New research has warned that users of online services provided by Amazon, eBay, Gmail, Microsoft and others should be sceptical of password strength metres, as they are not all created equal.
When a user creates a new password, online services commonly provide a guide known as a password strength metre, usually a bar that turns green to indicate how strong the chosen password is. Researchers say these green bars may not be as foolproof as you thought.
New research from Concordia University exposes the weaknesses of password strength metres and shows that consumers who want strong passwords should remain sceptical even when the bar turns green.
“We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another,” said lead researcher Professor Mohammad Mannan. “These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these metres.”
Researchers sent millions of not-so-good passwords through metres used by several high-traffic web service providers, including Google, Yahoo!, Dropbox, Twitter and Skype. They also tested some of the metres found in password managers, allegedly designed with the relevant expertise.
“But on the other hand, our findings may help design better metres, and possibly make them an effective tool in the long run,” said co-researcher Xavier de Carné de Carnavalet.
So what can companies do? Start by emulating Dropbox, the researchers recommend.
The popular file-sharing site had the most robust password strength metre, and the software is open-source.
“Dropbox’s rather simple checker is quite effective in analysing passwords, and is possibly a step in the right direction.
“Any word commonly found in the dictionary will automatically be caught by the Dropbox metre and highlighted as weak,” Mannan explained.
“That automatically prompts users to think beyond familiar phrases when creating passwords,” he said.
“We’ve contacted most of the companies we examined in our study but so far our results are falling on deaf ears,” Mannan says. One company dropped their metre while another fixed a simple bug — no other changes were observed even after a year.
For now, it’s up to individuals to ensure their passwords are strong by using random passwords drawn from the full character set. Of course, remembering those passwords is easier said than done.
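To make the two points above concrete, the dictionary-style check the article attributes to Dropbox's metre and the full-character-set random passwords it recommends, here is an added illustration that is not Dropbox's checker, not the Concordia study's code, and not any service's metre. It uses a small constructed word list (COMMON_WORDS) in place of a real dictionary or leaked-password list, a hypothetical LEET_MAP of common substitutions, and a plain brute-force bit estimate as the fallback score; the thresholds of 40 and 64 bits are arbitrary choices for the example.

```python
"""Illustrative dictionary-aware password strength metre (added example, not Dropbox's code)."""
import math
import secrets
import string

# Constructed stand-in for a real dictionary / leaked-password list.
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty", "dragon", "monkey",
    "football", "iloveyou", "sunshine", "princess",
}

# Hypothetical map of common "leet" substitutions users apply to dictionary words.
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "!": "i", "7": "t"})

FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def normalise(pw):
    """Lower-case, drop trailing digits/punctuation (e.g. 'password123!'), undo leet."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped.translate(LEET_MAP)


def dictionary_hit(pw):
    """Return the common word the password is built from, or None."""
    norm = normalise(pw)
    if norm in COMMON_WORDS:
        return norm
    # Also catch a word of 5+ letters with at most 3 extra characters around it.
    for word in COMMON_WORDS:
        if len(word) >= 5 and word in norm and len(norm) - len(word) <= 3:
            return word
    return None


def charset_size(pw):
    """Size of the smallest standard character set that contains every symbol used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)
    return size


def brute_force_bits(pw):
    """Naive guessing-space estimate: length * log2(charset). Meaningless for dictionary words."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def rate(pw):
    """Return (label, bits, reason). Dictionary hits are weak regardless of length or symbols."""
    hit = dictionary_hit(pw)
    if hit:
        return ("weak", 0.0, f"built from common word '{hit}'")
    bits = brute_force_bits(pw)
    label = "weak" if bits < 40 else "fair" if bits < 64 else "strong"
    return (label, round(bits, 1), "brute-force estimate")


def random_password(length=16):
    """Full-character-set random password, as the article recommends (CSPRNG via secrets)."""
    return "".join(secrets.choice(FULL_CHARSET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd1", "dragon2019", "k7#Qm2!pLz9@Rt4v", random_password()]:
        print(f"{candidate!r:24} -> {rate(candidate)}")
```

The point the example makes is the one Mannan describes: a metre that only counts length and character classes would score "P@ssw0rd1" as reasonably strong, while a dictionary-aware check normalises it back to "password" and flags it weak before any entropy arithmetic runs.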
In this context it’s meters not metres! Grrrrrrrr…