1. Computing

Web consultant says meters don’t measure true strength of passwords

By

have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we
guteksk7/Shutterstock
We’ve all gone through the process of trying to sign up for a website, only to be told our password isn’t strong enough. But these password strength meters may not be all they’re cracked up to be and may be only giving the illusion of security.

According to Mark Stockley, founder of web consultancy Compound Eye, these meters don’t actually measure strength at all. Stockley tested five different password meters, first in March 2015 and then 18 months later. He says none of them improved during that time.

Writing for Sophos, he explained that password meters only attempt to measure how long it would take to crack the password. A meter on the website typically suggests you use a long password with uppercase and lowercase characters and symbols like question marks and exclamation points.

“A strong password is one that is highly resistant to attempts to crack it with online or offline dictionary attacks,” he said. “The only good way to measure the strength of a password is to try and crack it — a serious and seriously time-consuming business that requires specialist software and expensive hardware.”

As part of his tests, Stockley ran five passwords that he deemed terrible through the meters. If the meters were up to par, they would reject them. The five passwords were “abc123,” “trustno1,” “ncc1701,” “primetime21,” and “iloveyou!” More often than not, the passwords passed the meter with some getting a “good” or “normal” result.

To further corroborate his findings, Stockley was able to crack these five passwords with the open source tool John the Ripper, making it clear that the passwords weren’t cut out for securing your accounts.

So nothing had improved in over a year. In his latest tests, Stockley added a sixth password meter, the very popular zxcvbn, which is used by Dropbox and WordPress. It deemed all five terrible passwords “very weak,” marking something of an improvement.

However, Stockley still remains highly critical of password meters that “muddy the waters with misleading or ambiguous terminology and colors,” and encouraged the use of two-factor authentication.

Editors' Recommendations

How to password protect a folder in Windows and MacOS

How to change your Yahoo password

yahoo account hack how to protect yourself on tablet 640x0

How to change your Outlook password

outlook email

LastPass vs. 1Password

florida court phone passwords android lock screen password

How to force quit on a Mac

How to force quit on a mac

Give your router new superpowers by installing DD-WRT

report advises governments to avoid encryption backdoors internet router

How to install fonts on a Mac

How to livestream on YouTube with OBS

How to make Windows 10 look like Windows 7

How to play Xbox One games on your PC

How to print to PDF in MacOS

apple refreshes imacs new graphics intel processors imac gets 2x more performance father and child on 03192019

How to send a text message from a computer

How to zoom in on a Mac

How to set up a VPN

best VPN services

How to set up a wireless router

How to set up multiple monitors for PC gaming