
Web consultant says meters don’t measure true strength of passwords

We’ve all gone through the process of trying to sign up for a website, only to be told our password isn’t strong enough. But these password strength meters may not be all they’re cracked up to be and may be only giving the illusion of security.

According to Mark Stockley, founder of web consultancy Compound Eye, these meters don’t actually measure strength at all. Stockley tested five different password meters, first in March 2015 and then 18 months later. He says none of them improved during that time.

Writing for Sophos, he explained that password meters only attempt to measure how long it would take to crack the password. A meter on the website typically suggests you use a long password with uppercase and lowercase characters and symbols like question marks and exclamation points.

“A strong password is one that is highly resistant to attempts to crack it with online or offline dictionary attacks,” he said. “The only good way to measure the strength of a password is to try and crack it — a serious and seriously time-consuming business that requires specialist software and expensive hardware.”

As part of his tests, Stockley ran five passwords that he deemed terrible through the meters. If the meters were up to par, they would reject them. The five passwords were “abc123,” “trustno1,” “ncc1701,” “primetime21,” and “iloveyou!” More often than not, the passwords passed the meter with some getting a “good” or “normal” result.

To further corroborate his findings, Stockley was able to crack these five passwords with the open source tool John the Ripper, making it clear that the passwords weren’t cut out for securing your accounts.

So nothing had improved in over a year. In his latest tests, Stockley added a sixth password meter, the very popular zxcvbn, which is used by Dropbox and WordPress. It deemed all five terrible passwords “very weak,” marking something of an improvement.
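To illustrate the gap Stockley describes, the following added example (not code from the article, from Stockley, or from zxcvbn) runs his five passwords through a hypothetical composition-only meter and through the same meter with a common-password lookup in front of it. The function names, scoring thresholds and the short word list are assumptions constructed for the example.

```javascript
// Constructed stand-in for a real common-password list (assumption, not from the article).
const COMMON = new Set(["abc123", "trustno1", "ncc1701", "primetime",
                        "iloveyou", "password", "letmein"]);
// The five passwords the article names.
const TERRIBLE = ["abc123", "trustno1", "ncc1701", "primetime21", "iloveyou!"];
// Common character substitutions to undo before the list lookup.
const LEET = { "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
               "@": "a", "$": "s", "!": "i" };

// Hypothetical composition-only meter: rewards length and character classes,
// and knows nothing about what people actually choose.
function naiveMeter(pw) {
  let score = 0;
  if (pw.length >= 8) score++;
  if (pw.length >= 11) score++;
  if (/[a-z]/.test(pw)) score++;
  if (/[A-Z]/.test(pw)) score++;
  if (/[0-9]/.test(pw)) score++;
  if (/[^A-Za-z0-9]/.test(pw)) score++;
  return score >= 4 ? "good" : score === 3 ? "normal" : "weak";
}

// Normalised forms of a password: lowercased, trailing digits/symbols
// removed, and substitutions reversed.
function variants(pw) {
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[^a-z]+$/, "");
  const deleet = s => s.replace(/[013457@$!]/g, c => LEET[c]);
  return new Set([lower, stripped, deleet(lower), deleet(stripped)]);
}

// Same meter, but any variant found on the common-password list is rejected
// before composition is even considered.
function listAwareMeter(pw) {
  for (const v of variants(pw)) {
    if (COMMON.has(v)) return "very weak";
  }
  return naiveMeter(pw);
}

// Side-by-side verdicts for a list of passwords.
function compare(passwords) {
  return passwords.map(pw => ({ pw, naive: naiveMeter(pw), listAware: listAwareMeter(pw) }));
}

console.table(compare(TERRIBLE));
```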

However, Stockley still remains highly critical of password meters that “muddy the waters with misleading or ambiguous terminology and colors,” and encouraged the use of two-factor authentication.

Jonathan Keane
Former Digital Trends Contributor
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…