Skip to main content
  1. Home
  2. Computing
  3. News

Web consultant says meters don’t measure true strength of passwords

Jonathan Keane
By

have i been pwned owner uncovers 13 million plaintext passwords leaked from free webhost is a safe password even possible we
guteksk7/Shutterstock
We’ve all gone through the process of trying to sign up for a website, only to be told our password isn’t strong enough. But these password strength meters may not be all they’re cracked up to be and may be only giving the illusion of security.

According to Mark Stockley, founder of web consultancy Compound Eye, these meters don’t actually measure strength at all. Stockley tested five different password meters, first in March 2015 and then 18 months later. He says none of them improved during that time.

Writing for Sophos, he explained that password meters only attempt to measure how long it would take to crack the password. A meter on the website typically suggests you use a long password with uppercase and lowercase characters and symbols like question marks and exclamation points.

“A strong password is one that is highly resistant to attempts to crack it with online or offline dictionary attacks,” he said. “The only good way to measure the strength of a password is to try and crack it — a serious and seriously time-consuming business that requires specialist software and expensive hardware.”

As part of his tests, Stockley ran five passwords that he deemed terrible through the meters. If the meters were up to par, they would reject them. The five passwords were “abc123,” “trustno1,” “ncc1701,” “primetime21,” and “iloveyou!” More often than not, the passwords passed the meter with some getting a “good” or “normal” result.

To further corroborate his findings, Stockley was able to crack these five passwords with the open source tool John the Ripper, making it clear that the passwords weren’t cut out for securing your accounts.

So nothing had improved in over a year. In his latest tests, Stockley added a sixth password meter, the very popular zxcvbn, which is used by Dropbox and WordPress. It deemed all five terrible passwords “very weak,” marking something of an improvement.

However, Stockley still remains highly critical of password meters that “muddy the waters with misleading or ambiguous terminology and colors,” and encouraged the use of two-factor authentication.

Editors' Recommendations

Big tech firms are teaming up to banish passwords for good

Silhouette of male hand typing on laptop keyboard at night.

Using Google Keep on a Samsung S21? Don’t install One UI 4

The rear panel of the Samsung Galaxy S21 showing its triple cameras.

Are you using one of these passwords? If so, it’s time for a change

Passwords locked on Mac.

Please don’t buy an iMac right now

apple imac 5k 27 inch review 2020 03

With Tesla bleeding money, Elon Musk initiates hardcore spending review

Tesla Model Y front

The Galaxy Tab S8 has renewed my faith in Android tablets

A Samsung Galaxy Tab S8 is held up on top of a desk.

Best Apple deals and sales for June 2022

dell xps 15 vs macbook pro 16 apple ry 14 1200x9999

The 72 best movies on Hulu right now (June 2022)

Astronaut on the moon during the Apollo 11 Mission.

AMD’s 7000-series GPUs may be its most power-hungry cards yet

An AMD RX 6000 graphics card with the Radeon branding.

Intel serves up new benchmarks for Arc Alchemist, but can you trust them?

An Intel Arc Alchemist laptop with the Arc logo displayed.

New Siri remote for Apple TV could be easier to find with an embedded AirTag

The Siri Remote in someone's hand.

This Lenovo laptop is discounted by $1,364 (yes, you read that right)

A view of the opened ThinkPad X1 Carbon Gen 9.

Best gaming PC deals: Get a high-end rig from $520 today

The HP Pavilion desktop computer accompanied by two gaming monitors and a colorful gaming keyboard.