Password Strength Meters Are Still Untrustworthy
When you create a new account on a website or service, there is usually a handy meter that shows how strong the password you came up with is. Don’t listen to these meters.
Over time, password cracking tools keep getting better, authentication standards improve to keep up with crackers, and best practices for passwords are adopted. But according to Mark Stokely of Naked Security, password strength meters have remained largely unchanged. Stokely tested five popular password strength meters last March, and they all failed. Now, over a year later, they still fail his simple tests. Stokely chose five passwords for his tests from a list of the 10,000 most common passwords:
- abc123 – number 14 in the list, the first to mix letters and numbers
- trustno1 – number 29, the second to mix letters and numbers
- ncc1701 – number 158, the registration number of the USS Enterprise
- I love you! – number 8778, the first with a non-alphanumeric character
- primetime21 – number 8280, the longest that mixes letters and numbers
He then tested them on five available password strength meters (jQuery Password Strength Meter for Twitter Bootstrap, Strength.js, Mato Ilic’s PWStrength, FormGet’s jQuery Password Checker, and Paulund’s jQuery Password Strength Meter) and on zxcvbn (a sophisticated open source meter from Dropbox and WordPress). When all was said and done, every meter but zxcvbn failed, and some even rated the passwords above as “Good”. Stokely’s research confirms what you’ve probably been thinking all along: password strength meters don’t do much to protect your account. You will be better off with a decent password manager. You can read more about Stokely’s experiments at the link below.
Why You Still Can’t Trust Password Strength Meters | Naked Security
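
The gap the tests expose, as an added example that is not code from the article or from any of the meters it names: a scorer that looks only at length and character variety, next to a check against the common-password list. The scorer, its thresholds and its labels are assumptions made for illustration, and the list here holds only the five passwords quoted above.

```javascript
// Constructed sample: the five passwords and ranks quoted above, standing
// in for the full list of the 10,000 most common passwords.
const COMMON_RANKS = new Map([
  ["abc123", 14],
  ["trustno1", 29],
  ["ncc1701", 158],
  ["i love you!", 8778],
  ["primetime21", 8280],
]);

// Hypothetical composition-only scorer (assumption, not any named meter's
// code): rewards length and character variety, ignores real-world usage.
function compositionVerdict(password) {
  let score = 0;
  if (password.length >= 6) score += 1;
  if (password.length >= 8) score += 1;
  if (/[a-z]/.test(password) && /[A-Z]/.test(password)) score += 1;
  if (/[A-Za-z]/.test(password) && /[0-9]/.test(password)) score += 1;
  if (/[^A-Za-z0-9]/.test(password)) score += 1;
  return ["Very weak", "Weak", "Fair", "Good", "Good", "Strong"][score];
}

// Blocklist-first check: a listed password is rejected whatever it looks like.
// Case is folded so "ABC123" cannot slip past an entry for "abc123".
function blocklistVerdict(password, ranks = COMMON_RANKS) {
  const rank = ranks.get(password.normalize("NFKC").toLowerCase());
  if (rank !== undefined) {
    return { verdict: "Rejected", reason: `common password, rank ${rank}` };
  }
  // Absence from the list is not evidence of strength, so make no claim.
  return { verdict: "Not listed", reason: "no match in common-password list" };
}

// Run both checks side by side over a set of candidate passwords.
function compare(passwords) {
  return passwords.map((password) => ({
    password,
    compositionOnly: compositionVerdict(password),
    withBlocklist: blocklistVerdict(password).verdict,
  }));
}

console.table(compare(["abc123", "trustno1", "ncc1701", "I love you!", "primetime21"]));
```

In a real form the map would be loaded from the full common-password list, and the check would run on the server as well as in the browser.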