Password Strength Meters – more harm than good?
(Last updated on July 30, 2019)
Fact one: passwords are here to stay, at least for the near future. Fact two: users have not gotten any better at making them stronger, or at using additional factors during authentication. To help users with this seemingly impossible task, many web services offer a password strength meter during account signup. With its uncanny resemblance to a traffic light (red: weak, yellow: medium, green: strong), the coloured meter creates a false sense of security for password-challenged users, which is most of us.
Password strength meters are commonly based on length and the four character classes: digits, special characters, and upper- and lowercase letters. The measurement is purely mathematical: how many possible combinations exist for a password of that length drawn from that character set. The longer and more complex your password, the more resistant it is to an exhaustive brute-force attack. But complexity says nothing about how users actually structure their passwords, and an attacker who guesses in order of likelihood rather than exhaustively never has to cover that space. User predictability is left completely unmeasured.
A study of 1,200 passwords by Helen Petrie, Ph.D., a professor of human-computer interaction, identified four password genres. The most popular was family-oriented, followed by fans; both draw on people, events, or a lifestyle with emotional value to the user. To aid memorization, the root word or phrase of a password commonly falls within these genres. When complexity is required, users have other predictable strategies to cope with memorization:
- Placing number(s) at the end of a password, commonly a significant year or an incrementing counter
- Leetspeak/character substitution, such as @ for a
- Keyboard patterns, such as 1qa2ws3ed
- Reusing a memorized password
Any sophisticated attacker will use a password dictionary built from popular compositions, character substitutions and leetspeak, combined with lists obtained from other data breaches. Since a single breach opens the door to a multitude of other systems, the basic password strength meter is ineffective against both dictionary attacks and reuse.
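To make the gap concrete, here is an added example written for this article; it is not code from any commercial meter or from zxcvbn. It puts a class-count meter of the kind described above next to a check that undoes the coping strategies listed (trailing digits, leetspeak, keyboard walks, a root taken from a common-password list) before judging the password, and then estimates how many guesses an attacker working from that list would need. The word list, leet map, keyboard grid, colour thresholds and guess-cost model are all constructed assumptions for the illustration, not measured values.

```python
import math
import re
import string

# Constructed word list standing in for the wordlists and breach dumps an attacker
# actually uses (assumption: real lists run to millions of entries, ordered by frequency).
COMMON_WORDS = ["password", "123456", "qwerty", "summer", "welcome", "letmein", "football"]
RANK = {w: i + 1 for i, w in enumerate(COMMON_WORDS)}

# Leetspeak substitutions to undo before the dictionary lookup (assumed, illustrative subset).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# QWERTY grid used to spot keyboard walks such as 1qa2ws3ed.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEY_POS = {c: (r, col) for r, row in enumerate(KEYBOARD_ROWS) for col, c in enumerate(row)}


def naive_meter(pw):
    """The classic meter: charset size to the power of length, cut at assumed thresholds."""
    charset = 0
    if any(c.islower() for c in pw):
        charset += 26
    if any(c.isupper() for c in pw):
        charset += 26
    if any(c.isdigit() for c in pw):
        charset += 10
    if any(c in string.punctuation for c in pw):
        charset += len(string.punctuation)  # 32 symbols
    bits = len(pw) * math.log2(charset) if charset else 0.0
    if bits < 36:
        return "red", bits
    if bits < 50:
        return "yellow", bits
    return "green", bits


def keyboard_walk(s, min_len=6, ratio=0.5):
    """True when at least `ratio` of consecutive key pairs are neighbours on the QWERTY grid."""
    if len(s) < min_len:
        return False
    adjacent = 0
    for a, b in zip(s, s[1:]):
        if a in KEY_POS and b in KEY_POS and a != b:
            (r1, c1), (r2, c2) = KEY_POS[a], KEY_POS[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                adjacent += 1
    return adjacent / (len(s) - 1) >= ratio


def pattern_aware(pw):
    """Strip the coping strategies, look up what is left, and estimate guesses needed.

    Returns (findings, guesses); guesses is None when no dictionary root was found.
    """
    findings = []
    core, digits = pw, ""
    if pw.lower() not in RANK:
        # Trailing year/counter, optionally followed by punctuation ("Summer2019!").
        m = re.search(r"(\d+)[^\w]*$", core)
        if m:
            digits = m.group(1)
            findings.append(f"trailing digits '{digits}'")
            core = core[:m.start()]
    plain = core.lower()
    normalized = core.translate(LEET_MAP).lower()
    root = plain if plain in RANK else normalized if normalized in RANK else None
    if root == plain:
        findings.append(f"dictionary word '{root}'")
    elif root:
        findings.append(f"dictionary word '{root}' behind leetspeak")
    if keyboard_walk(pw.lower()):
        findings.append("keyboard pattern")
    guesses = None
    if root:
        # Assumed cost model: rank in the list, times 2 per substituted character,
        # times 10 per trailing digit. Crude, but it is the shape of a guess estimate.
        subs = sum(1 for c in core if c.translate(LEET_MAP) != c) if root != plain else 0
        guesses = RANK[root] * (2 ** subs) * (10 ** len(digits))
    return findings, guesses


if __name__ == "__main__":
    for pw in ["P@ssw0rd1", "Summer2019!", "1qa2ws3ed", "123456", "xK9#mQ2vLp"]:
        colour, bits = naive_meter(pw)
        findings, guesses = pattern_aware(pw)
        print(f"{pw:12} naive={colour:6} ({bits:.0f} bits)  "
              f"pattern-aware: {findings or ['nothing obvious']}  guesses~{guesses}")
```

Running it shows the failure mode in one line: P@ssw0rd1 lights the naive meter green at about 59 bits (roughly 2^59 brute-force candidates), while the pattern-aware check reduces it to a first-ranked dictionary word with two substitutions and one trailing digit, on the order of 40 guesses. The findings list is also the kind of specific feedback a user could act on, which a single colour never gives.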
Worse, password strength meters can reinforce poor practice. In a 165-participant online study, researchers from Carnegie Mellon University and Pennsylvania State University investigated user perception of password strength. Many participants overestimated the benefit of including digits in their password and underestimated the predictability of keyboard patterns and common phrases. Since most of the feedback users receive about password strength comes from meters, this misconception can be attributed to the jump from red to green when a user adds one more character class to a password.
But not all password strength meters are the same. There are better alternatives, such as zxcvbn (the open-source estimator originally from Dropbox), which go beyond a raw entropy calculation: they weigh common passwords, names, surnames, popular words and common patterns, and report strength as the number of guesses an attacker would need rather than the size of the character space.
Other criticisms have less to do with the strength of the password and more to do with the feedback given to users. Going from one extreme (weak) to the other (strong) provides little constructive feedback on the quality of the chosen password. Feedback should name the specific weakness found and include tips for strengthening the password against the different types of attack, including social engineering and dictionary attacks.