Because people are generally unable to come up with rock-solid passwords on their own, many websites that require user-generated passwords employ “password strength meters” which inform users how secure their chosen password is.
If you choose “Puppy” as a password, you’re liable to be told your password is weak and encouraged, if not downright forced, to pick a new one. On the other hand, picking something like “24DoYz@93mU” will likely see you pass with a “strong password” blessing.
Now, new research has discovered that the reliability of many password strength meters may not be all it's cracked up to be.
Specifically, researchers at Concordia University in Montreal found that the same password will often yield inconsistent results across varying password strength meters on different websites.
For the study, forthcoming in the journal ACM Transactions on Information and System Security (TISSEC), researchers Mohammad Mannan and Xavier de Carné de Carnavalet sent millions of not-so-good passwords through meters used by several high-traffic web service providers, including Google, Yahoo!, Dropbox, Twitter and Skype.
“We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another,” says Mannan, who is an assistant professor with Concordia’s Institute for Information Systems Engineering.
All the same, password strength meters are as necessary today as ever. Unfortunately, many people still opt for passwords that are dictionary words, while others, believe it or not, still use easy-to-guess numeric strings based on their birthdays and similarly predictable patterns.
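To show why the same password can be rated differently, here is an added example (not code from the Concordia study or from any of the named websites) that implements two simplified meters of the kind commonly deployed: one scores only length and character classes (an entropy estimate), the other runs a rule checklist that also penalises dictionary words and birthday-style digit strings. The word list, thresholds and cut-offs are constructed assumptions for illustration; real meters use far larger dictionaries. A password such as "Password1!" passes the first meter and fails the second, which is exactly the inconsistency the article describes.

```python
import math
import re
from datetime import datetime

# Constructed mini dictionary (assumption); real meters ship lists of many thousands of words.
COMMON_WORDS = {"puppy", "password", "letmein", "welcome", "dragon", "monkey"}

# Character-class regexes shared by both meters.
CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")


def charset_size(pw: str) -> int:
    """Size of the symbol alphabet implied by the character classes present."""
    sizes = (26, 26, 10, 33)  # assumption: 33 printable ASCII symbols
    return sum(size for pat, size in zip(CLASSES, sizes) if re.search(pat, pw))


def meter_entropy(pw: str) -> str:
    """Meter A: naive bits = length * log2(alphabet). Blind to dictionary words."""
    if not pw:
        return "weak"
    bits = len(pw) * math.log2(charset_size(pw))
    if bits < 36:      # thresholds are constructed assumptions
        return "weak"
    if bits < 60:
        return "medium"
    return "strong"


def looks_like_date(digits: str) -> bool:
    """True if an all-digit string parses as a plausible birthday in a common layout."""
    for fmt in ("%Y%m%d", "%d%m%Y", "%m%d%Y", "%d%m%y", "%m%d%y"):
        try:
            datetime.strptime(digits, fmt)
            return True
        except ValueError:
            continue
    return False


def meter_rules(pw: str) -> str:
    """Meter B: rule checklist with dictionary and birthday penalties."""
    # Strip digits/symbols so 'Password1!' is recognised as the word 'password'.
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core and core in COMMON_WORDS:
        return "weak"
    if re.fullmatch(r"\d{6,8}", pw) and looks_like_date(pw):
        return "weak"
    if len(pw) < 8:
        return "weak"
    classes = sum(bool(re.search(pat, pw)) for pat in CLASSES)
    if classes >= 3 and len(pw) >= 10:
        return "strong"
    return "medium"


def compare(pw: str) -> dict:
    """Run both meters on one password so their verdicts can be placed side by side."""
    return {"entropy_meter": meter_entropy(pw), "rules_meter": meter_rules(pw)}


if __name__ == "__main__":
    # Constructed sample passwords: the two from the article plus a dictionary-word
    # variant and a birthday-style digit string.
    for candidate in ("Puppy", "24DoYz@93mU", "Password1!", "19900315"):
        print(f"{candidate!r:16} -> {compare(candidate)}")
```

The entropy meter rewards "Password1!" because it mixes all four character classes, while the rule-based meter sees the dictionary word underneath the decoration. Neither meter is wrong by its own definition; they simply measure different things, which is why a site that chooses one heuristic will disagree with a site that chooses another.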