When you make a new account for any sort of web site or service, there’s usually a helpful-looking meter to tell how strong the password you came up with is. Don’t listen to those meters.
As time goes on, password cracking tools get better, authentication standards improve to compete with crackers and best password practices adapt. But according to Mark Stockley at Naked Security, password strength meters have pretty much stayed the same. Last March, Stockley tested five popular password strength meters and they all failed. Now, over a year later, they still failed his simple experiments. For his tests, Stockley picked five passwords from the list of the 10,000 most common passwords:
- abc123 — number 14 on the list, first to mix letters and numbers
- trustno1 — number 29, second to mix letters and numbers
- ncc1701 — number 158, registration number of the USS Enterprise
- iloveyou! — number 8778, first with non-alphanumeric character
- primetime21 — number 8280, longest with letters and numbers
Then he tested them against five readily available password strength meters: jQuery Password Strength Meter for Twitter Bootstrap, Strength.js, Mato Ilic’s PWStrength, FormGet’s jQuery Password Strength Checker, Paulund’s jQuery password strength demo and zxcvbn (a sophisticated, open source meter used by Dropbox and WordPress). When it was all said and done, all but zxcvbn failed, and some even declared the passwords above as “Good”. Stockley’s research confirms what you’ve probably been thinking all along: Password strength meters don’t actually help you secure your account very well. You’re better off with a decent password manager. You can read more about Stockley’s experiments at the link below.
Why you STILL can’t trust password strength meters [Naked Security]