Password-strength meters offer dubious guidance

An analysis of password-strength meters has revealed that some of the most popular products fail to accurately categorize the security of user-generated passwords. Strings of characters and numbers that would be easy for a malicious actor to guess were not appropriately flagged, according to security experts.

The research was conducted by web consultant Mark Stockley and posted on the blog Naked Security. Password-strength meters are a common feature of any interface that requires new users to create a unique password. The meter analyzes the predictability of the password and then rates it on a scale typically ranging from very weak to strong.

In order to test the efficacy of these meters, Stockley chose five passwords included on the list of the 10,000 most common passwords. The entries chosen were abc123, trustno1, ncc1701 (registration number of the USS Enterprise), iloveyou!, and primetime21. Stockley then entered these passwords into the first five entries to appear on a Google search of the term “Query strength meter.”

In an ideal scenario, all five of these passwords would have immediately been flagged as very weak, indicating to the user that the chosen password would be very easy for even an amateur hacker to figure out. Stockley also tested the five passwords in a password-strength meter called zxcvbn, which is open source, used by popular sites such as Dropbox, and widely considered to offer reliable guidance. This meter was intended to serve as a control.

The five meters initially tested returned ratings ranging from weak, to normal/mediocre, to good in a few cases. This is despite the fact that the five tested passwords are considered some of the very worst options available to users. The zxcvbn meter rated all five as very weak.

This research comes in the wake of a report from the information security consultancy firm Praetorian showing that four out of the five most common causes of data breaches related to stolen credentials rather than malware or zero-day threats.

Password strength is integral to personal and enterprise data security because a valid password lets an attacker bypass even the most sophisticated threat-avoidance measures. Guessing a password is also significantly easier than developing a successful malware product.

Experts warn that simply capitalizing a letter or adding a number in place of another character does not transform a weak password into a strong one. Hackers have a sophisticated understanding of user behavior and often make predictable and correct substitutions when their initial guesses turn out to be wrong.

Stockley’s research reveals that it is imperative for users to gravitate away from familiar and therefore predictable passwords, and to rely on quality meters that offer a realistic analysis of a password’s strength.