Password strength meters may offer misleading advice

Meters on popular websites, which tell users whether their new passwords are strong enough, can be 'inconsistent and misleading', offering advice that may actually do more harm than good, a new study says.

The researchers from the University of Plymouth in the UK tested the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.

They mainly focused on dedicated password meter websites but also assessed those embedded in common online services such as Dropbox and Reddit, and those offered as standard options on some devices.

The study, published in the journal Computer Fraud and Security, said there is a clear level of variation in the advice offered across the different websites.

While some of these meters steer users towards more secure account passwords, the researchers said, others fail to flag 'abc123', 'qwertyuiop' and 'I love you', all of which are listed among the worst passwords of 2019.

"Over the festive period, hundreds of millions of people will receive technology presents or use their devices to purchase them. The very least they should expect is that their data will be secure and, in the absence of a replacement for passwords, providing them with consistent and informed guidance is key in the quest for better security," said study author Steven Furnell.

According to the study, some of the available meters may flag an attempted password as a potential risk whereas others may deem the same password acceptable.

"Security awareness and education are hard enough, without wasting the opportunity by offering misleading information that leaves users misguided and with a false sense of security," Furnell said.

The researchers tested 16 passwords against the various meters; ten of them were ranked among the world's most commonly used passwords, including 'password' and '123456'.

Of these ten explicitly weak passwords, only five were consistently scored as weak by all the password meters.

Among the ten, 'Password1!' performed far better than it should have, and was even rated strong by three of the meters, the researchers said.
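The 'Password1!' result illustrates why composition-only meters mislead: the password satisfies every character-class rule while being a trivial variant of the most common password in existence. The following is an added illustration, not code from the study or from any of the meters it tested; it contrasts a naive composition score with a check that first normalises the candidate and matches it against a blocklist (here a constructed five-entry list built from the passwords named in this article; a real deployment would use a large breached-password list).

```python
import re
from typing import Tuple

# Constructed sample blocklist taken from the passwords this article names.
# A production check would use a large breached-password corpus instead.
WEAK_LIST = {"password", "123456", "abc123", "qwertyuiop", "i love you"}

# Common leet substitutions undone during normalisation.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "@": "a", "$": "s"})


def composition_score(pw: str) -> int:
    """Naive meter: one point per character class present, plus one for
    length >= 8. This style of scoring is what rates 'Password1!' as strong."""
    score = 0
    score += any(c.islower() for c in pw)
    score += any(c.isupper() for c in pw)
    score += any(c.isdigit() for c in pw)
    score += any(not c.isalnum() for c in pw)
    score += len(pw) >= 8
    return score  # 0..5


def normalize(pw: str) -> str:
    """Canonical form for blocklist matching: lowercase, strip the trailing
    digits/punctuation users bolt on to satisfy rules, undo leet spellings."""
    core = re.sub(r"[\d\W_]+$", "", pw.lower())
    return core.translate(LEET)


def blocklist_aware_check(pw: str) -> Tuple[bool, str]:
    """Return (acceptable, reason). A blocklist hit overrides any
    composition score, so 'Password1!' and 'P@ssw0rd' are both rejected."""
    if normalize(pw) in WEAK_LIST:
        return False, "derived from a known-weak password"
    if len(pw) < 12:
        return False, "shorter than 12 characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Password1!", "P@ssw0rd", "123456", "xK9#mQ2vL7pR"]:
        print(candidate, composition_score(candidate),
              blocklist_aware_check(candidate))
```

Running it shows 'Password1!' earning the maximum composition score of 5 while the blocklist-aware check rejects it; the 12-character random string passes both.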

One positive finding from the study mentioned by the scientists was that a browser-generated password was consistently rated strong, meaning users can seemingly trust these features to do a good job.

Furnell said password meters themselves are not a bad idea, but the right one needs to be used.

"It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices," he added.

Furnell cautioned that misleading meters may work against the interest of security and can simply give further advantage to attackers.
