Why You Shouldn't Trust Password Strength Meters
Weak. Very Weak. Good. Strong. Online password strength meters are like those carnival mallets that measure how hard you can smash something—or, in this case, how secure you’ve made your access code for a website. But according to Naked Security consultant Mark Stockley, they might not be as trustworthy as you think.
Stockley recently conducted an experiment in which five strength meters were selected based on their high return results from a web search. He used five common, easily cracked passwords—including NCC1701, the registration number of the Star Trek starship Enterprise, and trustno1, an ironically weak nod to security paranoia—and looked to see how the meters responded to his purposefully lame attempts at privacy protection.
In every case, the meters failed to reject any of the passwords as being too ineffectual; one rated trustno1 as “good.” It’s currently ranked 29 on a list of the 10,000 most common passwords.
The problem, according to Stockley, is that it’s virtually impossible to know whether a web site is using an effective meter or whether they’re using any number of programs that fail to notify users of their easily-cracked passwords. There’s also the problem of following a meter’s prompts to increase the strength of a password by adding a number or capitalizing a letter. Hackers aren’t oblivious to this ploy, and can do the same.
If you can’t trust the meter, now what? Naked Security’s advice is to avoid quotations, pet names, birthdays, or social media references. Try to come up with utter nonsense involving uppercase, lowercase, numbers, and punctuation at least 14 characters long. If it’s a phrase you’ve heard on Star Trek, it’s probably not going to do you any good.