The most secure system in the world is still vulnerable to attack if its users choose passwords that are easy to guess. For that reason, many systems and websites employ password meters: graphical or textual indicators that show the strength of the password a user has chosen.

However, some of the advice offered by password meters on some of the world’s most popular websites is inconsistent and misleading, and it could be doing more harm than good, according to a University of Plymouth study that assessed the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.

The study tested 16 passwords against each meter, 10 of which rank among the world’s most commonly used passwords, including “password” and “123456.” The meters came from popular websites and from various handheld devices. Of the 10 explicitly weak passwords, only five were consistently scored as weak by every meter, while “Password1!” performed far better than it should have and was even rated strong by three of the meters.
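As an added illustration (this is not code from the study, which does not publish the scoring rules of the meters it tested), the following Python compares a composition-only meter of the kind that rewards “Password1!” with one that first checks whether a password is a predictable variant of a common password. The word list, the substitution table and both scoring rules are constructed assumptions for the example:

```python
"""Two toy password meters showing why composition-only scoring overrates
passwords such as "Password1!".  Illustrative code, not the meters that
were evaluated in the study."""
import re
import string

# Constructed sample of commonly used passwords.  A real meter would load a
# much larger, breach-derived list.
COMMON_PASSWORDS = {
    "password", "123456", "12345678", "qwerty", "abc123",
    "letmein", "monkey", "iloveyou", "admin", "welcome",
}

# Assumed reversal of the most frequent "leet" substitutions.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s",
})


def naive_meter(pw: str) -> str:
    """Composition-rule meter: looks only at length and character classes.

    This is the rule that makes "Password1!" look strong: it has all four
    classes and ten characters, so the meter never asks whether the password
    is predictable.
    """
    classes = sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])
    if len(pw) >= 10 and classes == 4:
        return "strong"
    if len(pw) >= 8 and classes >= 3:
        return "medium"
    return "weak"


def _base_word(pw: str) -> str:
    """Recover the dictionary word a password is built on.

    Strips the digits and symbols users typically prepend or append, undoes
    common letter substitutions and lowercases the result, so that
    "Password1!" and "P@ssw0rd" both reduce to "password".
    """
    core = pw.strip(string.digits + string.punctuation)
    return core.lower().translate(LEET_MAP)


def pattern_meter(pw: str) -> str:
    """Pattern-aware meter: rejects predictable variants before counting classes."""
    base = _base_word(pw)
    # A common password, a trivial decoration of one, or nothing but digits
    # and symbols left after stripping: weak regardless of character classes.
    if pw.lower() in COMMON_PASSWORDS or base in COMMON_PASSWORDS or len(base) < 4:
        return "weak"
    # A single repeated character ("aaaaaaaa", "!!!!!!!!") is equally guessable.
    if re.fullmatch(r"(.)\1+", pw):
        return "weak"
    # Only once the obvious patterns are excluded does composition say anything.
    return naive_meter(pw)


if __name__ == "__main__":
    for pw in ["password", "123456", "Password1!", "P@ssw0rd", "x7#Qp2vL!mR9"]:
        print(f"{pw:14} naive={naive_meter(pw):7} pattern-aware={pattern_meter(pw)}")
```

The two meters agree on “123456” and on the random-looking “x7#Qp2vL!mR9”, and disagree exactly where the study found real meters disagreeing: the composition-only rule scores “Password1!” as strong, while the pattern-aware rule reduces it to “password” and scores it weak.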

Beyond leaving accounts exposed to attack, this inconsistency means the meters fail to educate users about what actually constitutes a secure password: a meter that rewards “Password1!” teaches users that appending a digit and a symbol to a dictionary word is enough.

“What this study shows is that some of the available meters will flag an attempted password as being a potential risk whereas others will deem it acceptable,” says study author Steve Furnell, of the Centre for Security, Communications and Network Research at the University of Plymouth. “Security awareness and education is hard enough, without wasting the opportunity by offering misleading information that leaves users misguided and with a false sense of security.”

In previous work, Furnell has suggested that global companies such as Amazon could do more to raise awareness of the need for better password practices. He has also shown that, over the space of a decade, most of the top 10 English-speaking websites had not updated the password guidance they offer consumers, despite the increased threat of cyberattacks.

One positive finding of Furnell’s most recent study was that a browser-generated password was consistently rated strong, suggesting that users can trust these features to do a good job.

“Password meters themselves are not a bad idea, but you clearly need to be using or providing the right one,” Furnell wrote in his study’s conclusion. “It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices.

“While all the attention tends to focus on the replacement of passwords, the fact is that we continue to use them with little or no attempt being made to support users in doing so properly. Credible password meters can have a valuable role to play but misleading meters work against the interest of security and can simply give further advantage to attackers.”

Reference

  1. Furnell S. Password meters: inaccurate advice offered inconsistently? Computer Fraud & Security. 2019;11:6–14. https://doi.org/10.1016/S1361-3723(19)30116-2