Do Password Meters Help Or Hurt?
What’s the Latest Development?
At a recent SIGCHI conference in Paris, researchers presented their paper describing the effect of password meters on users’ choices of passwords. Test subjects who were asked to evaluate the usability of a university computer system were instructed to change their password. Those who were presented with one of two different types of meters — one that ranked the password’s strength, and one that compared the password’s strength with other user passwords in the system — created significantly stronger passwords than those in the control group, who saw no meter. Additionally, when invited to return two weeks later, the people who’d been helped by the meter had no more difficulty remembering their passwords than those in the control group.
What’s the Big Idea?
Password meters use a common form of evaluation known as “zero-order entropy” to determine the strength or weakness of a given password. While the researchers’ results are promising, the evaluation methodology has a significant flaw: Passwords built from common words with character substitutions may score as strong (for example, “Pa$$word1”), but if the underlying words are common enough, they are more vulnerable than passwords made up of random characters (for example, “lkx8q2pe0”) that score as less strong. One recommendation for fixing the flaw: “[Ban] the one million most commonly used words.”
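To make the flaw concrete, here is an added illustration (not code from the paper or the article) of a zero-order entropy meter beside the recommended ban-list check. The entropy estimate assumes each character was drawn uniformly from the union of the character classes present; the ban list here is a constructed six-word stand-in for the “one million most commonly used words”, the substitution table and the 50-bit “strong” threshold are assumptions chosen for the example.

```python
import math
import string

# Constructed stand-in for a large list of the most common words/passwords.
# A real deployment would load a list of roughly a million entries.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "football", "monkey"}

# Assumed substitution table: undo common "leet" spellings before comparing
# against the ban list, so "Pa$$word1" is recognised as "password".
LEET_MAP = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

STRONG_BITS = 50.0  # assumed meter threshold for "strong"


def zero_order_entropy_bits(password: str) -> float:
    """Zero-order (character-class) entropy estimate used by simple meters.

    Every character is treated as if drawn uniformly from the pool formed by
    the classes that appear anywhere in the password, so the estimate ignores
    whether the characters spell a dictionary word.
    """
    if not password:
        return 0.0
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return len(password) * math.log2(pool) if pool else 0.0


def contains_common_word(password: str) -> bool:
    """Ban-list check: normalise case and substitutions, then look for any
    banned word inside the result (substring match is deliberately strict)."""
    normalized = password.lower().translate(LEET_MAP)
    return any(word in normalized for word in COMMON_WORDS)


def assess(password: str) -> dict:
    """Combine both signals: the meter's verdict and the ban-list verdict."""
    bits = zero_order_entropy_bits(password)
    return {
        "entropy_bits": round(bits, 1),
        "meter_says_strong": bits >= STRONG_BITS,
        "banned": contains_common_word(password),
    }


if __name__ == "__main__":
    for candidate in ("Pa$$word1", "lkx8q2pe0"):
        print(candidate, assess(candidate))
```

Running this shows the mismatch the article describes: “Pa$$word1” draws on all four character classes and scores about 59 bits, so the meter calls it strong, yet it fails the ban list; “lkx8q2pe0” scores only about 46.5 bits and would be rated weaker, but contains no common word. A checker that applies the ban list before (or alongside) the entropy score rejects the first and keeps the second.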
Photo Credit: Shutterstock.com