
Do Password Meters Help Or Hurt?

New research shows that people presented with an indicator of their password's strength created stronger passwords that were also memorable. However, the strength metric such meters rely on is itself flawed.

What’s the Latest Development?


At a recent SIGCHI conference in Paris, researchers presented a paper describing the effect of password meters on users' choices of passwords. Test subjects, told they were evaluating the usability of a university computer system, were instructed to change their password. Those shown one of two meters (one that rated the password's strength on its own, and one that compared its strength with the other passwords in the system) created significantly stronger passwords than the control group, who saw no meter. When invited to return two weeks later, the participants who had seen a meter had no more difficulty remembering their passwords than those in the control group.

What’s the Big Idea?

Password meters commonly score a password with a "zero-order entropy" estimate: the password's length multiplied by the logarithm of the size of the character pool implied by the classes it uses (lowercase, uppercase, digits, symbols), as if every character had been drawn independently and uniformly at random. While the researchers' results are promising, that metric has a significant flaw: a common word dressed up with predictable substitutions and a trailing digit (for example, "Pa$$word1") uses all four classes and scores as strong, but because the underlying word is so common, a cracker's wordlist plus standard mangling rules recovers it quickly, so it is more vulnerable than a string of random characters (for example, "lkx8q2pe0") that uses only two classes and scores as less strong. One recommendation for fixing the flaw: "[Ban] the one million most commonly used words."
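The following is an added example, not code from the article or from the researchers' study. It implements the naive zero-order entropy score described above, shows that it ranks "Pa$$word1" above "lkx8q2pe0", and then applies the recommended fix: undo the mangling a cracker's rule set would apply (lowercase, strip trailing digits and symbols, reverse common leetspeak substitutions) and reject the result if it appears in a common-word block-list. The block-list, the leetspeak map, the 94-character pool and the "strong"/"medium"/"weak" thresholds are all assumptions made for the example; a real deployment would use a large leaked-password list in place of the six-word stand-in.

```python
import math
import string

# Constructed stand-in for "the one million most commonly used words" (assumption).
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "monkey", "dragon"}

# Leetspeak substitutions that cracking rule sets routinely apply and that we undo.
# Single-mapping simplification (assumption): a real cracker tries every combination.
LEET_MAP = str.maketrans({
    "$": "s", "@": "a", "0": "o", "1": "i", "3": "e",
    "4": "a", "5": "s", "7": "t", "!": "i",
})

# Character classes and the pool size each one contributes (94 printable ASCII in total).
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
]


def zero_order_entropy(pw: str) -> float:
    """Naive meter: bits = length * log2(pool), where pool is the union of
    the character classes present. Assumes every character is independent
    and uniformly random, which is exactly the flawed assumption."""
    pool = sum(size for chars, size in CLASSES if any(c in chars for c in pw))
    if pool == 0:  # empty or entirely non-ASCII input
        return 0.0
    return len(pw) * math.log2(pool)


def normalize(pw: str) -> str:
    """Undo the mangling a cracker's rules apply: lowercase, drop trailing
    digits/symbols ('password1', 'password!'), then reverse leetspeak."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def rate(pw: str) -> dict:
    """Score with the naive meter, then override it with the block-list check.
    Thresholds (56 / 40 bits) are arbitrary for the example."""
    bits = zero_order_entropy(pw)
    meter = "strong" if bits >= 56 else "medium" if bits >= 40 else "weak"
    blocked = pw.lower() in COMMON_WORDS or normalize(pw) in COMMON_WORDS
    return {
        "bits": round(bits, 1),
        "meter": meter,           # what a zero-order meter would display
        "blocked": blocked,       # what the block-list says
        "verdict": "weak" if blocked else meter,
    }


if __name__ == "__main__":
    # The two passwords from the article: the meter gets their order backwards.
    for pw in ("Pa$$word1", "lkx8q2pe0"):
        r = rate(pw)
        print(f"{pw:<12} bits={r['bits']:>5} meter={r['meter']:<7} "
              f"blocked={r['blocked']!s:<5} verdict={r['verdict']}")
```

"Pa$$word1" comes out at about 59 bits (nine characters over a 94-symbol pool) and "lkx8q2pe0" at about 46.5 bits (nine over 36), so the naive meter calls the first strong and the second medium; the normalization step reduces "Pa$$word1" to "password" and the block-list flips its verdict to weak, while the random string passes through unchanged.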


Read it at Ars Technica
