Password meters actually work
Posted on 15 May 2013.
Password strength meters work, but only when users are choosing or changing passwords for "important" accounts, a group of researchers has found. They also confirmed that users are no more likely to forget a "strong" password than a "weak" one.

The researchers tested two different types of meter and compared the resulting passwords with those chosen by a control group that saw no meter at all. Their finding: the kind of meter makes no measurable difference - whether it leans on peer pressure or on the user's existing motivation to pick a password that would be rated "strong", whether it is vertical or horizontal, and whether it uses words, graphics or both - as long as some meter is shown.
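To make the two framings concrete, here is an added example of a minimal client-side meter; it is not the researchers' code, nor anything from the article. Everything in it is an assumption for illustration: the scoring rule (a character-class entropy estimate, zeroed for a short constructed list of very common passwords), the bit thresholds behind the word labels, and the idea that a "peer pressure" meter reports where the candidate falls among a constructed sample of other users' scores rather than on a fixed scale. The bar is rendered as text so the example runs without a DOM.

```javascript
// Added example (not the study's meters): one scoring rule, two framings.
// All thresholds, the common-password list and the peer sample are assumptions.

// Constructed list of very common passwords; a real deployment would use a
// much larger blocklist.
const COMMON_PASSWORDS = new Set(["123456", "password", "qwerty", "letmein", "iloveyou"]);

// Rough entropy estimate in bits: log2(alphabet) * length, where the alphabet
// size is the sum of the character classes actually present in the password.
function estimateBits(password) {
  if (COMMON_PASSWORDS.has(password.toLowerCase())) return 0;
  let alphabet = 0;
  if (/[a-z]/.test(password)) alphabet += 26;
  if (/[A-Z]/.test(password)) alphabet += 26;
  if (/[0-9]/.test(password)) alphabet += 10;
  if (/[^A-Za-z0-9]/.test(password)) alphabet += 33; // printable ASCII symbols
  if (alphabet === 0) return 0;
  return Math.round(Math.log2(alphabet) * password.length);
}

// Conventional framing: a fixed scale mapped to words (thresholds assumed).
const LEVELS = ["Very weak", "Weak", "Fair", "Strong", "Very strong"];
function levelFor(bits) {
  if (bits < 28) return 0;
  if (bits < 36) return 1;
  if (bits < 60) return 2;
  if (bits < 80) return 3;
  return 4;
}

// Peer-pressure framing: compare against other users' scores. This sample is
// constructed; a real site would aggregate such scores server-side.
const PEER_BITS = [0, 12, 19, 28, 28, 33, 38, 38, 47, 56, 56, 66, 72, 85];

// Percentage of the peer sample that scores strictly lower than `bits`.
function peerPercentile(bits, peers = PEER_BITS) {
  const below = peers.filter((b) => b < bits).length;
  return Math.round((100 * below) / peers.length);
}

// Text rendering of a four-cell bar: horizontal bars read left to right,
// vertical bars stack bottom-up; both carry a word label.
function renderMeter(password, { framing = "conventional", orientation = "horizontal" } = {}) {
  const bits = estimateBits(password);
  const level = levelFor(bits);
  const percentile = peerPercentile(bits);
  const filled = framing === "peer" ? Math.round(percentile / 25) : level;
  const words = framing === "peer"
    ? `Stronger than ${percentile}% of other users' passwords`
    : LEVELS[level];
  const cells = Array.from({ length: 4 }, (_, i) => (i < filled ? "#" : "."));
  const bar = orientation === "vertical" ? cells.slice().reverse().join("\n") : cells.join("");
  return { bits, level, words, bar };
}

// Usage: the same password under both framings and both orientations.
for (const framing of ["conventional", "peer"]) {
  for (const orientation of ["horizontal", "vertical"]) {
    const m = renderMeter("Tr0ub4dor&3", { framing, orientation });
    console.log(`${framing}/${orientation}: ${m.words}\n${m.bar}`);
  }
}
```

The point the study makes is that the choice between these framings, orientations and label styles did not move the needle; the presence of any such feedback on a password change for an account users care about did.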

The testing was performed both in a laboratory and in the field. Participants were not told that passwords were the subject of the experiment, so that their behaviour would not be influenced: the researchers simply added an account-creation page to a website being used for another, unrelated study.

"One of our findings is that password meters do not yield much improvement in helping users choose passwords for unimportant accounts, yet they are very commonly deployed in such contexts. Equally, where meters make a difference - password changes for important accounts - they are less often seen. Thus, practice at real sites appears to be very far from what our results dictate. This indicates a real opportunity for improvement," the researchers pointed out.

The report gives more details about the researchers' approach, along with tentative conclusions about password reuse and other topics. It is well worth reading, not least because it touches on a tendency that, in my opinion, is not widely enough known: people heed subtle encouragements or nudges. That tendency should definitely be taken into consideration when designing systems that are both more secure and more user-friendly.
