Weakness In Password Strength Meters Exposed By Concordia University Research

Our digital lives require us to use passwords every day. Whether you are checking your mail or getting access to a new application, passwords have become the norm for protecting account details. It is well known that attackers can guess or crack passwords with various techniques, and to counter that, many applications push you to choose stronger passwords. In fact, most apps we use today won't let us proceed until we choose a password that satisfies their policy, enforced via password-strength meters or checkers. However, a recent study by researchers at Concordia University suggests that these meters do not significantly improve users' password quality and thus do little to protect accounts from password-cracking attacks.

If you have created an account on Google, Amazon or any other popular web-based service recently, you must have seen the red/yellow/green bar that rates the new password's strength. If you try different combinations of alphanumeric characters, special symbols and mixed case, you will find that these meters let you choose passwords like "Password1+", which is not only a very weak password but also evidence enough to question the effectiveness of these so-called password meters or checkers. Therefore, researchers Mohammad Mannan and Xavier de Carné de Carnavalet from Concordia University's Institute for Information Systems Engineering took up the task of testing the strength of various password meters and showed that they are indeed very weak.

Image: Assistant Professor Mohammad Mannan and his colleagues

The research duo sent millions of passwords through meters used by several popular websites, including Google, Dropbox, Twitter, Yahoo! and Skype, and found that most of these meters were based on ad-hoc designs and that their results were highly inconsistent: a password considered strong on one site would be called weak by another site's meter. The team documented several source-available meters, inferred the algorithms behind the closed-source ones, and measured the strength labels assigned to common passwords drawn from several password dictionaries.

In their paper, titled 'A Large-Scale Evaluation of High-Impact Password Strength Meters', the researchers share details of how the server side of some web services' meters functions, provide examples of highly inconsistent strength outcomes for the same password across different meters, and give examples of many weak passwords being labeled as strong or even excellent. They believe their findings may help in designing better meters and developing an effective tool in the days to come.
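As an added illustration (not the researchers' code, nor any site's real meter), the two toy meters below reproduce the kind of disagreement the study measured: an ad-hoc character-class meter rates "Password1+" strong, while a meter that strips the common "word + digits + symbol" pattern and checks a (constructed) leaked-password list rates it weak. The word list and both scoring rules are assumptions made for the demonstration.

```python
# Added example: two toy password meters, written to show why ad-hoc
# character-class scoring disagrees with a dictionary-aware check.
# Neither reproduces any real website's meter.
import re

# Constructed stand-in for the cracking dictionaries used in the study.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome", "dragon", "monkey"}


def classes_meter(pw: str) -> str:
    """Ad-hoc meter: one point per character class present, plus length bonuses.
    This is the style of scoring that lets "Password1+" through as strong."""
    score = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]"))
    score += (len(pw) >= 8) + (len(pw) >= 12)
    return "weak" if score <= 2 else "medium" if score <= 4 else "strong"


def dictionary_meter(pw: str) -> str:
    """Dictionary-aware meter: strip a trailing run of digits/symbols, undo a few
    common substitutions, and reject passwords whose core is a known word."""
    core = re.sub(r"[\d\W_]+$", "", pw).lower()          # "Password1+" -> "password"
    core = core.translate(str.maketrans("@$10", "asio"))  # "p@ssw0rd" -> "password"
    if len(pw) < 8 or core in COMMON_WORDS:
        return "weak"
    return "strong" if len(pw) >= 14 else "medium"


def compare(passwords):
    """Map each password to (ad-hoc label, dictionary-aware label)."""
    return {pw: (classes_meter(pw), dictionary_meter(pw)) for pw in passwords}


def disagreements(passwords):
    """Passwords the two meters label differently, as the study found across sites."""
    return [pw for pw, (a, b) in compare(passwords).items() if a != b]


if __name__ == "__main__":
    # Constructed sample inputs, including the article's own "Password1+".
    sample = ["Password1+", "P@ssw0rd", "correct horse battery staple", "abc"]
    for pw, labels in compare(sample).items():
        print(f"{pw!r:32} ad-hoc={labels[0]:7} dictionary={labels[1]}")
```

Note that the disagreement runs both ways: the long passphrase scores only "medium" on the class-counting meter because it uses few character classes, while the dictionary-aware meter rates it strong.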

To further reinforce his point about keeping strong passwords that aren't easily crackable, Mr. Mannan created an add-on that generates object-based passwords from private images, SelfiePass/ObPwd, for #-Link-Snipped-# and #-Link-Snipped-#. To read the team's entire research work, check their PDF, forthcoming in the journal ACM Transactions on Information and System Security (TISSEC).

What are your thoughts about password strength meters found on your favorite websites? Share with us in comments below.

Source: Does your password pass muster? - Concordia University
