Ankita
Member • Mar 26, 2015
Weakness In Password Strength Meters Exposed By Concordia University Research
Our digital lives dictate us to use passwords on a daily basis. Be it for checking your mail or getting access to a new application, passwords have become a norm for protecting our account details. Though it is well known that attackers are able to guess or crack these passwords with various techniques and to fight that various apps want you to keep stronger passwords. In fact, most apps we use today, don't let us move forward till we choose a password that adheres to their security policies via password-strength meters or checkers. However, the recent study by researchers at Concordia University suggests that these meters do not significantly improve the user's password quality and thus aren't really doing much to protect the user's account from password cracking attacks.
If you have created an account on Google or Amazon or any other popular web-based service recently, you must've seen the red / yellow / green bar that rates the new password’s strength. If you try different combinations of alphanumeric characters, special symbols and different cases, you will find that these meters let you choose passwords like "Password1+" which is not only a very weak password but also evidence enough to questioning the effectiveness of these so called password meters or checkers. Therefore, researchers Mohammad Mannan and Xavier de Carné de Carnavalet from Concordia University's Institute for Information Systems Engineering, took up the task of testing the strength of various password meters and exposed that they are indeed very weak.
Assistant Professor Mohammad Mannan and his colleagues
The researchers duo sent millions of passwords through meters used by several popular websites including Google, Dropbox, Twitter, Yahoo! and Skype and found that most of their password systems were based on ad-hoc design and the results were highly inconsistent. The passwords that were considered strong on one site would be called weak on another site's password meter/checker. So, the team documented several source-available meters; inferred the algorithm behind the closed-source ones; and measured the strength labels assigned to common passwords from several password dictionaries.
In their paper titled 'A Large-Scale Evaluation of High-Impact Password Strength Meters', the researchers have shared details of their analysis of how the server-end of some web service meters functions, provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. They believe that their research and findings may help design better meters and even develop an effective tool in the days to come.
To further enforce his point about keeping strong passwords that aren't easily crackable, Mr. Mannan created an add-on to generate object-based passwords from private images, SelfiePass/ObPwd for #-Link-Snipped-# and #-Link-Snipped-#. To read the team's entire research work, check their PDF forthcoming in the journal ACM Transactions on Information and System Security (TISSEC).
What are your thoughts about password strength meters found on your favorite websites? Share with us in comments below.
Source: Does your password pass muster? - Concordia University
If you have created an account on Google or Amazon or any other popular web-based service recently, you must've seen the red / yellow / green bar that rates the new password’s strength. If you try different combinations of alphanumeric characters, special symbols and different cases, you will find that these meters let you choose passwords like "Password1+" which is not only a very weak password but also evidence enough to questioning the effectiveness of these so called password meters or checkers. Therefore, researchers Mohammad Mannan and Xavier de Carné de Carnavalet from Concordia University's Institute for Information Systems Engineering, took up the task of testing the strength of various password meters and exposed that they are indeed very weak.
Assistant Professor Mohammad Mannan and his colleagues
The researchers duo sent millions of passwords through meters used by several popular websites including Google, Dropbox, Twitter, Yahoo! and Skype and found that most of their password systems were based on ad-hoc design and the results were highly inconsistent. The passwords that were considered strong on one site would be called weak on another site's password meter/checker. So, the team documented several source-available meters; inferred the algorithm behind the closed-source ones; and measured the strength labels assigned to common passwords from several password dictionaries.
In their paper titled 'A Large-Scale Evaluation of High-Impact Password Strength Meters', the researchers have shared details of their analysis of how the server-end of some web service meters functions, provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. They believe that their research and findings may help design better meters and even develop an effective tool in the days to come.
To further enforce his point about keeping strong passwords that aren't easily crackable, Mr. Mannan created an add-on to generate object-based passwords from private images, SelfiePass/ObPwd for #-Link-Snipped-# and #-Link-Snipped-#. To read the team's entire research work, check their PDF forthcoming in the journal ACM Transactions on Information and System Security (TISSEC).
What are your thoughts about password strength meters found on your favorite websites? Share with us in comments below.
Source: Does your password pass muster? - Concordia University