Sites using password strength meters criticised by security expert
23 August 2016 - 17:18 by Graham Miller
When creating an account on a website which purports to offer safe shopping online, consumers will usually be asked to provide a password which will be used to grant them access in the future and prevent malicious third parties from logging in.
In an attempt to encourage people to choose passwords that are difficult to guess, some sites include a strength meter which gauges the resilience of a password in real time as it is entered. But industry expert Mark Stockley has argued that this system is actually having the opposite effect, according to the Register.
In a test of five of the most widely used strength meters, Stockley found that not one of them was capable of identifying the entry of the most widely used, and thus weakest, passwords currently in circulation.
He went through some of the top phrases from a list of thousands of passwords which are regularly chosen by people from across the world, many of which are thoroughly clichéd and thus entirely possible for a hacker to guess in just a few attempts. Some of the strength meters even said that a password as basic as ‘abc123’ was strong enough to avoid being compromised. This is clearly not the case.
Even password meters which are deemed to be above average in terms of their ability to pick out weak phrases did not manage to pass Mr. Stockley's tests. And his findings back up an earlier report from Microsoft which said that these meters really did little to improve things and could actually give people a false sense of security by failing to detect easily guessable passwords.
Experts recommend that people who want to enjoy safe shopping online should select passwords that contain a random mix of letters and numbers, while avoiding obvious choices such as names, dates of birth and basic phrases.
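To illustrate the failure described above, here is an added example (not from the article or from Stockley's tests): a naive character-class meter of the kind many sites ship rates 'abc123' as acceptable, while a meter that first checks normalised forms of the input against a list of the most common passwords rejects it. The seven-entry denylist is a constructed stand-in for a real most-used-passwords list.

```javascript
// Constructed stand-in for a real list of the most commonly used passwords.
const COMMON_PASSWORDS = new Set([
  "123456", "password", "abc123", "qwerty", "letmein", "iloveyou", "admin",
]);

// Typical meter: scores only length and character classes, never the
// password itself, so a clichéd password with mixed classes scores well.
function naiveMeter(pw) {
  let score = 0;
  if (pw.length >= 6) score++;
  if (pw.length >= 10) score++;
  if (/[a-z]/.test(pw)) score++;
  if (/[A-Z]/.test(pw)) score++;
  if (/[0-9]/.test(pw)) score++;
  if (/[^A-Za-z0-9]/.test(pw)) score++;
  return score <= 2 ? "weak" : score <= 4 ? "medium" : "strong";
}

// Normalised forms so trivial variants of a listed password still match:
// lower-cased, trailing digits/punctuation removed, and common
// letter-for-symbol substitutions undone.
function candidateForms(pw) {
  const leet = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[0-9!@#$%^&*.?_-]+$/, "");
  const forms = [lower, stripped];
  for (const f of [lower, stripped]) {
    forms.push(f.replace(/[013457@$]/g, (c) => leet[c]));
  }
  return forms.filter((f) => f.length > 0);
}

// Denylist check first; only passwords not on the list reach the heuristic.
function denylistAwareMeter(pw, denylist = COMMON_PASSWORDS) {
  if (candidateForms(pw).some((f) => denylist.has(f))) return "weak";
  return naiveMeter(pw);
}

for (const pw of ["abc123", "P@ssw0rd", "Password1!", "Tr0ub4dor&3"]) {
  console.log(pw, "naive:", naiveMeter(pw), "denylist-aware:", denylistAwareMeter(pw));
}
```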