Password Strength Meters Really Do Encourage Better Passwords

By Wesley Fenlon

Judgmental red text does its job, but only under the right conditions.

The meter sneers back at you, its bar only halfway filled. The red text is half warning, half condemnation. Password strength: Weak. What do you do? Maybe you delete your clearly unworthy password--a password you may have used on other sites. Or maybe you just go with it--what does that meter know, anyway?

According to a new scientific study written up on Ars Technica, password meters do actually have a positive effect on some people as they set up their passwords online. What's interesting is when password strength meters have a positive influence. When users are setting up passwords for new accounts, the meters don't really affect them, because they're most likely to just default to a password they've previously used. But when users are changing existing passwords on high-value accounts to improve their security, the strength meter encourages them to pick a password that earns a strong rating.

Photo credit: Flickr user formalfallacy via Creative Commons.

Even better: After two weeks, the study's participants who changed their passwords to be longer and more complex had no more trouble remembering them. Unfortunately, a couple negative statistics weigh down the findings. For one, meters appear rarely on pages for changing an existing password. And even worse, while the meters demonstrably do cause Internet users to aim for safer passwords, the rating system behind those meters isn't the best benchmark for security.

"the widely used zero-order entropy rating system is a poor metric for measuring the strength of passwords," writes Ars Technica. "The strength of the passcodes "Pa$$word1" and "$ecretPa$$word1" (minus the quotes) is 59.1bits and 98.5bits respectively. That's much higher than many passwords offer. What the scoring system fails to account for is that both passwords are so widely used that they're inevitably included in wordlists used in cracking attacks. These are among the first passwords to fall in typical cracking attacks. By contrast, the password "lkx8q2pe0" is considerably stronger because it would require time-consuming brute-force techniques to crack it, and yet it offers just 46.5 bits."

Ars goes into greater detail about the methodology of the test--check it out, and remember to enable two-factor authentication on your accounts when possible.