Are you sure the password you created for your gmail or Facebook account strong enough? Well, if you went by the green bar that indicated your password to be strong enough, then it may not be as fool-proof as you thought, warns new research slated to be published in the journal ACM Transactions on Information and System Security. The new research from the Concordia University exposes the weakness of password strength meters, and shows consumers should remain sceptical when the bar turns green in order to create strong passwords.
"We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another," said lead researcher professor Mohammad Mannan. "These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters," he added.
Researchers sent millions of not-so-good passwords through meters used by several high-traffic web service providers, including Google, Yahoo!, Dropbox, Twitter and Skype. They also tested some of the meters found in password managers, allegedly designed with the relevant expertise. But on the other hand, our findings may help design better meters, and possibly make them an effective tool in the long run," said co-researcher Xavier de Carne de Carnavalet.
So what can companies do? Start by emulating Dropbox, the researchers recommend. The popular file-sharing site had the most robust password strength meter, and the software is open-source. "Dropbox's rather simple checker is quite effective in analysing passwords, and is possibly a step towards the right direction.
"Any word commonly found in the dictionary will be automatically be caught by the Dropbox meter and highlighted as weak," Mannan explained. "That automatically prompts users to think beyond familiar phrases when creating passwords," he said.