A Password-Strength Meter Doesn’t Really Measure Strength at All

Please don’t use a word from the dictionary as your password.

Nicholas Kamm/AFP/Getty Images

If you’ve ever made an online account, then you’ve come across a password strength meter—that little thing that encourages you to add a little more complexity to your credentials. And, if you’re like me, you ultimately acquiesce—though maybe with a sigh of annoyance—because they force a little bit more safety into your online life. But that safety may be an illusion.

On Sophos’ Naked Security, web consultant Mark Stockley writes about his investigation into password strength meters. It was a repeat of an experiment he ran in 2015, and the new results were not encouraging.

To test password strength meters, Stockley chose five passwords that would, in his words, “fail a genuine cracking attempt instantly” and then ran them through five popular password strength meters. If the meters were at all up to snuff, they should have rejected every one of his proposed passwords. Simply rejecting all of the passwords wouldn’t actually prove that a meter is good, but Stockley says that accepting any of them would be instantly damning.

His five horrible passwords were chosen from a list of the top 10,000 passwords: abc123, trustno1, ncc1701 (registration number of the USS Enterprise), iloveyou!, and primetime21. (If your password is on this list, change it immediately. A hacker’s first move will be to go through common words and passwords people use—like those on this list—when breaking into your account.)

Stockley found the password meters he tested by Googling “jQuery strength meter” and grabbing the first five that came up. To show what a password strength meter of recognized quality is capable of, Stockley also added zxcvbn—an open-source meter used by Dropbox that he considers a “ringer”—to his test.

Graph by Mark Stockley courtesy of Naked Security.

So most of the meters identified these passwords as “weak,” while some were “medium,” “normal,” “mediocre,” or “good.” But these are all terrible passwords. The fact that they were rated anything beyond “very weak” is alarming. “The ringer, zxcvbn, identified the five passwords as very weak but none of the first five password strength meters I plucked out of Google did,” Stockley writes.

The bigger problem: Think of a person in your life who you suspect would use abc123 as a password. When faced with a password meter, will he suddenly realize the error of his ways and create a totally random, strong password? Probably not.

When a meter rejects a potential password, many people will simply capitalize an existing letter in their password and add a “1” in place of an “I.” This approach typically appeases a password strength meter. But as Stockley puts it, a hacker’s “first line of attack is likely to be based on dictionary words and rules that mimic the common tricks we use to di5gu!se th3m.”
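To make the contrast concrete, here is an added example (not code from Stockley’s test or from any of the meters he sampled) that puts a naive character-class meter, of the kind the article describes rating these passwords “medium” or “good,” beside a dictionary-aware check that undoes the common disguise tricks before looking the password up. The tiny common-password and dictionary-word lists are constructed for the example; a real check would load the full top-10,000 list the article mentions.

```python
import re

# Constructed stand-in for a "top 10,000 passwords" list (a real check loads the full file).
COMMON_PASSWORDS = {
    "abc123", "trustno1", "ncc1701", "iloveyou", "password",
    "123456", "qwerty", "letmein", "monkey", "dragon",
}

# Constructed stand-in for a word list, used to catch "word(s) + digits/symbol" constructions.
DICTIONARY_WORDS = {"i", "love", "you", "prime", "time", "trust", "no",
                    "password", "monkey", "dragon", "let", "me", "in"}

# The substitutions people use to "di5gu!se" dictionary words.
LEET_MAP = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
            "@": "a", "$": "s", "!": "i"}
STRIP_CHARS = "0123456789!@#$%^&*()_-+=.?"


def naive_score(pw):
    """Character-class counter typical of a drop-in web meter: one point per box ticked."""
    score = 0
    if len(pw) >= 8:
        score += 1
    if re.search(r"[a-z]", pw):
        score += 1
    if re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"\d", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    return ["very weak", "weak", "medium", "good", "strong", "very strong"][score]


def normalize(pw):
    """Lower-case, drop the digits/symbols bolted onto the ends, then undo leet substitutions."""
    core = pw.lower().strip(STRIP_CHARS)
    return "".join(LEET_MAP.get(c, c) for c in core)


# Pre-normalized common list so a disguised common password still matches.
COMMON_NORMALIZED = {normalize(p) for p in COMMON_PASSWORDS}


def splits_into_words(s, depth=0):
    """True if s is a concatenation of up to three dictionary words."""
    if s == "":
        return depth > 0
    if depth >= 3:
        return False
    return any(s.startswith(w) and splits_into_words(s[len(w):], depth + 1)
               for w in DICTIONARY_WORDS)


def dictionary_aware_rating(pw):
    """Rate the way a cracking-aware meter would: (label, reason)."""
    core = normalize(pw)
    if core == "":
        return ("very weak", "only digits and symbols")
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_NORMALIZED:
        return ("very weak", "common password, possibly disguised")
    if splits_into_words(core):
        return ("very weak", "dictionary word(s) plus digits/symbols")
    return ("not obviously guessable", "no common password or dictionary pattern found")


def compare(passwords):
    """Map each password to (naive meter label, dictionary-aware label)."""
    return {pw: (naive_score(pw), dictionary_aware_rating(pw)[0]) for pw in passwords}


if __name__ == "__main__":
    # The article's five passwords plus two "appeased the meter" variants.
    samples = ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
               "Tru5tno1", "P@ssw0rd!"]
    for pw, (naive, aware) in compare(samples).items():
        print(f"{pw:12s} naive={naive:12s} aware={aware}")
```

Run as a script, the naive meter rates the article’s five passwords between “medium” and “good” and calls the capitalized, leet-substituted variants “strong” or “very strong,” while the dictionary-aware check rates all seven “very weak” because stripping the tacked-on digits and reversing the substitutions lands back on a common password or a pair of dictionary words.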

If you’re worried, watch a video or read an article on how to make a good password. Better yet, set up a password manager. If your password is predictable to you, then it probably is for a hacker as well, given that your dog’s name, your address, and your college mascot could probably be discovered via your digital footprint. And don’t mistake approval from a password strength meter as validation that you actually have a strong password.