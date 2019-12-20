
Misleading password meters can give further advantage to hackers

Notably, of the 16 tested passwords, ten were explicitly weak passwords and only five of them were consistently scored as such by all the password meters. 


Researchers at the University of Plymouth recently examined the effectiveness of popular password meters that help people choose strong passwords to secure their confidential data against cybercriminals.

Dedicated password meters on some of the world's most popular websites, and those embedded in some common online services including Dropbox and Reddit, offer 'inconsistent and misleading' advice which could actually be doing more harm than good, according to the study published in the journal 'Computer Fraud and Security'.

The study conducted by Steve Furnell, Professor of Information Security and Leader of the Centre for Security, Communications and Network Research, analyzed 16 passwords, including the world's most commonly used passwords ('password' and '123456') against the meters. The study revealed that while some meters do effectively steer users towards more secure account passwords, others will deem an attempted password acceptable.

Password meters themselves are not a bad idea, but you clearly need to be using or providing the right one. It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices.

Furnell

The only positive finding of the study was that a browser-generated password was consistently rated strong, meaning users can seemingly trust these features to do a good job.

"While all the attention tends to focus on the replacement of passwords, the fact is that we continue to use them with little or no attempt being made to support users in doing so properly. Credible password meters can have a valuable role to play but misleading meters work against the interest of security and can simply give further advantage to attackers," Furnell concluded.

The study author has previously shown that most of the top ten English-speaking websites, including Amazon and Wikipedia, offer little or no advice or guidance on creating passwords that are less likely to be hacked.

