Passwords are a weak link in the computer security chain because they rely on us being good at something we find extremely difficult.
And while we aren’t getting any better at choosing strong passwords, password cracking hardware and software continues to improve relentlessly.
Website owners can employ a range of measures to help users choose better, stronger passwords and one of the most popular techniques is to include a password strength meter.
The meters are designed to help users understand if their password choices will resist attempts to crack them.
The trouble is, they don’t quite do that.
The best way to determine how difficult it is to crack a password is to try doing just that.
But attempting to crack passwords requires lots of time and lots and lots of processing power, and it isn’t a practical solution for websites.
The next best option is to try to work out what characteristics passwords that are difficult to crack share, and to check for those instead.
Simple password meters check the length and entropy of the password and have checklists for the kinds of things that users are advised to include in their passwords: mixtures of upper and lower case letters, numbers and special characters, for example.
That helps determine a password’s ability to withstand a brute force attack (an attacker making guesses at random), but being resistant to brute force attacks is only useful if that’s what an attacker is going to do, and it probably isn’t.
A brute force attack assumes that all guesses are equally good.
The reality is that some guesses are far better than others because our password choices are not random – they’re underpinned by patterns and habits.
Modern password cracking is about making smart guesses in the order that’s most likely to yield the greatest number of cracked passwords for the least effort.
Attackers can feed their cracking software with huge repositories of real words and then create rules to modify those words in the same way we do when we create passwords.
They know that some words are used more often than others and they know about the cute tricks and bad habits we use to obfuscate them. They know that we use 0s instead of Os and 4s instead of As, and they know that we tend to put our upper case letters, special characters and numbers at the beginning and end of our passwords.
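To make the contrast concrete, here is an added example (not code from the article or from any of the meters it tested): a checklist/entropy meter of the kind just described, beside a check that first undoes the habits cracking rules already model (case, l33t substitutions, digits and symbols tacked on either end) and then looks the result up in a known-bad list. The list is a constructed stand-in for the common-passwords file; the five ranks are the ones the article quotes, the rest are made up.

```javascript
// Added example, not code from the article or from any meter it tested.

// Constructed stand-in for the "10,000 most common passwords" list. The five
// ranks are the ones the article quotes; the first two entries are made up.
const COMMON_PASSWORDS = new Map([
  ["password", 1],   // constructed rank
  ["123456", 2],     // constructed rank
  ["abc123", 14],
  ["trustno1", 29],
  ["ncc1701", 158],
  ["primetime21", 8280],
  ["iloveyou!", 8778],
]);

const CLASSES = [
  [/[a-z]/, 26], [/[A-Z]/, 26], [/[0-9]/, 10], [/[^A-Za-z0-9]/, 33],
];

// Naive meter: counts the character classes present and estimates entropy as
// length * log2(alphabet size), i.e. it assumes every string is equally likely.
function naiveMeter(pw) {
  const present = CLASSES.filter(([re]) => re.test(pw));
  const alphabet = present.reduce((n, [, size]) => n + size, 0);
  const bits = alphabet ? pw.length * Math.log2(alphabet) : 0;
  let label = "weak";
  if (bits >= 28 && present.length >= 2) label = "medium";
  if (bits >= 36 && present.length >= 2) label = "strong";
  return { bits: Math.round(bits), classes: present.length, label };
}

// Reverse of the mangling rules an attacker applies: lower-case, strip
// non-letters from both ends, and undo the usual digit/symbol substitutions.
const UNLEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s" };
function variants(pw) {
  const out = new Set([pw, pw.toLowerCase()]);
  for (const v of [...out]) out.add(v.replace(/^[^A-Za-z]+|[^A-Za-z]+$/g, ""));
  for (const v of [...out]) out.add(v.replace(/[0134578@$]/g, (c) => UNLEET[c]));
  out.delete("");
  return out;
}

// Guess-aware check: a password is only as strong as the most common variant
// a rule-based guesser would reach; the rank is the number of guesses needed.
function guessAwareCheck(pw) {
  let best = null;
  for (const v of variants(pw)) {
    const rank = COMMON_PASSWORDS.get(v);
    if (rank !== undefined && (best === null || rank < best.rank)) best = { variant: v, rank };
  }
  return best
    ? { reject: true, rank: best.rank, reason: `matches common password #${best.rank} ("${best.variant}")` }
    : { reject: false, rank: null, reason: "no known-bad variant" };
}

function compare(pw) {
  return { password: pw, naive: naiveMeter(pw), aware: guessAwareCheck(pw) };
}

// The article's five test passwords plus one constructed l33t decoration.
const SAMPLES = ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21", "P@ssw0rd!"];
for (const row of SAMPLES.map(compare)) {
  console.log(row.password.padEnd(12), row.naive.label.padEnd(7), row.aware.reason);
}
```

The naive meter calls four of the five "strong" and the l33t-decorated one strongest of all, while the guess-aware check rejects every one of them with the number of guesses it would actually take.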
To illustrate the difference, I thought I’d run a test on the kind of password strength meters that web developers are likely to include in a website.
I chose five truly awful passwords and then tested them using the first five embeddable password strength meters I found…
I downloaded a list of the 10,000 most common passwords and quickly chose five that had characteristics I thought password strength meters might overrate:
- abc123 – number 14 on the list, first to mix letters and numbers
- trustno1 – number 29, second to mix letters and numbers
- ncc1701 – number 158, registration number of the USS Enterprise
- iloveyou! – number 8778, first with non-alphanumeric character
- primetime21 – number 8280, longest with letters and numbers
Be in no doubt, these passwords are dreadful and offer no useful protection; they’re short and non-random, they include dictionary words, the numbers are always tacked on the end in a predictable way, and they appear in a list of words anyone can download off the internet.
Just in case you’re still not convinced about how bad they are I’ll show you.
I measured how long it takes to crack them using a password cracking program, John the Ripper, with an out-of-the-box configuration running on a normal, two-year-old laptop. The times are rounded to the nearest second:
| Password | Time to crack (Day:Hour:Min:Sec) |
|---|---|
| abc123 | 0:00:00:00 |
| trustno1 | 0:00:00:00 |
| ncc1701 | 0:00:00:00 |
| iloveyou! | 0:00:00:00 |
| primetime21 | 0:00:00:00 |
They were all cracked instantly, before the first second was up. And I was doing it the slow way – a dedicated password cracker would use proper equipment.
To make this as realistic as possible I tested strength meters that come as jQuery plugins.
If you asked a web developer to add a password strength meter to your website there’s a very good chance they’d use a jQuery plugin – a bit of code that can be dropped into almost any website to extend its functionality.
I googled jquery strength meter and picked the first five I came across so, according to Google at least, these are five of the most popular.
I’ve included the same words (abbreviated) and colours that the password strength meters use in my chart:
Remember that it takes 0 seconds to crack any of these passwords. None of the passwords on my list were anything less than awful.
A password strength meter that doesn’t reject all five out of hand is not up to the job of measuring password strength.
They all failed. And not only that, they don’t agree.
There were no good password strength meters in my test but that doesn’t mean there aren’t good ones out there. Unfortunately, because you don’t know which one you’ll be using next time you type a password into a website, you can’t trust any of them.
I’m not the only one who’s noticed that password strength meters don’t deliver.
Researchers at Concordia University, Montreal published detailed research in 2014 that concluded:
In our large-scale empirical analysis, it is evident that the commonly-used meters are highly inconsistent, fail to provide coherent feedback on user choices, and sometimes provide strength measurements that are blatantly misleading.
There is, however, a faint glimmer of hope.
Research from Microsoft that looked at the success of password strengthening techniques in the real world concluded that despite their inadequacies, password strength meters lead to stronger passwords:
Those who saw a meter tended to choose stronger passwords than those who didn’t, but the type of meter did not make a significant difference.
So, password meters are not a reliable guide to how likely it is that your password will be cracked but they do seem to nudge people in the direction of creating stronger passwords in general.
If you want to know how to be sure that you’re generating strong passwords take a look at our video on how to pick a proper password:
52 comments on “Why you can’t trust password strength meters”
I use a password manager on my home pc. I don’t access any personal accounts from any other computers. I have my passwords saved to USB drive that does not leave my computer desk. My boss asked me to check my personal e-mail at work one day, I told her I can’t, I didn’t know the password, there was a pause on the phone, and I told her the above. I’m the network admin, so I suppose she thought I was doing it for a reason. A month later she freaked about hearing a news piece on ransomware. She really didn’t get the seriousness of hacking and security until then.
But what do you use as a password for the password manager?
The closest I’ve seen to a ‘good’ password strength indicator is ‘zxcvbn’ by the makers of Dropbox. It isn’t a website you can visit but a piece of software you can plug into other websites. It does some very clever things to recognize bad passwords, including having a massive database of insecure passwords. So the password “this is a test” is significantly LESS secure than “this is a tes”, whereas traditional strength indicators will see it as more secure. I include it in all my projects where a password is required.
For my own passwords I use a password manager like Tom, except I use one that syncs across all my machines for convenience.
Yes, I’ve heard good things about the Dropbox password strength meter although I’ve not had a good look myself.
I believe it’s mentioned in the first set of research I cite and I know that it was adopted by WordPress from version 3.7 onwards for its quality.
The database of bad passwords is really important – indeed, IIRC, the second bit of research I cited went so far as to suggest that a list of bad passwords is probably a better place to start than many other methods of ensuring password quality such as poor quality strength meters and password policies.
There is a website you can visit: [deleted]
This is the best I have seen. Not only does it rate the password, it shows time to crack by various cracking speeds, and notes when it’s a commonly used password. I tested “3edc4rfv5tgb”, which might seem strong, and it shows a crack in less than 1 second to 32min on a fast cracker and also that it’s in a known database!
I set up a Dropbox account, but I can’t find any password checker. I think that this capability is no longer offered by Dropbox.
It’s not a service offered by Dropbox. It’s an open-source code library, source of which is hosted on Github right now: https://github.com/dropbox/zxcvbn
That link is now broken.
Deleted the link, thanks.
Anton Dedov has done some excellent work evaluating password strength meters and zxcvbn does OK.
There are so many rules one could follow that WOULD make good passwords; it’s a shame people don’t use them as much. Simple things like:
Capitalize the SECOND letter of words instead of the first. Or the last.
Put a punctuation mark or number in the middle of your password. Preferably in the middle of a word. But, NOT as a replacement character.
Repeat previous with a number, but again, not replacing a letter.
Deliberately miszspell a word. (Just make sure your misspelling accidentally creates two real words, like “missspell” (“miss” & “spell”) would have if I added an “s” instead.)
Or watch the video 🙂
All incredibly weak rules and tricks. And I don’t mean that as an insult or anything. What you’re describing still takes dictionary words or natural language in any case as a basis and simply applies some methodology of butchering it. Those rules can easily be described in a password cracker’s code. And go through all of the possible combinations stupidly fast.
Best still is to just go literally random. Simply because the only avenue of attack that leaves open is bruteforce and that one is very easy to counter — going wide. 16 completely random characters is already harrowing for most bruteforce attacks. Now extend that to 32. Or heck, like my Mojang account’s password — 512. Yeah, that’ll never be bruteforced.
yeah but you’ll also never remember it on your own.
I use an algorithm I’ve memorized which incorporates the name of the site into it, but only for coming up with the characters to use – no substitutions or dictionary words. the result is 32+ char passwords that are random enough to count.
Passfault is an interesting open source project to address many of these inadequacies. http://www.passfault.com/ Not sure if it’s still active.
I think there would be real value to displaying what password meter was being used with a link to its methods. Then you could at least decide for yourself if you trust it.
Regarding the implementation details I think that’s a good idea. Most people won’t bother to look but some will and we could use a bit of an arms race.
I tried a few of my dreadful test passwords on passfault and the results are highly ambiguous. For example abc123 is rated at less than 1 day to crack and is identified as one amongst 5 million passwords with the same pattern. It is, but that’s missing the point – abc123 is not just another six character alphanumeric string. It doesn’t have a one in five million chance of being guessed it has about one in fourteen.
For abc123 the only right answer is total rejection in my opinion. zxcvbn seems to be trying to do the things you’re talking about.
the rule of thumb that everyone should be aware of: dictionary/social attack.
1. if your password consists of any word(s) in the dictionary, reguardless of case, number of words, forwards or backwards; then it is unsecure and can be ‘cracked’ within 1 second.
2. if your password is mentioned anywhere on the web, such as a phrase in any language (real or made up), it is insecure and can be ‘cracked’ within 5 seconds. – google can show you the time it takes for its own search engine to match your search words, use this as a guide if you truly believe your poetry (even fake languages) will save you.
3. if your password has anything to do with YOU! :> not just d o b, any address you live(d) at, phone numbers, car reg plate, anything you type on facebook/twitter/social media; your password can be ‘cracked’ in 10 seconds.
This might seem like ‘tin hat’ but these 3 rules are more accurate than you think, possibly even being too generous with the time required.
The time taken by Google to match a search query is unrelated to the time it takes to guess a password that consists of that search string.
I don’t understand one thing – how does a PW cracker know that the PW has been cracked without trying it on the site that requires it?
It should be that 3 tries locks the site perhaps for some fairly lengthy time so extending cracking time.
Please advise – thanks.
Passwords need to be able to withstand two completely different types of attack; offline and online.
If a hacker is performing an online attack then rate limiting can be extremely effective as you suggest, reducing the number of guesses to perhaps 8,000 a month per user.
If a hacker can steal the password hashes then they don’t have to type anything in to a website and rate limiting does not apply. They can make as many guesses as they like at the fastest speed they can manage.
I cover this in more depth in the article “Do we really need strong passwords?”.
I’ve seen apps vanish or become unusable when the developer orphans them (Why spend $200 + on some apps that may do that?) I don’t trust anything I need to one source or sometimes two. My photos are stored in 3 separate locations, my passwords in 2. One location is encoded in a way I’ve not heard anyone else do and strength checkers that explain why (a facsimile) is weak or strong rates them highly.
I’ve used Donald Watson’s technique of using the first letter of each word, adding numbers, etc and it was pointless as a means to remember.
Make sure to check out the entire range of special characters since there may be more than expected.
Redundancy though. It provides me some peace of mind.
when I was explaining this to staff during Inductions etc. I would talk about two types of attack on their password, and we’ve seen them all in the movies, Brute force, where Bruce Willis plugs a gizmo into the computer he is trying to hack and you see it trying all the possible passwords and social knowledge where Bruce Willis looks around the desk that the computer is on and then types in the name of the owners dog which is handily visible on a picture on their desk. whilst these are not brilliantly accurate examples of how attackers carry out these techniques it allows a dialogue from where you can expand your explanation. Because people are familiar with seeing these on TV it makes it more real to them, or at least helps get the message across.
Lee does not provide any evidence for this sentence: “1. if your password consists of any word(s) in the dictionary, reguardless of case, number of words, forwards or backwards; then it is unsecure and can be ‘cracked’ within 1 second.”
A password made of 4 unrelated English words, all lowercase, is still one in tens of million of millions and cannot be guessed within 1 sec without specialized hardware.
“Lee does not provide any evidence for this sentence: “1. if your password consists of any word(s) in the dictionary, reguardless of case, number of words, forwards or backwards; then it is unsecure and can be ‘cracked’ within 1 second.”
A password made of 4 unrelated English words, all lowercase, is still one in tens of million of millions and cannot be guessed within 1 sec without specialized hardware.”
He is referring to the case where skilled hackers, working either for a government agency or a well-organized criminal enterprise gets a hold of the database of password hashes, after which cracking can begin at leisure. Given that these are professionals who do this for a living, either on salary or in exchange for a cut of the ill-gotten gains, they will have specialized software and hardware. Think Chinese military or Russian gang-financed hacker.
A strong password works to preserve your privacy because of a kind of triage. If your password hash can’t be cracked within a certain number of tries, the program presumably moves on to the next hash, rather than spend the next couple years working on yours. A strong password works for the person who uses it in the same way that a steering wheel lock convinces a car thief to move on to a softer target – a vehicle without such a lock.
And this is exactly why I have doubts about some of the theories here.
As someone who has worked closely with people specialized in things like this, I have seen a point at which it is no longer feasible or cost-effective to hack passwords. At that point, especially for groups with resources like you mention, it is much more effective to hack the actual system, so they can bypass security altogether. Hacking one person’s password will get you access to that person’s data. But bypassing security altogether will get you access anywhere. So, all the time we spend on making secure passwords, should not take our attention away from creating any actual security.
Take your home for example. One could spend hundreds (if not thousands) of dollars outfitting your front door with multiple locks, specialized security keys and locks, maybe even biometric security and so on and so forth. At that point, any burglar will understand it is just that much easier to just break the window next to it, bypassing your front door security. Not a completely 100% accurate comparison, but you get the idea.
A better example might be the scene from RED, in which Bruce Willis (yeah, him again) and Mary-Louise Parker stand in front of the CIA secure records depository and she asks him if he can open it. Upon which he answers “It can be hacked, it resets every six hours” (or something similar, it’s been a bit since I saw it). He subsequently proceeds to kick in the wall next to it to open the lock from there.
The point at which password crackers stop bothering is called the saturation threshold (Microsoft Research reckon that it’s reached – very roughly – when about 10% of passwords in a system have been cracked). After that it’s just not worth bothering to crack any more, either because the costs outweigh the rewards or because you’ve got enough access across the passwords you’ve cracked to compromise an entire network.
Your job as a user is to choose a password that is above the saturation threshold. Unfortunately you don’t know anything about the other passwords and cannot judge where the saturation point is for a given system. Your only rational choice is to pick a password that is likely to remain unguessed for a very long time against a determined and very well equipped adversary (for more on this see “Do we really need strong passwords?” https://nakedsecurity.sophos.com/2014/10/24/do-we-really-need-strong-passwords/)
Your job as a sysadmin protecting a system is to focus on strengthening the passwords below the saturation point for your system. For more on this, see “Stop wasting time making the wrong passwords stronger” https://nakedsecurity.sophos.com/2016/11/23/stop-wasting-time-making-the-wrong-passwords-stronger/
We recently had a meeting with some security people regarding our NEN7510/ISO27001 status, at which point an interesting point was made.
The biggest problem with enforcing stronger and more difficult passwords is the people who have to use them. When the passwords become too difficult for people to just remember them, they create workarounds, potentially creating even bigger security hazards. And the eternal battle for security continues.
It depends on what you enforce, no?
Password research, and the advice that flows from it, has turned a corner in the last few years. There is a lot of old advice out there that seems like it ought to work which fails in the real world because, as you say, it actually pushes people into workarounds that weaken security.
It’s why NIST and other bodies have stopped suggesting you force users to update passwords on an arbitrary schedule (https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/).
Probably the most useful thing you can do to stop people choosing bad passwords is to simply block known bad passwords. You can protect yourself from bad passwords that slip through that check, and from the threat of password reuse, by blocking access after a few failed login attempts and adopting 2FA.
This is all very interesting information, I think I’m going to share this at work, if you don’t mind.
In the Netherlands, there is an organisation called Nictiz, which is often referred to for security issues like this. However, I personally don’t agree with some of their guidelines. Their definition of 2FA for example is “2FA consists of one thing you know, and one thing you have”. By their definition, having a password and a personal ssl certificate is adequate security. However, since we deal with healthcare organisations, most of our users are going to be on the road or at home with patients. The risk of their hardware getting lost or stolen is quite high. This makes the second step in 2FA, having a personal certificate, almost completely ineffective, since any thief will now also have that certificate.
Well, the thing there is — why bother remembering them? Anything that can be remembered by default is weak. Because human memory simply is that… weak, by comparison anyhow. Best way still is to use a standalone password manager (so no MITM or otherwise is possible) and to rely on random passwords generated by the manager.
Yes, that still leaves the question of malware intrusion on the system the manager is run from but, honestly, if there’s the risk of that, password generation is the least of the security concerns to be worried about.
Well, your option does rule out certain options of intrusion mentioned above, so there’s that. Provided the password manager is sufficiently secure…
Do I have a good password then? My password is very random, I came up with it at the top of my head, and it had no words, it’s random numbers, symbols, and letters mixed together.
post it here and we’ll tell you
I use a native american language dictionary for the word or words I use. plus random numbers followed by random special characters. I change passwords regularly and never use the same one twice. it seems to keep me safe from the prying eyes of hackers. I’ve never heard of hackers using the 1800 or so native american language dictionaries. that’s why WW2 code talkers were so successful.
Obscurity is a lousy security mechanism. If you thought of it using rare language dictionaries, assume the hackers have too. It cost little or nothing to add an Inuit dictionary to the hacking database.
Another problem with using a language you don’t understand (or a glossary of phrases that mean nothing to you) is that you have no obvious way of judging how suitable or rare your choice might be.
For example, to an American, a pair of words like “Stamford Bridge” might seem equal in rarity to “Surbiton Tunnel,” or “Old Trafford” might seem equal to “New Malden,” but a quick experiment with a search engine will reveal otherwise.
Gentlemen, I believe you missed the part of Mark Mcduffee’s comment that clearly stated that he includes random numb3rs & symbo!s in his passwords , thereby creating a stronger password. He also stated that he changes it often & never uses the same one twice. Seems to be a more secure system of choosing a password than most.
Juanita, what is your definition of random? From your example, it doesn’t seem likely to be valid.
What about 3-factor ID SW like Symantec’s offering to various companies?? Doesn’t that multiply the magnitude of the effort — even if your Password is hacked??? HeLLO???
regardless does not contain the letter ‘U’, hence a good password option
So what if you have some random nonsense (well, not totally random, but some nonsense for a source well known and loved, but not like a novel, movie but rather a technical source of limited interest (like the part number of some car or remote control toy or something), split by a repeated figure, with a couple of symbols and upper and lower case characters thrown in for good measure and it’s 20 – 25 figures in total?
How’s that for a password?
I agree with this. I tell my friends and clients to apply leeting of O=0 but use a mix of two lines from favourite films/songs/bands/albums eg. “We the people” and “In the air tonight” would be W3th3p30p13!nth3@!rt0n!ght. Easy to remember… bugger to crack
The main reason I wouldn’t trust online password meter is that they make the perfect honeypot for people collecting passwords for the dictionaries.
2 — Use it as an indicator. So, generate a dummy password that follows the guidelines of whatever password you wish to check and simply check that dummy password, to get an idea of how strong the actual password would be.
This article came out last month, titled “The Guy Who Invented Those Annoying Password Rules Now Regrets Wasting Your Time”: [link removed]
Apparently NIST just came out with new guidance to replace the 2003 guidance everyone is using these days (which requires mixed upper/lowercase, numbers, special characters). The new guidance advises against requiring different character classes, and recommends simply to use longer passwords.
Indeed. You can find a summary of NIST’s guidelines here: https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/
…and our write up of Bill Burr’s regrets here:
The problem is that you’re using weak (semi-)random passwords to check password strength indicators that are just doing it wrong. You can trust them and random passwords if you just do it correctly.
Having coded a password manager myself I can pretty much guarantee you one thing over any and all other things — the longer, the better. Forget silly rules or tricks, just go wide. And do not use any services that do not support going wide. The point is, the wider your password generation rules, the larger the set of possible passwords becomes and the longer it would take to crack it. To which end perfectly random (without any rules to avoid double characters or w/e) passwords that are as long as is allowed simply is the best.
how does a password cracker know when it has cracked the password?
Generally speaking, crooks who are trying to crack passwords have access to a list of hashed passwords stolen from a service provider:
The list of hashes is the very same database that the service uses to verify that a user supplied the right password (they store the hashes to avoid storing the raw password, which wouldn’t need cracking at all).
So the crooks try password after password against the hashed password for your account, just as the service provider would when you logged in, until they find a password that matches your hash.
Typically, they can’t crack passwords online because there will be some kind of rate limit imposed, precisely to stop anyone guessing too fast and often. But if you have a copy of the password database offline, then you get to set your own rate limit – i.e. none. You just keep guessing as fast as you can until you hit the jackpot (or give up).
Sometimes, a service doesn’t limit online guesses properly, so crooks can try passwords at high speed online. In that case (say, a web login portal) they can tell they’ve cracked the password by monitoring the reply sent by the server. When the “login error” message goes away and “welcome to XYZ” appears instead, they know they’ve done it…
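The online/offline distinction in that reply, as an added example that is not code from the comment or from any real service: the same hash comparison serves both the login handler, which can lock an account after a few failures, and an offline guesser holding a stolen copy of the hash table, which nothing can rate-limit. The hash is a constructed FNV-1a stand-in so the example runs anywhere; it is not a password hash and only plays the role of "the value the service stores".

```javascript
// Added example, not code from the comment above or from any real service.

// Constructed stand-in hash (32-bit FNV-1a). Deterministic and tiny so the
// example is self-contained; it is NOT a password hash.
function toyHash(salt, password) {
  let h = 0x811c9dc5;
  for (const ch of `${salt}:${password}`) {
    h ^= ch.charCodeAt(0);
    h = Math.imul(h, 0x01000193) >>> 0;
  }
  return h.toString(16).padStart(8, "0");
}

// What the service stores per user: a salt and a hash, never the password.
function makeRecord(username, password) {
  const salt = `${username}-salt`; // constructed; real salts are random
  return { username, salt, hash: toyHash(salt, password), failures: 0, locked: false };
}

// The comparison the service makes at login. Whoever holds a stolen copy of
// the record can make exactly this call, as often as their hardware allows.
function verify(record, guess) {
  return toyHash(record.salt, guess) === record.hash;
}

// Online path: the service sits in front of verify() and stops answering
// after MAX_FAILURES wrong guesses, the "3 tries locks" idea from the thread.
const MAX_FAILURES = 3;
function onlineLogin(record, guess) {
  if (record.locked) return "locked";
  if (verify(record, guess)) {
    record.failures = 0;
    return "welcome";
  }
  record.failures += 1;
  if (record.failures >= MAX_FAILURES) record.locked = true;
  return "login error";
}

// Offline path: no limit exists; the loop simply ends when verify() first
// returns true. Reports how many comparisons that took.
function offlineGuess(record, candidates) {
  for (let i = 0; i < candidates.length; i++) {
    if (verify(record, candidates[i])) return { found: candidates[i], tries: i + 1 };
  }
  return { found: null, tries: candidates.length };
}

// Constructed wordlist: the article's five test passwords, in list order.
const WORDLIST = ["abc123", "trustno1", "ncc1701", "primetime21", "iloveyou!"];

function demo() {
  const account = makeRecord("alice", "ncc1701"); // constructed user
  const replies = ["abc123", "trustno1", "primetime21", "ncc1701"]
    .map((g) => onlineLogin(account, g));
  // The third failure locks the account, so even the right password is refused
  // afterwards: replies end "login error", "login error", "login error", "locked".
  const offline = offlineGuess(makeRecord("alice", "ncc1701"), WORDLIST);
  // Against the stolen record the same password falls on the third comparison.
  return { replies, offline };
}
console.log(demo());
```

The lockout protects the live login endpoint only; once the hash table itself has leaked, the only thing standing between the guesser and the password is how far down the guess list that password sits.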
Here is a good way to make a memorable password that is hard to guess and you will rarely find in a database. Choose a set of words that are meaningful to you at the time. Take the initial letter of each word. Choose one or more to be capital and the remaining lower case; making sure to always have a mix of both. Now, in between each letter put at least one number and one special character. Make sure you have a minimum of three words and you will meet the minimum character requirements of most sites.
If you have to have a password greater that nine characters, simply add more initials of words or more numbers and special characters. Just make sure these are memory association related items.
I have several passwords using this technique that are greater than twelve characters and I have no issues in remembering them.
Here is a slightly broader set of ideas, with some visuals to show you how you can do it: