- Reaction score
- 1,678
The meters that supposedly tell you when you’ve entered enough different characters to make a secure password when signing up for a new site are next to useless, according to a web security consultant.
The meters, which often appear as a bar that goes from red to green, rank passwords using traditional measures such as complexity, length and character use, but it turns out most fail to spot easy to guess or predictable passwords. This results in them giving users a false sense of security, or worse, downright terrible advice.
Mark Stockley, founder of Compound Eye web consultants, said: “The trouble is that most password strength meters don’t actually measure password strength at all. The only good way to measure the strength of a password is to try and crack it – a serious and seriously time consuming business that requires specialist software and expensive hardware.”
Instead password strength meters measure entropy – the amount of time or energy needed to crack a password using brute force methods. The longer and more complex the password, the longer it will take to crack by simply iterating through a list of all possible passwords. According to Stockley, however, brute force is a password cracker’s last resort.
“Their first line of attack is likely to be based on dictionary words and rules that mimic the common tricks we use to di5gu!se th3m. Measuring entropy doesn’t tell us anything about that,” Stockley said.
The meters, which often appear as a bar that goes from red to green, rank passwords using traditional measures such as complexity, length and character use, but it turns out most fail to spot easy to guess or predictable passwords. This results in them giving users a false sense of security, or worse, downright terrible advice.
Mark Stockley, founder of Compound Eye web consultants, said: “The trouble is that most password strength meters don’t actually measure password strength at all. The only good way to measure the strength of a password is to try and crack it – a serious and seriously time consuming business that requires specialist software and expensive hardware.”
Instead password strength meters measure entropy – the amount of time or energy needed to crack a password using brute force methods. The longer and more complex the password, the longer it will take to crack by simply iterating through a list of all possible passwords. According to Stockley, however, brute force is a password cracker’s last resort.
“Their first line of attack is likely to be based on dictionary words and rules that mimic the common tricks we use to di5gu!se th3m. Measuring entropy doesn’t tell us anything about that,” Stockley said.
Password strength meters fail to spot easy-to-crack examples
Popular password meters don’t pick up on awful character sequences that are obvious to hackers, giving users a false sense of security and bad advice
www.theguardian.com
Last edited by a moderator: