- Jun 24, 2016
Password strength meters fail to spot easy-to-crack examples:
SOURCE: theguardian.com (ARTICLE DATE: 19th Aug 2016)
The meters that supposedly tell you when you’ve entered enough different characters to make a secure password when signing up for a new site are next to useless, according to a web security consultant...
Mark Stockley, founder of Compound Eye web consultants, said: “The trouble is that most password strength meters don’t actually measure password strength at all. The only good way to measure the strength of a password is to try and crack it – a serious and seriously time consuming business that requires specialist software and expensive hardware.”
Stockley tested five popular password strength meters: jQuery Password Strength Meter for Twitter Bootstrap, Strength.js, Mato Ilic’s PWStrength, FormGet’s jQuery Password Strength Checker and Paulund’s jQuery password strength demo.
He used five of the worst passwords possible that appear on a list of the 10,000 most common passwords: abc123, trustno1, ncc1701 (registration number of Star Trek’s USS Enterprise), iloveyou! and primetime21. All five were broken by the open-source password cracking software John the Ripper in under a second.
He also tested what is considered to be one of the best password strength meters, the open-source zxcvbn, which is used by Dropbox and WordPress, among others.
The five popular password meters failed to successfully spot that all five tested passwords were terrible, while zxcvbn identified them as very weak. Arguably they should all simply tell the users not to use the passwords at all. One even ranked trustno1, iloveyou! and primetime21 as “good”...
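As an added illustration, not code from the article or from any of the meters it names: a character-class meter of the kind many drop-in widgets implement (an assumed heuristic, not any named meter's logic) beside a check that first consults a common-password list, run over the five passwords from the article. The list contents are a constructed sample standing in for the 10,000-entry list.

```javascript
// Constructed sample standing in for the "10,000 most common passwords" list.
// The five entries from the article are joined by a few more common ones.
const COMMON_PASSWORDS = new Set([
  "abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
  "password", "123456", "qwerty",
]);

// Assumed naive meter: scores length and character-class variety only.
// It never asks whether the string is guessable, which is the failure
// the article describes.
function naiveScore(pw) {
  let score = 0;
  if (pw.length >= 8) score += 1;
  if (/[a-z]/.test(pw)) score += 1;
  if (/[A-Z]/.test(pw)) score += 1;
  if (/[0-9]/.test(pw)) score += 1;
  if (/[^A-Za-z0-9]/.test(pw)) score += 1;
  return score; // 0..5
}

function naiveLabel(pw) {
  const s = naiveScore(pw);
  return s >= 3 ? "good" : s === 2 ? "fair" : "weak";
}

// Guessability-first check: a password found on a common list is cracked in
// the first few guesses regardless of its character classes, so it is
// rejected outright instead of being scored.
function guessabilityLabel(pw) {
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) return "reject";
  return naiveLabel(pw);
}

// Side-by-side verdicts for one password.
function compare(pw) {
  return { password: pw, naive: naiveLabel(pw), checked: guessabilityLabel(pw) };
}

const ARTICLE_PASSWORDS = ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21"];
for (const pw of ARTICLE_PASSWORDS) console.log(compare(pw));
```

With this heuristic, trustno1, iloveyou! and primetime21 reach three classes and are labelled "good", while the list check rejects all five.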
[To read the full article please visit the link at the top of page]