Security News Most Password Strength Meters are Useless!

Logethica

Logethica

Level 13
Thread author
Verified
Top Poster
Well-known
Jun 24, 2016
636
Password strength meters fail to spot easy-to-crack examples:
SOURCE: theguardian.com (ARTICLE DATE: 19th Aug 2016)

The meters that supposedly tell you when you’ve entered enough different characters to make a secure password when signing up for a new site are next to useless, according to a web security consultant...

4287.jpg


Mark Stockley, founder of Compound Eye web consultants, said: “The trouble is that most password strength meters don’t actually measure password strength at all. The only good way to measure the strength of a password is to try and crack it – a serious and seriously time consuming business that requires specialist software and expensive hardware.”

Stockley tested five popular password strength meters jQuery Password Strength Meter for Twitter Bootstrap, Strength.js, Mato Ilic’s PWStrength, FormGet’s jQuery Password Strength Checker and Paulund’s jQuery password strength demo.

He used five of the worst passwords possible that appear on a list of the 10,000 most common passwords: abc123, trustno1, ncc1701 (registration number of Star Trek’s USS Enterprise), iloveyou! and primetime21. All five were broken by the open-source password cracking software John the Ripper in under a second.

He also tested what is considered to be one of the best password strength meters, the open-source zxcvbn, which is used by Dropbox and Wordpress, among others.

The five popular password meters failed to successfully spot that all five tested passwords were terrible, while zxcvbn identified them as very weak. Arguably they should all simply tell the users not to use the passwords at all. One even ranked trustno1, iloveyou! and primetime21 as “good”...

[To read the full article please visit the link at the top of page]
 
  • Like
Reactions: Terry Ganzi, frogboy, Countryboy_MN and 7 others
A

Aura

Level 20
Verified
Jul 29, 2014
966
Why would you even test your passwords? Simply use a password generator (I use the one from LastPass), generate a random 20-25 characters long password and that's it. The only "memorizable" password I have is the one for LastPass and it's like 20 characters long with caps, numbers, special characters, etc.
 
  • Like
Reactions: frogboy, Countryboy_MN, OokamiCreed and 5 others
O

Omnipotent

Aura said:
Why would you even test your passwords? Simply use a password generator (I use the one from LastPass), generate a random 20-25 characters long password and that's it. The only "memorizable" password I have is the one for LastPass and it's like 20 characters long with caps, numbers, special characters, etc.
Click to expand...
Do you use the same single password generated by LastPass for all of your online accounts, or different generated ones for each account? Since the password being generated is strong and the chances of it being cracked is minuscule wouldn't it be right to use the same strong password for every account, or have different strong passwords for all of your accounts stored in LastPass? I have LastPass installed but to be honest, I've never touched it. Not trying to hack you or anything, just curious.
 
  • Like
Reactions: OokamiCreed, Deleted Member 3a5v73x, DardiM and 2 others
A

Aura

Level 20
Verified
Jul 29, 2014
966
I use a different randomly generated password for each website. I use a mix of 20-25 characters long passwords (depending on how many characters the website can handle). Some of them aren't that long (because of the requirements once again). In total, it took me like 3 hours to change the password of every accounts I own. I was keeping track of it using the LastPass Security Challenge since I wanted a higher score. That's how it started :p
 
  • Like
Reactions: OokamiCreed, Deleted Member 3a5v73x, DardiM and 2 others
DardiM

DardiM

Level 26
Verified
Honorary Member
Top Poster
Malware Hunter
Well-known
May 14, 2016
1,597
Thanks for the share :)

It has already happened that I tried to register on a website where each time I was entering a password to create my account, an error message occurred :

Example :

1) "Avy12@!_zer46^"

=> "not special character plz"

2) "Avy12000zer460"

=> "not number plz"

3) "AvyACftTzerPle"

=> "only 8 chars max"

4) "AcATe"

=>" 5 chars mini plz"

@DardiM : Ok good bye ...

It's a real example (apart the passwords :p ), no clues about what was the min / max and char allowed
 
Last edited:
  • Like
Reactions: frogboy, LASER_oneXM, OokamiCreed and 2 others
NekoHr

NekoHr

Level 3
Verified
Well-known
Feb 5, 2016
139
Or try changing password on Yahoo, it accepts whatever length you write in but than just trim to 32 characters with no info that it did that.

Why is after all this time such a problem to have info on the side explaining what are requirements.
 
  • Like
Reactions: Logethica and DardiM
You must log in or register to reply here.

Similar threads

Gandalf_The_Grey
    • +Reputation
    • Like
    • Thanks
Password strength explained
Replies
5
Views
815
Passwords and passkeys
mlnevese
mlnevese
Gandalf_The_Grey
    • Like
    • +Reputation
    • Thanks
The most hacked passwords list 2023
Replies
2
Views
1,379
News Archive
plat
P
Templar
    • Like
Serious Discussion Passkeys actually useless at this time? Please clarify!!!
Replies
4
Views
487
General Security Discussions
Templar
Templar

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top