A study by researchers at Concordia University has found that the meters many websites use to tell you whether your password is strong enough aren’t very useful. Part of the problem is that each site uses a different metric for assessing what counts as a “strong” or “weak” password. This lack of agreement on password strength can confuse users, since the same password might be rated strong at one site but weak at another.
The researchers tested millions of weak passwords, focusing on high-traffic sites such as Yahoo!, Google, and Twitter. They found a lot of inconsistency between these meters. Based on these results, they worry that many of these sites aren’t really helping users choose better passwords, but they are confident that this new information could lead to better systems for password management. So far, though, their concerns have fallen on deaf ears: they’ve contacted a number of sites with their research, but most have simply not replied, much less changed the way they assess passwords.
One site does stand out, though: Dropbox, which the researchers suggest is a good model moving forward. Its password checker is rather simple and automatically disapproves of any password that contains a word from the dictionary, whereas many other sites simply require that passwords contain different character sets, such as upper- and lower-case letters, which doesn’t guarantee password strength. The Dropbox software forces users to think of other, less common choices and get away from common phrases that might be easy to guess. The software is also open-source, meaning that developers could easily use it on their own sites.
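To make the two points above concrete, the inconsistency between meters and the difference between a character-set policy and a dictionary-aware one, here is an added illustration in Python. It is not code from the Concordia study or from Dropbox's own open-source checker; it is a pair of deliberately simplified meters. The word list, the leet-speak substitution table and the length thresholds are all constructed for the example.

```python
"""Two simplified password strength meters, shown side by side so that
their disagreement is visible.

Added illustration, not code from the Concordia study or from Dropbox.
COMMON_WORDS and LEET_MAP are small constructed stand-ins for the real
dictionary and leaked-password lists a production checker would use.
"""
import string
from typing import Optional

# Constructed sample word list standing in for a real dictionary.
COMMON_WORDS = {
    "password", "welcome", "dragon", "monkey", "letmein", "qwerty",
    "football", "princess", "sunshine", "iloveyou", "admin", "login",
}

# Common "leet" substitutions; guessing tools already try these, so a
# dictionary-aware meter should undo them before looking for words.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def class_based_score(pw: str) -> str:
    """Meter A: the character-set policy many sites use.

    Counts how many character classes appear (lower, upper, digit,
    punctuation) and never looks at whether the content is guessable.
    """
    charsets = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)
    classes = sum(1 for cs in charsets if any(c in cs for c in pw))
    if len(pw) < 8 or classes < 2:
        return "weak"
    return "strong" if classes >= 3 else "medium"


def contains_dictionary_word(pw: str, min_len: int = 4) -> Optional[str]:
    """Return the first dictionary word found inside the password, or None.

    The search is case-insensitive and is repeated on a copy of the
    password with leet substitutions reversed, so "P@ssw0rd" still
    matches "password". Longer words are tried first.
    """
    forms = {pw.lower(), pw.lower().translate(LEET_MAP)}
    for form in forms:
        for word in sorted(COMMON_WORDS, key=len, reverse=True):
            if len(word) >= min_len and word in form:
                return word
    return None


def dictionary_based_score(pw: str) -> str:
    """Meter B: the Dropbox-style policy described in the article.

    Any password built around a dictionary word is rejected outright,
    regardless of how many character classes it mixes in. Passwords
    that survive the dictionary check are then rated on length.
    """
    if contains_dictionary_word(pw):
        return "weak"
    return "strong" if len(pw) >= 12 else "medium"


def compare(pw: str) -> dict:
    """Run both meters on one password so the disagreement is explicit."""
    return {
        "class_based": class_based_score(pw),
        "dictionary_based": dictionary_based_score(pw),
    }


if __name__ == "__main__":
    # Constructed sample inputs (not real user passwords).
    for candidate in ("P@ssw0rd1!", "correcthorsebatterystaple", "Tr0ub4dor&3"):
        print(f"{candidate!r}: {compare(candidate)}")
```

Running the block shows the inconsistency the study describes: "P@ssw0rd1!" satisfies every character-class rule and is rated strong by meter A, yet meter B rejects it because, once the substitutions are undone, it is just "password". The reverse also happens: a long all-lowercase passphrase fails meter A's class count but passes meter B. A practitioner reading a meter's verdict should therefore ask which of these two questions the meter is actually answering.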
Until sites begin to develop better password-checking software, whether based on the Dropbox model or something else, it’s up to users to create the strongest passwords they can. The researchers suggested that the strongest systems are based on using images, such as pictures taken of the user, but these options are still few and far between.