DELHI: In this digital life passwords have become a norm for protecting our account details. Though it is well known that attackers are able to guess or crack these passwords with various techniques and to fight that various apps want to keep stronger passwords. In fact, most apps today don’t let users move forward till to choose a password that adheres to their security policies via password-strength meters or checkers.
However, the recent study by researchers at Concordia University suggests that these meters do not significantly improve the user’s password quality and thus aren’t really doing much to protect the user’s account from password cracking attacks.
If users have created an account on Google or Amazon or any other popular web-based service recently, they must’ve seen the red / yellow / green bar that rates the new password’s strength. If try different combinations of alphanumeric characters, special symbols and different cases, you will find that these meters let they choose passwords like “Password1+” which is not only a very weak password but also evidence enough to questioning the effectiveness of these so called password meters or checkers. Therefore, researchers Mohammad Mannan and Xavier de Carné de Carnavalet from Concordia University’s Institute for Information Systems Engineering, took up the task of testing the strength of various password meters and exposed that they are indeed very weak.
The researchers’ duo sent millions of passwords through meters used by several popular websites including Google, Dropbox, Twitter, Yahoo! and Skype and found that most of their password systems were based on ad-hoc design and the results were highly inconsistent. The passwords that were considered strong on one site would be called weak on another site’s password meter/checker. So, the team documented several source-available meters; inferred the algorithm behind the closed-source ones; and measured the strength labels assigned to common passwords from several password dictionaries.
In their paper titled ‘A Large-Scale Evaluation of High-Impact Password Strength Meters’, the researchers have shared details of their analysis of how the server-end of some web service meters functions; provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. They believe that their research and findings may help design better meters and even develop an effective tool in the days to come.
To further enforce his point about keeping strong passwords that aren’t easily crackable, Mr. Mannan created an add-on to generate object-based passwords from private images, SelfiePass/ObPwd for Android and Firefox.
