Password meters actually work
Posted on 15 May 2013.
Password strength meters work, but only when users are choosing or changing passwords for "important" accounts, a group of researchers has found. They also confirmed that users are no more likely to forget a "strong" password than a "weak" one.

By using two different types of meters and comparing their results against those of a control group that was shown no meter at all, they discovered that it doesn't matter what type of meter is used - whether it relies on peer pressure or on the user's existing motivation to choose a password that would be considered "strong", whether it is vertical or horizontal, or whether it uses words, graphics or both - as long as one is used.

The testing was performed both in a laboratory and in the field, and the tested individuals were unaware that passwords were the subject of the experiment, so that their behaviour would not be influenced: the researchers simply added an account creation page to a website being used for another, unrelated study.

"One of our findings is that password meters do not yield much improvement in helping users choose passwords for unimportant accounts, yet they are very commonly deployed in such contexts. Equally, where meters make a difference—password changes for important accounts—they are less often seen. Thus, practice at real sites appears to be very far from what our results dictate. This indicates a real opportunity for improvement," the researchers pointed out.

The report includes more details about the researchers' approach and tentative conclusions about password reuse and other topics. It is a really good read that also touches on a (in my opinion) not well enough known tendency of people to heed subtle encouragements or nudges - a tendency that should definitely be taken into consideration when designing systems that are both more secure and more user-friendly.
