Web Form Password Strength Meters Are Useless

I recently had a client ask me to build them a password strength meter for an account signup form. Thinking that this was a good idea, I set out to do some research to see what has been done on this topic and start coding. I quickly stopped when I realized what a pointless exercise this was going to be.

Who Determines What Makes a Good Password?

Google, and countless other web sites, expound on how having strong passwords is a good way to prevent someone from hacking anything that you protect with a password. The problem is, who determines what constitutes a strong password? For example, according to Microsoft, “A strong password should appear to be a random string of characters to an attacker. It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.” While Google says that good passwords should, “include punctuation marks and/or numbers, mix capital and lowercase letters, include similar looking substitutions, such as the number zero for the letter ‘O’ or ‘$’ for the letter ‘S’, create a unique acronym, and include phonetic replacements, such as ‘Luv 2 Laf’ for ‘Love to Laugh’.” (Note that Google also says, “Don’t use a password that is listed as an example of how to pick a good password.”)

What authority or group says that any password is good enough? None. There is no body that certifies a standard for strong passwords in the way that, say, the W3C approves web standards. The general school of thought on secure passwords is to make them so nonsensical that they can’t be guessed or cracked using things like dictionary attacks and rainbow tables. There are no official certifications or rules that determine that a password is strong, because no one can guarantee that any password is safe. No matter how many characters you use, or whether you mix upper and lower case and special characters, a password is just a string of text that can be recreated by a machine or a human.

Password Strength Meters – A False Sense of Security

Any password strength meter you see on the web relies on a set of basic rules and simply tells you how many of those rules the text you typed in happens to match. The more rules you match, the stronger your password is supposed to be. But this is a lie. This is merely a way to give you a warm, fuzzy feeling that the jumbled mess you’d see if you ripped all the keys off your keyboard and threw them on the floor is a good password, when really the problem lies in the system that checks passwords.
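To make the point concrete, here is an added example (not code from the original post) of the rule-counting logic that these meters implement, next to a check for the thing the rules never see: a common word dressed up with the very substitutions and suffixes the rules reward. The rule set mirrors the Microsoft/Google advice quoted above; the list of common words is constructed for the example (a few are taken from the comments below) and stands in for a real breached-password list.

```python
import re

# Rules a typical web-form meter counts (constructed to mirror the quoted
# "upper, lower, digit, symbol, length" advice; not any real site's code).
RULES = {
    "length_8_plus": lambda p: len(p) >= 8,
    "has_upper": lambda p: re.search(r"[A-Z]", p) is not None,
    "has_lower": lambda p: re.search(r"[a-z]", p) is not None,
    "has_digit": lambda p: re.search(r"\d", p) is not None,
    "has_symbol": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
}

# Constructed stand-in for a leaked-password list; a real deployment would
# use a large corpus of known-compromised passwords here.
COMMON_WORDS = {"password", "letmein", "qwerty", "welcome",
                "ferret", "cosmos", "polo", "bullet"}

# Undo the "similar-looking substitutions" the meter rewards: @->a, $->s,
# 0->o, 1->l, 3->e, !->i (assumed mapping for the example).
LEET = str.maketrans("@$013!", "asolei")


def rule_score(password: str) -> int:
    """Number of rules matched: the 'strength' most meters report (0..5)."""
    return sum(1 for check in RULES.values() if check(password))


def looks_predictable(password: str) -> bool:
    """True if the password is a common word plus the decorations that a
    rule-counting meter treats as strength (trailing digits/symbols, leet)."""
    core = re.sub(r"[\d\W_]+$", "", password)   # strip trailing "1!" padding
    core = core.lower().translate(LEET)           # reverse the substitutions
    return core in COMMON_WORDS


def compare(candidates):
    """Side-by-side view: meter score vs. whether the password is predictable."""
    return {p: {"meter": rule_score(p), "predictable": looks_predictable(p)}
            for p in candidates}


if __name__ == "__main__":
    for pw, verdict in compare(["P@ssw0rd1!", "Ferret123",
                                "correct horse battery staple"]).items():
        print(f"{pw!r}: meter={verdict['meter']}/5 "
              f"predictable={verdict['predictable']}")
```

Run as written, the meter gives “P@ssw0rd1!” a perfect 5/5 while the predictability check flags it as a decorated “password”; the long passphrase scores lower on the rules even though no substitution trick reduces it to a dictionary word.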

Protect the User, Punish the Abuser

While it’s obvious that using common passwords, basic words, personal information, and other easily guessable data for a password should never be done, we also shouldn’t force users to jump through hoops to create difficult-to-concoct, impossible-to-remember passwords. When you make users create bizarre strings of text to remember, they won’t, so they either end up writing them down or using an application that stores all these complex passwords in one spot – which is protected with another password (better hope that one’s a goodie, since if it gets hacked then all your others are kaput!).

So what to do? Instead of enforcing a set of rules for password complexity, make the system smarter. Computers excel at running through enormous amounts of data to try to brute-force their way into password-protected systems. So why do we let them try? Why do developers and designers create password-protected systems where a user or computer can repeatedly and endlessly enter passwords? Any system that allows a password to be entered repeatedly and incorrectly without having the account disabled or flagged is vulnerable. This type of system merely delays the inevitable. The solution is nothing earth-shattering, but it does rely on common sense — password-protected systems should disable a user’s account after a certain number of failed login attempts. Enter the wrong password a fourth time and whammo, you can’t even try a fifth time. Imagine a popular club where you need to give the bouncer a password to enter. Do you think that he’ll stand there and let you guess different passwords all night, or is he going to throw you out after you’ve failed three times? You could also develop a system to unlock a disabled account automatically after a period of time so further attempts could be made. While you’re at it, why not send an email alert to an administrator with information about the disabled account?
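The three pieces described above (lock after the fourth failure, automatic unlock after a period, and an alert to an administrator) fit together as in the following added example. This is illustrative code written for this page, not the client’s login system: the 15-minute unlock window is an assumption (the post leaves the period open), the credential store and hashing parameters are constructed for the demo, and the alert is a plain callback where a real system would send the email.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass

MAX_FAILURES = 4            # "wrong a fourth time and whammo"
LOCKOUT_SECONDS = 15 * 60   # assumed auto-unlock window (not from the post)

# --- constructed credential store for the demo -----------------------------
_SALT = b"constructed-demo-salt"   # a real store uses a random salt per user


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


USERS = {"alice": _hash("correct horse battery staple")}


def verify(username: str, password: str) -> bool:
    """Constant-time compare; hash even for unknown users so timing is uniform."""
    candidate = _hash(password)
    stored = USERS.get(username)
    return stored is not None and hmac.compare_digest(stored, candidate)


# --- the lockout logic -------------------------------------------------------
@dataclass
class AccountState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class LoginGuard:
    """Counts failed logins per account, locks at MAX_FAILURES, auto-unlocks
    after LOCKOUT_SECONDS, and fires `alert(username, state)` on each lock."""

    def __init__(self, verify_password, alert=None, clock=time.time):
        self._verify = verify_password        # callable(username, password) -> bool
        self._alert = alert or (lambda username, state: None)
        self._clock = clock                   # injectable for testing
        self._state: dict[str, AccountState] = {}

    def _get(self, username: str) -> AccountState:
        return self._state.setdefault(username, AccountState())

    def is_locked(self, username: str) -> bool:
        st = self._get(username)
        if st.locked_until and self._clock() >= st.locked_until:
            st.locked_until = 0.0     # window elapsed: unlock automatically
            st.failures = 0           # and give the user a fresh allowance
        return st.locked_until > 0.0

    def attempt(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied', or 'locked'."""
        if self.is_locked(username):
            return "locked"           # locked accounts are not even checked
        st = self._get(username)
        if self._verify(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.locked_until = self._clock() + LOCKOUT_SECONDS
            self._alert(username, st)  # where the admin email would go
            return "locked"
        return "denied"


def simulate():
    """Four wrong guesses, a correct guess while locked, then one after unlock."""
    alerts = []
    now = [1_000_000.0]               # fake clock so the demo runs instantly
    guard = LoginGuard(verify, alert=lambda u, st: alerts.append(u),
                       clock=lambda: now[0])
    results = [guard.attempt("alice", "wrong") for _ in range(4)]
    results.append(guard.attempt("alice", "correct horse battery staple"))
    now[0] += LOCKOUT_SECONDS         # advance past the lockout window
    results.append(guard.attempt("alice", "correct horse battery staple"))
    return results, alerts


if __name__ == "__main__":
    print(simulate())
```

Because the lock is keyed on the username, anyone who knows the username can trigger it; that is the denial-of-service concern a commenter raises below, and the timed auto-unlock is what bounds the outage to one window rather than leaving the account disabled indefinitely.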

The Bottom Line

While no one has thought up an easy-to-use system better than passwords for protecting information, password strength meters are simply a waste of time and just AJAX eye candy. Instead of giving users feedback on how many arbitrary rules the text they enter for a password meets, modify the login system to block repeated failed login attempts.

Getting back to my client who asked for the meter in the first place, they’re quite happy without one, and even happier that their login form disables accounts after too many unsuccessful login attempts.

6 thoughts on “Web Form Password Strength Meters Are Useless”

  1. People do forget passwords, and when they do they will try to remember it by entering different combinations of their password both 3 and 5 times. Therefore I think your suggestion is onto something, but I would not make it as advanced as you suggest. I think it’s better to keep it simple. Google and Hotmail are great examples of this. They don’t disable a user’s account after a certain number of failed login attempts; instead – after a certain number of failed login attempts – you’ll have to solve a captcha for every new attempt.

    Good article though :)

  2. But I believe that therein lies the flaw with both your Google and Hotmail examples, both of which have been hacked despite the CAPTCHAs. CAPTCHAs are great for separating people from machines, but they don’t prevent someone from sitting down and attempting to hack their way into a system. By locking an account after X failed attempts, and then requiring some other form of authentication, you’re making it far more difficult for someone to hack their way in, as opposed to throwing up the CAPTCHA barrier which may simply slow them down. In general I agree with you in terms of keeping things simple, but by doing so in terms of account security I think we need to make the hurdles a bit higher.

  3. You can’t just disable accounts; that opens a laughably simple DoS. Just write a script to repeatedly try to log into the account of someone you don’t like, and it will stay disabled forever. This has actually happened to banks before.

    What happens when the CAPTCHA is broken, as it has been before?

    What happens if the server is broken into and someone gets ahold of all the password hashes? I’d sure like my password to be harder to crack.

  4. @Eevee
    Any server admin knows the difference between a DoS attack, a legitimate user entering their password incorrectly, and a scripted attempt to login to someone else’s account. Setting up a job to monitor that is what I was referring to. And my point is not to stop people from coming up with strong passwords, just the opposite. I’m against the false sense of security that password meters imply.

  5. Who exactly do you think is going to encourage good password practices, if not the applications requesting the passwords? I’ve had several leaked password lists land on my desk in the past few years, and you would not believe how many worthless passwords there are out there. I’m looking at such a list right now, and I see winners like ‘ferret’, ‘cosmos’, ‘polo’, ‘bullet’, and yes, ‘password’.

    If the constraints are bad, then fine, complain about that. There are tons of braindead password rules floating around, and having a strength meter or not doesn’t do anything to change that. But I hardly see a problem with a little password meter that, at the very least, prevents people from using bare dictionary words as passwords. It’s not a false sense of security; it does in fact increase security. Servers do get broken into sometimes. Your clever monitoring applet will be wrong sometimes. (Not sure how you intend to differentiate between a user who’s forgotten his password and someone deliberately keeping an account locked, btw.) A good password will help protect against these things.

  6. Eevee, I think you’re missing the argument here. He’s not arguing against strong passwords, but rather the false sense of security that password strength meters are implying. A developer can require any type of complexity in a password, and they should; however, who is to say what qualifies as secure? These meters that pop up are just at the whim of whoever designed them and meet no criteria. The side argument is that too many systems allow incorrect passwords to be entered infinitely, or at least enough to allow them to be cracked, rather than either asking for some form of authentication or disabling the account. Cheers.
