I recently had a client ask me to build them a password strength meter for an account signup form. Thinking that this was a good idea, I set out to do some research to see what had been done on this topic and start coding. I quickly stopped when I realized what a pointless exercise this was going to be.
Who Determines What Makes a Good Password?
Google, and countless other web sites, expound on how having strong passwords is a good way to prevent someone from hacking anything that you protect with a password. The problem is, who determines what constitutes a strong password? For example, according to Microsoft, “A strong password should appear to be a random string of characters to an attacker. It should be 14 characters or longer, (eight characters or longer at a minimum). It should include a combination of uppercase and lowercase letters, numbers, and symbols.” Google, on the other hand, says that good passwords should “include punctuation marks and/or numbers, mix capital and lowercase letters, include similar looking substitutions, such as the number zero for the letter ‘O’ or ‘$’ for the letter ‘S’, create a unique acronym, and include phonetic replacements, such as ‘Luv 2 Laf’ for ‘Love to Laugh’.” (Note that Google also says “Don’t use a password that is listed as an example of how to pick a good password.”)
What authority or group says that any password is good enough? There are none! There is no group that is accepted to approve a standard strong password in the same way that say the W3C approves web standards. The general school of thought on secure passwords is to make them so nonsensical that they can’t be guessed or hacked using things like dictionary attacks and rainbow tables. There are no official certifications or rules that determine that a password is strong because no one can guarantee that any password is safe. No matter how many characters you use, whether you use upper and lower case, and special characters, a password is just a string of text that can be recreated by a machine or human.
Password Strength Meters – A False Sense of Security
Any password strength meter you see on the web relies on a set of basic rules and tells you how many of those rules the text you typed in matches. The more rules you match, the stronger your password is supposed to be. But this is a lie. It is merely a way to give you a warm, fuzzy feeling that the jumbled mess you’d see if you ripped all the keys off your keyboard and threw them on the floor is a good password, when really the problem lies in the system that checks passwords.
Protect the User, Punish the Abuser
While it’s obvious that using common passwords, basic words, personal information, and other easily guessable data for a password should never be done, we also shouldn’t force users to jump through hoops to create difficult-to-concoct, impossible-to-remember passwords. When you make users create bizarre strings of text to remember, they won’t, so they either end up writing them down or using an application that stores all these complex passwords in one spot – which is protected with another password (better hope that one’s a goodie, since if it gets hacked then all your others are kaput!).
So what to do? Instead of enforcing a set of rules for password complexity, make the system smarter. Computers excel at running through enormous amounts of data to try and brute force their way into password protected systems. So why do we let them try? Why do developers and designers create password protected systems where a user or computer can repeatedly and endlessly enter passwords? Any system that allows a password to be entered repeatedly and incorrectly without having the account disabled or flagged is vulnerable. This type of system merely delays the inevitable. The solution is nothing earth shattering but it does rely on common sense — password protected systems should disable a user’s account after a certain number of failed login attempts. Enter the wrong password a fourth time and whammo, you can’t even try a fifth time. Imagine a popular club where you need to give the bouncer a password to enter. Do you think that he’ll stand there and let you guess different passwords all night, or is he going to throw you out after you failed three times? You could also develop a system to unlock a disabled account after a period of time automatically so further attempts could be made. While you’re at it, why not send an email alert to an administrator with information about the disabled account.
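One way to implement the lockout just described, as an added example in Python rather than code from the original post: a per-account counter that disables the account on the fourth wrong password, refuses further attempts without even checking them, re-enables the account automatically once the lockout window passes, and hands the administrator alert to a callback. The one-user store, the MAX_FAILURES and LOCKOUT_SECONDS values and the alert callback are assumptions made for the example.

```python
import hmac
import time

MAX_FAILURES = 4           # the fourth wrong password disables the account
LOCKOUT_SECONDS = 15 * 60  # the account re-enables itself after this long

class LoginGuard:
    """Per-account failed-login counter with timed automatic unlock."""

    def __init__(self, verify_password, alert_admin, clock=time.time):
        self.verify_password = verify_password  # callable(user, pw) -> bool
        self.alert_admin = alert_admin          # callable(user, until_ts)
        self.clock = clock                      # injectable for tests
        self.failures = {}      # username -> consecutive wrong passwords
        self.locked_until = {}  # username -> unix time the lockout ends

    def attempt(self, username, password):
        """Return 'ok', 'wrong' or 'locked' for one login attempt."""
        now = self.clock()
        until = self.locked_until.get(username, 0.0)
        if until > now:
            # Disabled: refuse without checking the password, so repeated
            # guessing learns nothing while the lockout is in force.
            return "locked"
        if until:
            # Lockout window has passed: re-enable and count afresh.
            del self.locked_until[username]
            self.failures[username] = 0
        if self.verify_password(username, password):
            self.failures[username] = 0
            return "ok"
        self.failures[username] = self.failures.get(username, 0) + 1
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.alert_admin(username, now + LOCKOUT_SECONDS)  # e.g. email
            return "locked"
        return "wrong"

def make_guard(clock=time.time):
    """Guard over a constructed one-user store; alerts collect in a list."""
    users = {"alice": "correct horse battery staple"}  # constructed sample
    alerts = []

    def verify(username, password):
        stored = users.get(username, "")  # unknown user fails like a wrong pw
        return bool(stored) and hmac.compare_digest(stored, password)

    guard = LoginGuard(verify, lambda u, until: alerts.append((u, until)), clock)
    return guard, alerts
```

A real deployment would keep the counters in the account database rather than in memory and verify against a password hash; the automatic unlock window also bounds how long a legitimate user stays locked out when someone else deliberately types wrong passwords into their account.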
The Bottom Line
While no one has thought up an easy-to-use system that protects information better than passwords do, password strength meters are simply a waste of time and just AJAX eye candy. Instead of giving users feedback on how many arbitrary rules the text they enter for a password meets, modify the login system to lock out repeated failed login attempts.
Getting back to my client that asked for the meter in the first place, they’re quite happy without one, and even happier that their login form disables accounts after too many unsuccessful login attempts.