Comments on: Web Form Password Strength Meters Are Useless

By: kozmonot

kozmonot — Fri, 16 Oct 2009 23:59:07 +0000

Eevee I think you’re missing the argument here. He’s not arguing against strong passwords, but rather the false sense of security that password strength meters are implying. A developer can require any type of complexity in a password, and they should, however who is to say what qualifies as secure? These meters that pop up are just at the whim of whoever designed it and meet no criteria. The side argument is that too many systems allow incorrect password to be entered infinitely, or at least enough to allow them to be cracked, rather than either asking for some form of authentication, or disabling the account. Cheers.

By: Eevee

Eevee — Fri, 16 Oct 2009 20:52:48 +0000

Who exactly do you think is going to encourage good password practices, if not the applications requesting the passwords? I’ve had several leaked password lists land on my desk in the past few years, and you would not believe how many worthless passwords there are out there. I’m looking at such a list right now, and I see winners like ‘ferret’, ‘cosmos’, ‘polo’, ‘bullet’, and yes, ‘password’.

If the constraints are bad, then fine, complain about that. There are tons of braindead password rules floating around, and having a strength meter or not doesn’t do anything to change that. But I hardly see a problem with a little password meter that, at the very least, prevents people from using bare dictionary words as passwords. It’s not a false sense of security; it does in fact increase security. Servers do get broken into sometimes. Your clever monitoring applet will be wrong sometimes. (Not sure how you intend to differentiate between a user who’s forgotten his password and someone deliberately keeping an account locked, btw.) A good password will help protect against these things.

By: admin

admin — Fri, 16 Oct 2009 04:06:12 +0000

@Eevee
Any server admin knows the difference between a DoS attack, a legitimate user entering their password incorrectly, and a scripted attempt to login to someone else’s account. Setting up a job to monitor that is what I was referring to. And my point is not to stop people from coming up with strong passwords, just the opposite. I’m against the false sense of security that password meters imply.

By: Eevee

Eevee — Thu, 15 Oct 2009 17:01:27 +0000

You can’t just disable accounts; that opens a laughably simple DoS. Just write a script to repeatedly try to log into the account of someone you don’t like, and it will stay disabled forever. This has actually happened to banks before.

What happens when the CAPTCHA is broken, as it has been before?

What happens if the server is broken into and someone gets ahold of all the password hashes? I’d sure like my password to be harder to crack.

By: admin

admin — Sat, 19 Sep 2009 18:51:36 +0000

But I believe that therein lies the flaw with both your Google and Hotmail examples, both of which have been hacked despite the CAPTCHAS. CAPTCHAS are great for separating people from machines, but it doesn’t prevent someone from sitting down and attempting to hack their way into a system. By locking an account after X failed attempts, and then requiring some other form of authentication, you’re making it far more difficult for someone to hack their way in as opposed to throwing up the CAPTCHA barrier which may simply slow them down. I, general I agree with you in terms of keeping things simple, but by doing so in terms of account security I think we need to make the hurdles a bit higher.

By: Harald

Harald — Sat, 12 Sep 2009 19:28:00 +0000

People do forget passwords, and when they do they will try to remember it by entering different combination of their password both 3 and 5 times. Therefore I think your suggestion is onto something, but I would not make it as advanced as you suggest. I think it’s better to keep it simple. Google and Hotmail are great examples on this. They don’t disable a user’s account after a certain number of failed login attempts, instead – after a certain number of failed login attempts- you’ll have to solve a captcha for every new attempt.

Good article though :)