Why you can’t trust password strength generators

Angus Kidman 18 August 2016


If a site tells you that a password is "very strong", be wary.

If you've been online longer than a week, you'll have run into a password strength generator. You go to sign up to some sexy new online service, and you have to provide a password. As you type in one of your usual suspects, the strength meter changes colour, and tells you your password is weak, OK or very strong. Problem solved, right?

Not so fast. The key lesson here: you shouldn't be picking your own password in the first place. By far the best way to keep your information secure is to use a different randomly-generated password for every single service you sign up for, and to use a password manager to remember it. That way, if a single service does get hacked and your information leaks, that password can't be reused anywhere else. There are plenty of solid password managers to choose from, and if you've taken the sensible step of installing antivirus software on your devices, it may well include a built-in option you can use. It's even better if the service offers two-factor authentication, so you can only sign in on a new device after being sent a unique one-time code (typically as an SMS).

With that said, what's the issue with password strength generators? It's true that they will stop you from picking stupidly common passwords like "123456" or "iloveyou", and they'll make sure your password meets some minimum requirements (such as including numbers, letters and punctuation). However, testing shows that these generators actually don't do a great job of assessing password strength.

Security software developer Sophos Labs recently carried out an intriguing experiment to demonstrate this. Sophos chose five of the most commonly used password strength generators (freely available code that developers can add to their sites at no charge). Researchers then selected five passwords from a list of the 10,000 most common passwords; any cracker would make use of these kinds of lists when trying to break into a service. The five chosen were:

  • abc123
  • trustno1
  • ncc1701
  • iloveyou!
  • primetime21

Despite mixing letters, numbers and (in one case) punctuation, these aren't strong passwords by any measure. More importantly, the fact that they're on a list of common passwords means they should be rejected by any reasonable strength checker. Yet when run through the selected strength generators, the majority ranked them as "weak", "medium" or "good". A good strength generator would rate them all as "very weak" at best.
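To make the Sophos result concrete, here is an added Python example (not code from the article or from Sophos) that puts a character-class meter of the kind criticised above beside a list-aware one. The ranked list is a constructed excerpt and the scoring thresholds are hypothetical; only the five passwords come from the article.

```python
import math
import string

# Constructed excerpt of a rank-ordered common-password list (the Sophos test
# used the 10,000 most common); the five the article names are included.
COMMON_RANKED = ["123456", "password", "iloveyou", "abc123", "trustno1",
                 "ncc1701", "iloveyou!", "primetime21"]
RANK = {pw: i + 1 for i, pw in enumerate(COMMON_RANKED)}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def naive_strength(pw: str) -> str:
    """Character-class meter of the kind the article criticises: points for
    length and for mixing classes, no check against known passwords.
    Thresholds are hypothetical, chosen to mirror the article's labels."""
    used = sum(1 for cls in CLASSES if any(c in cls for c in pw))
    score = len(pw) + 3 * used
    if score < 8:
        return "weak"
    if score < 12:
        return "medium"
    if score < 16:
        return "good"
    return "very strong"

def estimated_guesses(pw: str) -> float:
    """Guesses an attacker needs: a listed password falls at its list rank
    (the list is tried first, in order); an unlisted one is costed as a
    brute-force search over the classes it actually uses. Characters
    outside the four classes are not counted."""
    if pw in RANK:
        return float(RANK[pw])
    space = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return float(max(space, 1) ** len(pw))

def list_aware_strength(pw: str) -> str:
    """Rate by order of magnitude of guesses, so list membership dominates
    any character mix (the behaviour the article asks of a good meter)."""
    magnitude = math.log10(estimated_guesses(pw))
    if magnitude < 4:
        return "very weak"
    if magnitude < 8:
        return "weak"
    if magnitude < 12:
        return "medium"
    return "good"

if __name__ == "__main__":
    for pw in ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21"]:
        print(f"{pw:12} naive={naive_strength(pw):12} "
              f"list-aware={list_aware_strength(pw)}")
```

Run as a script, it shows the naive meter rating all five as "good" or "very strong" while the list-aware meter rates every one of them "very weak".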

Sophos' recommendation is that if you must include a strength generator on your site, use ZXCVBN, which isn't as popular as most of the choices it tested but does a much better job. For consumers, though, the lesson is simpler: don't trust password strength generators, trust a password manager.

Angus Kidman's Findings column looks at new developments and research that help you save money, make wise decisions and enjoy your life more. It appears Monday through Friday on finder.com.au.

Picture: Shutterstock


One Response

  1. T.Doom, August 18, 2016

    “use a different randomly-generated password for every single service you sign up for, and to use a password manager to remember it”

    right, so what about the times when you need to access that website but you're not on your own device and hence have no access to the password manager?

    how do you keep the password to the password manager? get another password manager? single point of failure? weakest link?
