Why you can’t trust password strength generators

Angus Kidman 18 August 2016


If a site tells you that a password is "very strong", be wary.

If you've been online longer than a week, you'll have run into a password strength generator. You go to sign up to some sexy new online service, and you have to provide a password. As you type in one of your usual suspects, the strength meter changes colour, and tells you your password is weak, OK or very strong. Problem solved, right?

Not so fast. The key lesson here: you shouldn't be picking your own password in the first place. By far the best way to keep your information secure is to use a different randomly generated password for every single service you sign up for, and to use a password manager to remember it. That way, if a single service does get hacked and your information leaks, that password can't be used anywhere else. There are plenty of solid password managers to choose from, and if you've taken the sensible step of installing antivirus software on your devices, it may well include a built-in option you can use. It's even better if the service supports two-factor authentication, so you can only sign in on a new device after being sent a unique one-time code (typically as an SMS).

With that said, what's the issue with password strength generators? It's true that they will stop you from picking stupidly common passwords like "123456" or "iloveyou", and they'll make sure your password meets some minimum requirements (such as including numbers, letters and punctuation). However, testing shows that these generators actually don't do a great job of assessing password strength.

Security software developer Sophos Labs recently carried out an intriguing experiment to demonstrate this. Sophos chose five of the most commonly used password strength generators (freely available code that developers can drop into their sites at no charge). Researchers then selected five passwords from a list of the 10,000 most common passwords; any cracker would try lists like this first when attempting to break into a service. The five chosen were:

  • abc123
  • trustno1
  • ncc1701
  • iloveyou!
  • primetime21

Despite mixing letters, numbers and (in one case) punctuation, these aren't strong passwords by any measure. More importantly, the fact that they're on a list of common passwords means they should be rejected by any reasonable strength checker. Yet when run through the selected strength generators, the majority ranked them as "weak", "medium" or "good". A good strength generator would rate them all as "very weak" at best.

Sophos' recommendation is that if you must include a strength generator on your site, use ZXCVBN, which isn't as popular as most of the choices it tested but does a much better job. For consumers, though, the lesson is simpler: don't trust password strength generators, trust a password manager.

Angus Kidman's Findings column looks at new developments and research that help you save money, make wise decisions and enjoy your life more. It appears Monday through Friday on finder.com.au.

Picture: Shutterstock


One Response to Why you can’t trust password strength generators

  1. T.Doom | August 18, 2016

    “use a different randomly-generated password for every single service you sign up for, and to use a password manager to remember it”

    Right, so what about the times when you need to access that website but you're not on your own device and hence have no access to the password manager?

    How do you keep the password to the password manager? Get another password manager? Single point of failure? Weakest link?
