What are your thoughts on introducing password-strength meters into enterprise settings? I've read mixed conclusions concerning their effectiveness. How could a company go about introducing them?
Ask the expert
SearchSecurity expert Michael Cobb is standing by to answer your questions about enterprise application security and platform security. Submit your question via email. (All questions are anonymous.)
We've all seen it when setting up a new account or changing passwords -- that small meter that indicates how strong a proposed password is considered to be. But how useful is a meter? Do they really result in users choosing stronger passwords or are they just a distraction and ignored?
According to researchers at the University of California at Berkeley, University of British Columbia, and Microsoft Research, meters grading the strength of passwords certainly can result in stronger passwords -- in certain circumstances.
Password meters give simple and immediate visual feedback for what constitutes a strong password. According to the research, the presence of meters resulted in stronger passwords when users were forced to change existing passwords on important accounts, such as online bank and financial service accounts. Passwords generated with the help of meters increased from a median of nine characters to 10, included more special characters and contained more lower-case letters, up from a median of six characters to seven. Peer-pressure motivator meters -- the ones that show how strong a password is compared to others on the same system -- proved slightly more persuasive than those that just rated a password as weak, medium or strong.
The research concluded that users who saw no meter at all chose passwords that on average were 49.3 bits strong. This increased to 60.8 bits when a basic meter was shown, and 64.9 bits for peer-pressure motivator meters.
Interestingly, the researchers also found that these new, stronger passwords weren't harder for users to remember than weaker ones. However, when users were creating a password for an unimportant account (such as fan sites) or setting up a new account, the meters made no observable difference; many users tended to simply reuse weak passwords to protect similar low-risk accounts. There also appears to be a limit as to how strong a password a user can be encouraged to choose. And if meters are too stringent about a password's strength, more often than not users will become frustrated and give up trying to increase their score.
Password-strength meters based on length, complexity and unpredictability measure the effectiveness of a password in resisting both guessing and brute-force attacks. The first factor is determined by how long the password is, complexity is based on how large a set of characters or symbols it is drawn from, and unpredictability is based on whether the password is created randomly or by a more predictable process.
If used correctly, a password meter helps the user choose more crack-resistant passwords, and length is a more effective requirement for producing strong passwords than the use of numerals and special characters. Those that ban or penalize commonly used words provide even better guidance.
There are plenty of open source password meters available that can be added to internal and external Web applications. They are definitely worth adding if site registration is required and the site processes more than just basic personal information. To boost user acceptance, it is critical to provide an explanation as to why a strong password is needed and instructions on what makes it strong. This also helps encourage users to create a stronger password even when creating a new account.
This was first published in October 2013