When you make a new account for any sort of web site or service, there’s usually a helpful-looking meter to tell you how strong the password you came up with is. Don’t listen to those meters.

As time goes on, password cracking tools get better, authentication standards improve to compete with crackers, and best password practices adapt. But according to Mark Stockley at Naked Security, password strength meters have pretty much stayed the same. Last March, Stockley tested five popular password strength meters and they all failed. Now, over a year later, they still failed his simple experiments. For his tests, Stockley picked five passwords from the list of the 10,000 most common passwords:

abc123 – number 14 on the list, first to mix letters and numbers

trustno1 – number 29, second to mix letters and numbers

ncc1701 – number 158, registration number of the USS Enterprise

iloveyou! – number 8778, first with non-alphanumeric character

primetime21 – number 8280, longest with letters and numbers

Then he tested them against five readily available password strength meters: jQuery Password Strength Meter for Twitter Bootstrap, Strength.js, Mato Ilic’s PWStrength, FormGet’s jQuery Password Strength Checker, and Paulund’s jQuery password strength demo, with zxcvbn (a sophisticated, open source meter used by Dropbox and WordPress) alongside them for comparison. When it was all said and done, all but zxcvbn failed, and some even declared the passwords above as “Good.” Every one of those five passwords sits on a public list of the 10,000 most common passwords, which is the first thing a cracking tool tries, so a meter that rates them “Good” is measuring length and character variety rather than how guessable the password is. Stockley’s research confirms what you’ve probably been thinking all along: password strength meters don’t actually help you secure your account very well. You’re better off with a decent password manager, which generates long random passwords that no list contains. You can read more about Stockley’s experiments at the link below.
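To show why a character-class meter passes these passwords while a dictionary-aware one does not, here is an added example (not code from Stockley’s article or from any of the meters he tested). It scores the five passwords above with a naive length-and-character-class meter of the kind the jQuery plugins implement, then with a check that first looks the password up in a common-password list. The list here is a constructed excerpt of a few entries, not the real 10,000-entry file, and the scoring thresholds are assumed for illustration; the leet-substitution table is likewise a simplified assumption.

```javascript
// Constructed excerpt of a common-password list (lowercase). A real check
// would load the full 10,000-entry (or larger) list from a file.
const COMMON_PASSWORDS = new Set([
  "123456", "password", "12345678", "qwerty", "iloveyou",
  "abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
  "letmein", "monkey", "dragon", "baseball", "football",
]);

// Naive meter: one point per length threshold and per character class
// present. This is the general shape of many jQuery strength plugins;
// the exact thresholds here are assumed, not copied from any of them.
function naiveScore(pw) {
  let score = 0;
  if (pw.length >= 6) score += 1;
  if (pw.length >= 8) score += 1;
  if (/[a-z]/.test(pw)) score += 1;
  if (/[A-Z]/.test(pw)) score += 1;
  if (/[0-9]/.test(pw)) score += 1;
  if (/[^A-Za-z0-9]/.test(pw)) score += 1;
  return score; // 0..6
}

function naiveLabel(pw) {
  const s = naiveScore(pw);
  if (s <= 2) return "Weak";
  if (s <= 4) return "Good";
  return "Strong";
}

// Simplified leet-speak reversal so "p@ssw0rd" is recognised as "password".
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

function unleet(s) {
  return s.replace(/[@431!0$57]/g, (c) => LEET[c]);
}

// Dictionary-aware check: exact lookup, then the password with any trailing
// run of digits/symbols removed ("password1", "iloveyou!!"), then the
// leet-reversed form. A hit is Weak no matter how long or varied the string.
function dictionaryLabel(pw) {
  const lower = pw.toLowerCase();
  const candidates = [lower, lower.replace(/[^a-z]+$/, ""), unleet(lower)];
  for (const c of candidates) {
    if (c.length > 0 && COMMON_PASSWORDS.has(c)) {
      return { label: "Weak", reason: `matches "${c}" in the common-password list` };
    }
  }
  // No dictionary hit: fall back to the class-based score, which is only
  // meaningful once the password is not on an attacker's first list.
  return { label: naiveLabel(pw), reason: "no dictionary hit; class-based score" };
}

// Run both meters over a set of passwords and return one row per password.
function compareMeters(passwords) {
  return passwords.map((pw) => {
    const dict = dictionaryLabel(pw);
    return { password: pw, naive: naiveLabel(pw), dictionary: dict.label, reason: dict.reason };
  });
}

// The five passwords from Stockley's test, all taken from the top-10,000 list.
const STOCKLEY_SET = ["abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21"];

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareMeters(STOCKLEY_SET));
}
```

Run with `node meter.js`: the naive meter rates all five passwords “Good” (each scores 3 or 4 of 6 points), while the dictionary check rates all five “Weak” because they match the list directly. The same split shows up for `p@ssw0rd`, which the naive meter calls “Strong” and the dictionary check rejects after leet reversal. This is the behaviour that separates zxcvbn from the other meters in the test: it consults dictionaries before it counts character classes.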



Why you STILL can’t trust password strength meters | Naked Security