I’ve spent a depressingly large proportion of the last few years writing about the fact that so few people recognize that they’re using poor password and PIN selection strategies. This is unsurprising, perhaps. After all, this issue is not just technological, but psychological and even ergonomic. If you’re not confident of your ability to create a sound password, you might use a password strength meter like Microsoft’s. I can’t vouch for how good it is, but a lot of people seem to find it helpful to have some guidance.

However, an article by Mark Stockley for Sophos suggests that a poor meter may be worse than useless. He took five of the 10,000 most common passwords, according to xato.net, all of which the cracking software John The Ripper cracked more or less instantly, and then ran them against five plug-in strength meters. One meter categorized all five as good, another classified two of them as good. Ten were classified as weak by various meters, six as medium, and two as ‘norm’ (normal, presumably).

Stockley’s contention is that:

A password strength meter that doesn’t reject all five out of hand is not up to the job of measuring password strength.

They all failed. And not only that, they don’t agree.

Well, I won’t disagree: the results are inconsistent between meters and the classifications are misleading, unless you believe that ‘iloveyou!’ or even ‘abc123’ are good passwords. Why did they fail so spectacularly? A large part of the answer lies in the fact that the harshest categorization any of them offers is ‘weak’: a meter built that way has no means of saying ‘don’t use this at all’, however quickly a cracker would find it.

There are a number of characteristics you can use to assess the strength and entropy (randomness or unpredictability) of a password or, preferably, passphrase, such as:

Number of characters

Variety of characters – a very long password consisting of the same repeated character is not resistant to password cracking software

The types of character used: alphabetical, numeric, symbols and special characters, and where they’re placed in relation to the other characters. (To take a simple example, when people append a number to their password and simply increment it every time they’re required to change it, that offers no effective barrier to password-cracking software, which routinely tries digits appended to a base word.)

Case sensitivity

Use of dictionary words

Use of character substitutions (such as 0 for ‘o’, or 4 for ‘a’)

There are any number of algorithms that might be used to assess the effectiveness of a given string used as a passphrase. Obviously, some are better than others and you have to expect some variation in categorization. I tried the same passwords against the Microsoft checker, which wasn’t one of those tested by Stockley. Here are the categories assigned by the checker. The number in the first column represents their ranking in the list of 10,000 most common passwords at xato.net.

Ranking  Passphrase   Category
14       abc123       weak
29       trustno1     medium
158      ncc1701      weak
8778     iloveyou!    medium
8280     primetime21  medium

Clearly, there isn’t a separate category for ‘Don’t use this password because an awful lot of other people already do so hackers will find it quickly’. And the fact that trustno1, confirmed by at least one other list to be far more common than ncc1701, is categorized as medium, suggests that ranking (or appearing at all) on such lists is not one of the categorization criteria applied by the Microsoft meter or, apparently, any of the five tested by Stockley.

That’s not to say that the lists are only used by password crackers. At one time, Twitter used a script to check passwords created by its users against a list of strings: if someone tried to set a password that was found on the list, it would not be allowed. And yes, abc123, trustno1, and ncc1701 could be found there (the list was very trivially obfuscated). iloveyou! wasn’t included, though iloveyou was. Nor was primetime21 or anything close to it.

So how do these meters reach their conclusions? Well, one of them considered all five of those passwords ‘good’, so maybe it doesn’t have any negative criteria. All the others considered abc123 weak, even though it consists of a mix of letters and numbers, perhaps because it features two strictly serial sequences (abc and 123).

Perhaps ncc1701 fares better according to some meters because it doesn’t include a dictionary word (though it is, of course, the instantly recognizable number of the Starship Enterprise, which is why so many people use it). iloveyou! probably gains favor because strength meters like passwords that include punctuation characters.
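To make the preceding points concrete (the list of characteristics a meter can score, the absence of a ‘don’t use this’ category, and the Twitter-style list check), here is an added example of a small checker. It is not code from the original article, nor from Microsoft, Twitter or any of the meters Stockley tested. The score weights, category thresholds, COMMON_PASSWORDS set and DICTIONARY are constructed stand-ins for illustration; a real checker would load the full xato.net list and a proper wordlist. The scoring heuristics are the kind a plug-in meter typically uses, not any specific product’s algorithm.

```python
import math
import re

# Constructed stand-ins (assumption: a real checker loads the full xato.net
# 10,000 list and a proper wordlist).  The five passwords from the article
# are included so the lookup can be demonstrated offline.
COMMON_PASSWORDS = {
    "abc123", "trustno1", "ncc1701", "iloveyou", "iloveyou!", "primetime21",
    "password", "123456", "qwerty", "letmein",
}
DICTIONARY = {"love", "trust", "prime", "time", "password", "enterprise"}

# Common character substitutions, undone before any dictionary or list lookup.
LEET = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def naive_entropy_bits(pw: str) -> float:
    """The figure a simplistic meter reports: log2(pool ** len(pw)), where
    pool is the size of the union of character classes present.  It measures
    the search space for a blind brute force, not how guessable pw is."""
    sizes = (26, 26, 10, 32)          # 32 printable ASCII punctuation characters
    pool = sum(n for pat, n in zip(CLASS_PATTERNS, sizes) if re.search(pat, pw))
    return len(pw) * math.log2(pool) if pool else 0.0


def has_sequence(pw: str, run: int = 3) -> bool:
    """True if pw holds `run` consecutive ascending or descending code points
    (abc, 123, cba), case-insensitively."""
    s = pw.lower()
    for i in range(len(s) - run + 1):
        diffs = {ord(s[j + 1]) - ord(s[j]) for j in range(i, i + run - 1)}
        if diffs in ({1}, {-1}):
            return True
    return False


def has_repeat(pw: str, run: int = 3) -> bool:
    """True if one character is repeated `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def _words_in(s: str) -> set:
    return {w for w in DICTIONARY if w in s}


def contains_dictionary_word(pw: str) -> bool:
    return bool(_words_in(pw.lower().translate(LEET)))


def uses_substitution(pw: str) -> bool:
    """A dictionary word appears only once the leet-speak is undone."""
    lower = pw.lower()
    return bool(_words_in(lower.translate(LEET)) - _words_in(lower))


def heuristic_score(pw: str) -> int:
    """Additive score of the kind a plug-in meter computes: reward length and
    character variety, penalise sequences, repeats, dictionary words and
    substitutions.  Higher means 'stronger' in the meter's eyes."""
    score = min(len(pw), 16) * 2                                   # up to 32
    classes = sum(bool(re.search(p, pw)) for p in CLASS_PATTERNS)
    score += (classes - 1) * 8                                     # up to 24
    if has_sequence(pw):
        score -= 15
    if has_repeat(pw):
        score -= 10
    if contains_dictionary_word(pw):
        score -= 10
    if uses_substitution(pw):
        score -= 5
    return score


def in_common_list(pw: str, common=COMMON_PASSWORDS) -> bool:
    """Look the password up in several normalised forms so that 'Tru5tno1!'
    still matches the list entry 'trustno1'."""
    lower = pw.lower()
    forms = {lower, lower.translate(LEET)}
    for f in list(forms):
        forms.add(re.sub(r"[^a-z0-9]+$", "", f))   # drop trailing punctuation
        forms.add(re.sub(r"[^a-z]+$", "", f))      # drop trailing digits too
    return any(f in common for f in forms)


def classify(pw: str, common=COMMON_PASSWORDS) -> str:
    """Category string.  'reject' is the verdict the meters in the article
    cannot give; pass common=set() to see what a list-less meter says."""
    if in_common_list(pw, common):
        return "reject"
    s = heuristic_score(pw)
    return "weak" if s < 10 else "medium" if s < 25 else "good"


if __name__ == "__main__":
    for pw in ("abc123", "trustno1", "ncc1701", "iloveyou!", "primetime21",
               "Tru5tno1!", "Wq7#lmd9Tz!pa"):
        print(f"{pw:14} bits={naive_entropy_bits(pw):5.1f} score={heuristic_score(pw):3d} "
              f"meter-only={classify(pw, set()):7} with-list={classify(pw)}")
```

Run with the list disabled (common=set()) and the heuristics behave much like the meters in the article: abc123 is ‘weak’ because of its two serial sequences, while trustno1, iloveyou! and primetime21 come out ‘medium’ and ncc1701 scores highest of the five precisely because it contains no dictionary word. Add a couple of character classes and a substitution, as in Tru5tno1!, and the heuristic alone calls it ‘good’. With the list enabled, all of those are rejected outright, which is the category the tested meters lack; the normalised lookup is what stops a trivial tweak of a listed password from slipping past.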