Researchers from the Concordia University debunked the myth of ‘strong password’. Several websites during the sign-up process indicate the strength of your password by using some sophisticated algorithms, however, researchers found that these algorithms sometimes can even call a weak password a strong one.
Generally there are red/green/yellow signs indicating the strengths of your password, asking you to add special characters, capital letters and numbers to make it a good one, however, the definition of good and bad password vary from website to website. Researchers found that for one website a password was weak, whereas for another it was under the normal category.
Authors of the study, which is yet to be published in the journal ACM Transactions on Information and System Security (TISSEC), fired thousands of password through these algorithms to see which passwords are more secure and which are not. Surprisingly, a majority of these mechanisms fail to differentiate between a good and bad password. The passwords that were fed to these meters were just average, however, algorithms at the websites, Dropbox, Google, and Yahoo, put a majority of those in the ‘Strong’ category.
Researchers, Mohammad Mannan, and Xavier de Carne de Carnavalet, said that the results for the same password on different password were very inconsistent. One website was giving it a ‘Good-to-go’ signal and the other one was not accepting it.
“We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another,” says Mannan, assistant professor, Concordia’s Institute for Information Systems Engineering.
To this, another researcher added that these inconsistencies damage the real purpose of the meters. They can easily confuse the user about which passwords are strong and which are not.
“These weaknesses and inconsistencies may confuse users in choosing a stronger password and thus may weaken the purpose of these meters. But on the other hand, our findings may help design better meters and possibly make them an effective tool in the long run,” adds Ph.D. student de Carnavalet.Tags: Password, research, security, Technology