News
5/20/2013 10:41 AM

How Password Strength Meters Can Improve Security

Color-coded password-strength meters nudge users to improve the strength of their important passwords, but have little effect on unimportant ones, researchers say.

Want your site's users to build better passwords? Then provide "password strength" meters to show if a proposed password carries a low (red), medium (yellow) or high (green) level of security.

According to the first-ever study of password meters' effectiveness -- delivered this month at the CHI human-computer interaction conference in Paris -- such meters aren't just window dressing or empty security theater. Meters result in stronger passwords when users are forced to change existing passwords on "important" accounts, according to the "Does My Password Go up to Eleven?" research study from researchers at the University of California at Berkeley, University of British Columbia and Microsoft Research. In addition, they found that graphical design variations between different types of meters "likely have a marginal impact" on user adoption.

The usefulness of password meters wasn't a given; no previous research had explored whether they led people to pick stronger passwords. "The original purpose of the experiment was to see whether meters based on social pressure would yield an improvement, since we didn't expect existing meters to be effective," said primary report author and University of California at Berkeley research scientist Serge Egelman via email. "We were surprised that one, meter design doesn't appear to matter much, and two, meters do work under certain circumstances."

[ Honeywords, or fake passwords, could help businesses better detect breach attempts. Read more at Sweet Password Security Strategy: Honeywords. ]

As emphasized by the report title's "This Is Spinal Tap" film reference, when it comes to passwords, more (entropy) equals more (security). That's why standard password security advice -- at least currently -- is to pick a password that has at least 12 characters, mixing letters, numbers and symbols. Whatever the rules, however, password meters provide simple and immediate visual feedback about what constitutes "strong enough."

The researchers' conclusions are based on comparing forced password resets in the presence of password meters to those without such meters. "We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were forced to change their real passwords," the researchers explained. "We observed that the presence of meters yielded significantly stronger passwords."

They also found that the meters didn't seem to cause memorability problems for users, and suggested that forgotten passwords are more closely tied to forced expiration dates, which not all cryptography experts see as always necessary.

The researchers' password-meter findings, however, come with a caveat. In a second study they conducted, users were asked to create a password for an unimportant account. "In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts," they said.

Egelman said that although password meters are effective when used for important passwords, perhaps they shouldn't be used at all for unimportant passwords. "People have a finite amount of memory, which shouldn't be wasted protecting resources that are unimportant -- e.g., low-value accounts. I think the bigger problem is that most passwords are highly susceptible to offline attacks," he said. "Whereas when users do not select popular passwords -- e.g., [in] the top 100/1,000/10,000 -- online attacks are relatively unsuccessful. This suggests that a much more efficient solution is to prevent offline attacks from occurring."
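The meter logic described above (red/yellow/green feedback, the 12-character letters-numbers-symbols rule, and an always-red verdict for passwords in a popular-password list) as an added illustration; this is not the researchers' code, and the bit thresholds and the small popular-password set are assumptions:

```python
import math
import string

# Constructed stand-in for a "top 100/1,000/10,000" popular-password list
# (assumption: a real meter would load a breach-derived list of that size).
POPULAR_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "welcome", "monkey", "abc123", "football", "password1",
}

# Character classes and the alphabet size each one contributes to the estimate.
CLASSES = (
    ("lower", set(string.ascii_lowercase), 26),
    ("upper", set(string.ascii_uppercase), 26),
    ("digit", set(string.digits), 10),
    ("symbol", set(string.punctuation), 32),
)

def classes_used(pw):
    """Names of the character classes present in pw; anything else is 'other'."""
    used = {name for name, chars, _ in CLASSES if any(c in chars for c in pw)}
    known = set().union(*(chars for _, chars, _ in CLASSES))
    if any(c not in known for c in pw):
        used.add("other")
    return used

def estimated_bits(pw):
    """Brute-force upper bound: len(pw) * log2(size of the alphabet actually used)."""
    if not pw:
        return 0.0
    used = classes_used(pw)
    alphabet = sum(n for name, _, n in CLASSES if name in used)
    if "other" in used:
        alphabet += 32  # assumption: treat space/non-ASCII as a 32-symbol class
    return len(pw) * math.log2(alphabet)

def rate(pw):
    """Map a candidate password to (colour, bits).
    Thresholds are assumptions: red below 40 bits, yellow from 40 bits, green
    needs 60+ bits plus 12+ characters mixing letters, numbers and symbols."""
    bits = estimated_bits(pw)
    if pw.lower() in POPULAR_PASSWORDS:
        return "red", bits  # popular = guessable online, whatever its length
    used = classes_used(pw)
    mixed = (bool({"lower", "upper"} & used) and "digit" in used
             and bool({"symbol", "other"} & used))
    if len(pw) >= 12 and mixed and bits >= 60:
        return "green", bits
    if bits >= 40:
        return "yellow", bits
    return "red", bits
```

Note that "password1" scores about 47 bits, which would be yellow on entropy alone, but the popularity check turns it red, matching Egelman's point that popular choices are what online guessing exploits.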

Using proper network security controls and strong cryptography to store passwords so that attackers can't retrieve them and crack them offline, however, has nothing to do with password-strength meters. "This responsibility lies solely with the websites who store the passwords, not the users," Egelman said.

