
Don't place too much trust in password strength meters - they might be wrong


8 replies to this topic

#1 Sintharius

Sintharius

    Bleepin' Sniper


  • Members
  • 5,639 posts
  • OFFLINE
  • Gender:Female
  • Location:The Netherlands
  • Local time:12:26 AM

Posted 26 March 2015 - 12:47 PM

Does your password pass muster? Not all strength metres are created equal, a Concordia study shows

New research from Concordia exposes the weakness of password strength metres and shows consumers should remain skeptical when the bar turns green.

For the study, forthcoming in the journal ACM Transactions on Information and System Security (TISSEC), researchers Mohammad Mannan and Xavier de Carné de Carnavalet sent millions of not-so-good passwords through metres used by several high-traffic web service providers including Google, Yahoo!, Dropbox, Twitter and Skype. They also tested some of the metres found in password managers, allegedly designed with the relevant expertise.

"We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another," says Mannan, who is an assistant professor with Concordia's Institute for Information Systems Engineering.


#2 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:06:26 PM

Posted 26 March 2015 - 12:51 PM

I'm using passwords between 20-25 characters randomly generated by LastPass. Is that secure enough? :P On the topic, I noticed that a while ago but I've never been bothered by it I guess. It's just giving the users a "false" feeling of security when it comes to their password.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#3 Animal

Animal

    Bleepin' Animinion


  • Site Admin
  • 34,286 posts
  • OFFLINE
  • Gender:Male
  • Location:Where You Least Expect Me To Be
  • Local time:03:26 PM

Posted 26 March 2015 - 01:16 PM

This is not surprising to me. After all, these 'meters/testers' are coded by humans. Humans are fallible and have differing opinions. What is secure/safe to one person is completely insecure and/or unsafe to another. So why would measurement code be any different, when there is no well-known and accepted industry standard of what constitutes a strong, medium, so-so, or weak password? Everyone will code these meters/testers to their own set of standards. And we will continue to perpetuate this cycle of not all security being created equal.

The Internet is so big, so powerful and pointless that for some people it is a complete substitute for life.
Andrew Brown (1938-1994)


A learning experience is one of those things that say, "You know that thing you just did? Don't do that." Douglas Adams (1952-2001)


"Imagination is more important than knowledge. Knowledge is limited. Imagination circles the world." Albert Einstein (1879-1955)



#4 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:06:26 PM

Posted 26 March 2015 - 01:18 PM

I guess it's like Antivirus testing. There's no "set" standard of security for these password meters/testers, so as long as there is none, each of them will have its own interpretation of a password and its strength. There are certain aspects of Computing that need more standardization, and this is one of them.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#5 rp88

rp88

  • Members
  • 2,895 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:26 PM

Posted 26 March 2015 - 01:24 PM

There are four rules really for a strong password these days:

1. Make it long, this makes it hard for brute force attacks to break.
2. Make sure it isn't a dictionary word, this makes it hard for humans to guess or dictionary attacks to break.
3. Include a few characters which are not letters, a few numbers or a random punctuation mark.
4. Don't reuse it on other sites or other password protected things.

Edited by rp88, 26 March 2015 - 01:24 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
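The inconsistency the Concordia study describes in post #1 and the four rules rp88 lists above can both be shown with a small Python example. It is added here and is not code from the forum thread, the study, or any real site's meter: it puts a constructed character-class meter (one point per character class, the pattern many sites use) next to a meter that applies rp88's rules 1 to 3 (length, dictionary word after undoing common substitutions, non-letter characters) and shows the two verdicts diverging on the same input. The word list, the leet-substitution table, the score thresholds and the sample passwords are all constructed for the demo; rule 4 (no reuse) cannot be judged from a single password and is not scored.

```python
import re

# Constructed toy word list; a real checker uses a large leaked-password corpus.
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "qwerty", "123456"}

# Constructed substitution table: undo "@"->a, "$"->s, "!"->i, "0"->o, "1"->l, "3"->e, "4"->a
LEET = str.maketrans("@$!0134", "asiolea")


def naive_meter(pw: str) -> str:
    """Character-class meter of the kind many sites use: one point per
    class present plus one for length >= 8, mapped to weak/medium/strong."""
    score = 0
    if re.search(r"[a-z]", pw):
        score += 1
    if re.search(r"[A-Z]", pw):
        score += 1
    if re.search(r"[0-9]", pw):
        score += 1
    if re.search(r"[^A-Za-z0-9]", pw):
        score += 1
    if len(pw) >= 8:
        score += 1
    return "weak" if score <= 2 else "medium" if score == 3 else "strong"


def normalize(pw: str) -> str:
    """Reduce a password to the word a dictionary attack would try:
    lower-case, strip leading/trailing digits and symbols, undo leet."""
    core = pw.lower()
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", core)
    return core.translate(LEET)


def rule_problems(pw: str) -> list:
    """Which of rp88's rules 1-3 the password fails (rule 4 needs context)."""
    problems = []
    if len(pw) < 12:                                   # rule 1: make it long
        problems.append("too short")
    if pw.lower() in COMMON_WORDS or normalize(pw) in COMMON_WORDS:
        problems.append("dictionary word")             # rule 2: not a dictionary word
    if not re.search(r"[^A-Za-z]", pw):                # rule 3: some non-letters
        problems.append("letters only")
    return problems


def rule_based_meter(pw: str) -> str:
    """A dictionary word is weak no matter how it is decorated; very short is weak;
    other single failures are medium; passing all three rules is strong."""
    problems = rule_problems(pw)
    if "dictionary word" in problems or len(pw) < 8:
        return "weak"
    return "medium" if problems else "strong"


def compare(pw: str) -> tuple:
    """Return (naive verdict, rule-based verdict) for one password."""
    return naive_meter(pw), rule_based_meter(pw)


def meters_disagree(pw: str) -> bool:
    naive, ruled = compare(pw)
    return naive != ruled


if __name__ == "__main__":
    # Constructed sample passwords, not from any real dataset.
    for pw in ["Password1!", "correct horse battery staple", "zebra", "xq7!Lm29#pRd"]:
        naive, ruled = compare(pw)
        flag = "  <-- meters disagree" if naive != ruled else ""
        print(f"{pw!r:32} class-meter={naive:7} rule-meter={ruled:7}{flag}")
```

Run it and "Password1!" comes back strong from the class meter (all four classes, length 10) but weak from the rule meter, because stripping the trailing "1!" leaves a dictionary word; "correct horse battery staple" is the reverse case, medium on the class meter (only lower-case plus spaces) and strong on the rule meter (long, not a word, contains non-letters). That is the study's point in miniature: the bar colour reflects the meter's scoring model, not a property of the password.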

#6 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:06:26 PM

Posted 26 March 2015 - 01:28 PM

There are four rules really for a strong password these days:

1. Make it long, this makes it hard for brute force attacks to break.
2. Make sure it isn't a dictionary word, this makes it hard for humans to guess or dictionary attacks to break.
3. Include a few characters which are not letters, a few numbers or a random punctuation mark.
4. Don't reuse it on other sites or other password protected things.


5. Don't only rely on a password to secure an account, use a second way of securing it (like 2FA) if available.

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.


#7 rp88

rp88

  • Members
  • 2,895 posts
  • OFFLINE
  • Gender:Not Telling
  • Local time:11:26 PM

Posted 26 March 2015 - 01:54 PM

"5. Don't only rely on a password to secure an account, use a second way of securing it (like 2FA) if available. "


Not advice for the making of a strong password, but very, very true as advice for security in general. I would agree; I wouldn't feel comfortable having only a password protecting my email account, 2 step verification is very important.

Edited by rp88, 26 March 2015 - 01:55 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems: 2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB

#8 livingincebu

livingincebu

  • Members
  • 9 posts
  • OFFLINE
  • Gender:Male
  • Location:Cambodia
  • Local time:06:26 AM

Posted 26 March 2015 - 02:46 PM

I use Norton Identity Safe with my Norton Internet Security. On the Identity Safe site, they have a password generator. I usually generate passwords of 20 characters, or more, including symbols where I can. Never had a problem.


Edited by livingincebu, 26 March 2015 - 02:46 PM.


#9 Aura

Aura

    Bleepin' Special Ops


  • Malware Response Team
  • 19,198 posts
  • OFFLINE
  • Gender:Male
  • Location:Quebec, Canada
  • Local time:06:26 PM

Posted 27 March 2015 - 12:32 PM

@rp88: It's more to say that it doesn't matter how "strong" a password is, as soon as it gets into someone else's hands, your account will be vulnerable, while having a second way of protecting it, like 2FA, can prevent that. It's more to say that even a strong password has its limit and one shouldn't only rely on it :)

Security Administrator | Sysnative Windows Update Senior Analyst | Malware Hunter | @SecurityAura
My timezone UTC-05:00 (East. Coast). If I didn't reply to you within 48 hours, please send me a PM.
