New research from Concordia exposes the weakness of password strength meters and shows consumers should remain skeptical when the bar turns green.
For the study, forthcoming in the journal ACM Transactions on Information and System Security (TISSEC), researchers Mohammad Mannan and Xavier de Carné de Carnavalet sent millions of not-so-good passwords through meters used by several high-traffic web service providers including Google, Yahoo!, Dropbox, Twitter and Skype. They also tested some of the meters found in password managers, allegedly designed with the relevant expertise.
"We found the outcomes to be highly inconsistent. What was strong on one site would be weak on another," says Mannan, who is an assistant professor with Concordia's Institute for Information Systems Engineering.