According to the first-ever study of password meters' effectiveness -- delivered this month at the CHI human-computer interaction conference in Paris -- such meters aren't just window dressing or empty security theater. Meters result in stronger passwords when users are forced to change existing passwords on "important" accounts, according to the "Does My Password Go up to Eleven?" research study from researchers at the University of California at Berkeley, University of British Columbia and Microsoft Research. In addition, they found that graphical design variations between different types of meters "likely have a marginal impact" on user adoption.
The usefulness of password meters wasn't a given; no previous research had explored whether they led people to pick stronger passwords. "The original purpose of the experiment was to see whether meters based on social pressure would yield an improvement, since we didn't expect existing meters to be effective," said primary report author and University of California at Berkeley research scientist Serge Egelman via email. "We were surprised that one, meter design doesn't appear to matter much, and two, meters do work under certain circumstances."
As emphasized by the report title's "This Is Spinal Tap" film reference, when it comes to passwords, more (entropy) equals more (security). That's why standard password security advice -- at least currently -- is to pick a password that has at least 12 characters, mixing letters, numbers and symbols. Whatever the rules, however, password meters provide simple and immediate visual feedback about what constitutes "strong enough."
The researchers' conclusions are based on comparing forced password resets in the presence of password meters to those without such meters. "We performed a laboratory experiment to examine whether these meters influenced users' password selections when they were forced to change their real passwords," the researchers explained. "We observed that the presence of meters yielded significantly stronger passwords."
They also found that the meters didn't appear to cause memorability problems for users, and suggested that forgotten passwords had more to do with forced expiration policies, a practice that not all security experts consider necessary.
The researchers' password-meter findings, however, come with a caveat. In a second study they conducted, users were asked to create a password for an unimportant account. "In this scenario, we found that the meters made no observable difference: participants simply reused weak passwords that they used to protect similar low-risk accounts," they said.
Egelman said that although password meters are effective when used for important passwords, perhaps they shouldn't be used at all for unimportant passwords. "People have a finite amount of memory, which shouldn't be wasted protecting resources that are unimportant -- e.g., low-value accounts. I think the bigger problem is that most passwords are highly susceptible to offline attacks," he said. "Whereas when users do not select popular passwords -- e.g., [in] the top 100/1,000/10,000 -- online attacks are relatively unsuccessful. This suggests that a much more efficient solution is to prevent offline attacks from occurring."
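The two ideas above, a meter that gives immediate feedback on brute-force entropy and a check that refuses the popular passwords online guessing relies on, fit together in a single client-side routine. The following is an added example written for this article, not code from the study or from any of the institutions named; the popular-password list is a constructed stand-in for a real top-N list, the score thresholds are assumed cut-offs, and the character-class entropy formula is the naive one (it overrates patterned passwords such as Tr0ub4dor&3, which is why the popular-list check runs first):

```python
import math
import string

# Constructed stand-in for a "top N" popular-password list (hypothetical data);
# a real deployment would load a breach-derived list of the top 10,000 or more.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "abc123", "111111",
    "letmein", "monkey", "dragon", "iloveyou", "password1", "abcdefgh",
})

# Character classes and the alphabet size each contributes when present.
CHAR_CLASSES = {
    "lower": frozenset(string.ascii_lowercase),
    "upper": frozenset(string.ascii_uppercase),
    "digit": frozenset(string.digits),
    "symbol": frozenset(string.punctuation),
}

# Score cut-offs in bits (assumed values chosen for this example).
THRESHOLDS = ((28, 1, "weak"), (36, 2, "fair"), (60, 3, "good"))


def classes_present(password):
    """Names of the character classes that occur in the password."""
    return {name for name, chars in CHAR_CLASSES.items()
            if any(c in chars for c in password)}


def pool_size(password):
    """Alphabet an attacker must search, from the classes actually used.
    Characters outside the four classes (space, non-ASCII) each add one."""
    size = sum(len(CHAR_CLASSES[name]) for name in classes_present(password))
    others = {c for c in password
              if not any(c in chars for chars in CHAR_CLASSES.values())}
    return size + len(others)


def entropy_bits(password):
    """Naive brute-force entropy: length * log2(pool).  This overestimates
    human-chosen passwords built from words or patterns."""
    if not password:
        return 0.0
    return len(password) * math.log2(pool_size(password))


def meets_advice(password):
    """The 'at least 12 characters mixing letters, numbers and symbols' rule."""
    present = classes_present(password)
    return (len(password) >= 12
            and bool(present & {"lower", "upper"})
            and "digit" in present
            and "symbol" in present)


def rate(password):
    """Meter verdict: score 0-4, estimated bits, and a one-line user message.
    The popular-password check comes first because a password on that list
    falls to online guessing no matter how many bits the formula assigns."""
    if not password or password.lower() in COMMON_PASSWORDS:
        return {"score": 0, "bits": 0.0, "label": "rejected",
                "message": "This password is on a list of commonly used passwords."}
    bits = entropy_bits(password)
    for limit, score, label in THRESHOLDS:
        if bits < limit:
            return {"score": score, "bits": bits, "label": label,
                    "message": f"About {bits:.0f} bits; add length or character classes."}
    return {"score": 4, "bits": bits, "label": "strong",
            "message": f"About {bits:.0f} bits."}


if __name__ == "__main__":
    for pw in ("password", "aB3!", "Tr0ub4dor&3", "correct horse battery staple"):
        v = rate(pw)
        print(f"{pw!r:32} score={v['score']} {v['label']:8} {v['message']}")
```

Twelve characters drawn from all four classes score about 79 bits under this formula; the meter's job is only to render that number as a bar the user can react to before submitting, which is the feedback loop the study credits for stronger choices on important accounts.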
Preventing offline attacks, however, is a matter of server-side controls rather than password-strength meters: keeping attackers away from the credential store in the first place, and storing only salted hashes computed with a deliberately slow password-hashing function, so that a stolen database cannot simply be "decrypted" and is expensive to crack guess by guess. "This responsibility lies solely with the websites who store the passwords, not the users," Egelman said.
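What that server-side responsibility looks like in code, as an added example for this article rather than anything from the study or the sites it discusses: salted scrypt records with a constant-time verifier, beside the unsalted fast hash an offline attacker hopes to find. The scrypt work factors, the record format, the user names and the three-word "wordlist" are all constructed for the example; `hashlib.scrypt` is the Python standard library call (Python 3.6 or later with OpenSSL 1.1 or later).

```python
import base64
import hashlib
import hmac
import os

# scrypt work parameters (assumed for this example; tune to your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, salt=None):
    """Return a self-describing record: scrypt$N$r$p$salt$hash.
    A fresh random salt per record means equal passwords give different
    records, so one precomputed table cannot be reused across users."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${_b64(salt)}${_b64(digest)}"


def verify_password(password, stored):
    """Recompute with the stored parameters and salt; compare in constant time.
    Any malformed record verifies as False rather than raising."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:          # bad split, bad base64, bad parameters
        return False
    return hmac.compare_digest(actual, expected)


# --- The weak alternative, for contrast: an unsalted fast hash --------------

def weak_hash(password):
    """Unsalted SHA-256: cheap, and identical for every user with that password."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_weak_hashes(stolen_hashes, candidates):
    """Offline attack on unsalted hashes: hash each guess once, then look every
    stolen value up in that table.  Returns {stolen_hash: recovered_password}."""
    table = {weak_hash(c): c for c in candidates}
    return {h: table[h] for h in stolen_hashes if h in table}


def crack_scrypt_records(records, candidates):
    """The same guesses against salted scrypt records: each record needs its own
    full scrypt run per guess, so cost grows as users x guesses x work factor.
    A password on the guess list still falls, which is why the meter must reject
    popular passwords in the first place."""
    return {rec: c for rec in records for c in candidates if verify_password(c, rec)}


if __name__ == "__main__":
    # Constructed sample: two users, one of whom chose a popular password.
    users = {"alice": "correct horse battery staple", "bob": "password"}
    guesses = ["123456", "password", "qwerty"]        # tiny stand-in wordlist

    weak_db = {u: weak_hash(pw) for u, pw in users.items()}
    hits = crack_weak_hashes(weak_db.values(), guesses)
    print("unsalted SHA-256 cracked:", [u for u, h in weak_db.items() if h in hits])

    strong_db = {u: hash_password(pw) for u, pw in users.items()}
    hits = crack_scrypt_records(strong_db.values(), guesses)
    print("salted scrypt cracked:   ", [u for u, r in strong_db.items() if r in hits])
```

Both databases give up bob, because "password" is on the guess list; the difference is that each scrypt guess costs about 16 MiB of memory and tens of milliseconds rather than a microsecond, and nothing learned about bob's record helps against alice's. That is the division of labour the article describes: the site makes offline attacks slow, and the meter keeps users off the short list that makes online attacks fast.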