Weak, Easy-to-Remember Passwords a Familiar Crutch for Users

Password strength meters are effective in nudging users to come up with strong passwords for important accounts, but for new account registrations, or for unimportant accounts, users rely on old and often weak passwords.

Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you’ve chosen is weak or strong based on the website’s policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently.

A paper released this week by researchers at the University of California, Berkeley, the University of British Columbia and Microsoft provides details on the results of a pair of experiments examining how these meters influence computer users when they’re creating passwords for sensitive accounts and for unimportant accounts.

The long and the short of it: It depends.

Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.

“I didn’t expect them to have any effect,” said Serge Egelman, a UC Berkeley researcher, in an interview with Threatpost. Egelman, along with University of British Columbia colleagues Andreas Sotirakopoulos, Ildar Muslukhov, and Konstantin Beznosov, and Cormac Herley of Microsoft, began their experiment as a means of testing a new type of meter they developed that measures password strength relative to other users. What they learned instead is that peer pressure isn’t as effective as the context in which the meter is shown.

The experiment was two-fold, first in a lab and then in the field. In both instances, none of the participants knew they were taking part in a password study. There was also a control condition for both studies where a meter was not presented. For sensitive accounts where users see a meter, Egelman said, the users deployed strong passwords. In the field experiment conducted against “unimportant accounts,” the meter made no difference and most of the time users re-used old passwords.

“We conclude that meters result in stronger passwords when users are forced to change existing passwords on important accounts and that individual meter design decisions likely have a marginal impact,” the team wrote.

Password re-use has some obvious risks, the worst being that if a hacker compromises one password on an unimportant account, for example, they could use that password on more sensitive accounts protected by the same secret code.

“We don’t have anything better [than passwords],” Egelman said. “That’s what it comes down to. All of the problems we generally see with passwords are a result of poor policies and stem from the frequency with which we see databases getting disclosed. If more work was done to secure stored encrypted passwords, less effort would need to be done on the users’ end.”

With 75 percent of the Alexa top 20 websites using some sort of meter, Egelman said, there is an expectation that users will choose stronger passwords if a meter is present. The team’s experiments demonstrated noticeable changes in password strength with the presence of a meter if the user was prompted to change their password, for example because of a policy mandate that demands passwords be changed periodically. The test results show that the presence of either a weak-to-strong meter, or a meter comparing passwords against those of other users, did nudge them toward stronger passwords, while those without a meter continued to re-use old or weak passwords. Users also chose longer passwords and used more symbols and lower-case letters.

The 47 participants were users affiliated with the University of British Columbia who used the school’s single sign-on system for access to student accounts and a campus portal. They were not informed they were taking part in a password study, and were instead told they were testing the usability of the portal. Once they logged in, a notice popped up that their passwords had expired per policy and they were required to change them.

The field experiment, meanwhile, was conducted against less important accounts for 541 participants, many of whom re-used weak, existing passwords. In an exit survey, only 13 percent remembered seeing strength meters and others said the meters would have labeled their passwords as weak.

“We found that reused passwords were not observably weaker than the passwords of those who claimed not to have reused passwords. Thus, the extent to which password reuse impacts strength remains unclear,” the team wrote in its paper. “We believe that effects stemming from participants’ perceptions about the unimportance of the website outweighed any effects relating to the meters or their choice to reuse existing passwords; when passwords were reused, weaker existing passwords were employed.”

The team concluded that meters shown at site registration, for example, are not as effective as meters shown outside of a registration flow, and that participants are likely to choose weak, easy-to-remember passwords they’ve used before if not prompted to check their strength.

“We’re not going away from passwords any time soon. I would like to see more focus on acceptable password policies in terms of balancing the burdens on users with site security requirements,” Egelman said. “A lot of the burden is placed on users, and that results in forgetting passwords and those add up as costs for organizations in terms of resets and support calls. If sites did things differently in terms of how passwords were protected on the backend, a lot of password requirements could be loosened.”

  • Paul on

    Doesn't really matter what strength your password is if the system you input it into gets compromised, and these days, unless you're not carrying a full deck, that's a much more likely way of having an account accessed by third parties.
  • Richard Battin on

    Many sites have limitations on password complexity (max characters, no non-alpha characters, etc.) that limit the implementation of strong password protection.
  • jonesy on

    For twenty years and more, computers for household use have been sold with all the brashness and nonchalance of appliances, giving us infestations and botnets. When brain-dead password policies were used, Mom and Pop and Uncle Ed tended to do whatever was easiest for them - use something simple and easily remembered, or write it down and lose the piece of paper. Had the companies involved acted responsibly from the start, we would have likely avoided many of the problems we have today, or they might have been at least attenuated. One of the things that helps me is using a password manager, which will present me with choices and remember "correct" passwords for me. This presumes I'll remember my passphrase, of course - and that does get written down, in several non-obvious places.
  • Mark Cross on

    Well, the problem at the heart of passwords is remembering them, and Rublon.com nearly has the solution. (I have no connection with this company.) As far as I am concerned, their current release has a small UI issue, BUT it allows you to point your phone at a 2D barcode and your passwords are stored in the phone, thus allowing you to easily have a collection of hard passwords. You can then double protect your phone with a swipe login and a PIN for their app. This is the best I have seen for the problem. I would say watch 'em. Yes, it's subject to some neat man-in-the-middle attack - but so is everything.
  • Jonathan on

    The other problem with passwords is we have been conditioned to use passwords that are hard for humans to remember but easy to guess. Tr0ub4dor&3: it has capital and lowercase characters, it has numbers, and it contains a symbol. Everything that a 'strong' password should have. Time it would take to crack at 1000 passwords/sec: 3 days. "correct horse battery staple": 4 random words, lowercase only, with spaces. Time it would take to crack at 1000 passwords/sec: 550 years. And if you capitalize a few letters in it, the decryption time increases eight fold. However, as Paul stated, if the database holding your password is compromised, your password could be 123 and it wouldn't matter.
    • Bad Santa on

      Johnny, Johnny, Johnny... Your 'statement' might sound somewhere in the range of 'educated' to some folks who suffer from a serious IQ deficit, but the matter of fact is that today's hardware and software is able to juggle terrifying figures in excess of 2.8 BILLION!!! pwds/sec, thus reducing the time to crack your example of a 'strong' password to less than 30 sec!!! And I'm referring only to using the hardware a regular Joe can buy in any store (i.e. HP Z820 Workstation). And now, just imagine what black ops can do with an unlimited budget and underground farms of hardware (i.e. the new NSA data center in Bluffdale, Utah, which, by the way, goes online at the end of this year). And regarding the decryption, would we be wrong in assuming you missed most of the cypher and algorithm classes, isn't that so?
  • Brooke prior on

    It is not easy to make a password
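
An added example, not code from the article, the paper or any commenter, tying together the article's description of policy-based meters and the crack-time figures traded in the comments above: a naive meter that scores a password by character classes and length, beside the guess-space that a quoted crack time actually implies, evaluated at the 1,000/sec and 2.8 billion/sec guess rates the commenters cite. The character-class sizes and the weak/fair/strong cut-offs are assumptions, not values from the study.

```javascript
// Added example, not from the article or the paper: a naive policy-based meter
// (character classes x length) beside the guess-space implied by a quoted crack
// time, at the 1,000/sec and 2.8 billion/sec rates from the comments. Class
// sizes and label cut-offs are assumptions.
const CLASSES = [
  { re: /[a-z]/, size: 26 },
  { re: /[A-Z]/, size: 26 },
  { re: /[0-9]/, size: 10 },
  { re: /[^a-zA-Z0-9]/, size: 33 }, // printable ASCII symbols, space included
];
// What a simple meter assumes: each position drawn uniformly from the union of
// the classes used. Substitution patterns are invisible to it, so it overrates
// "Tr0ub4dor&3" (11 chars from a 95-symbol alphabet, about 72 bits).
function naiveBits(password) {
  if (!password) return 0;
  const alphabet = CLASSES.filter(c => c.re.test(password))
    .reduce((n, c) => n + c.size, 0);
  return password.length * Math.log2(alphabet);
}
// Colour-coded label a site might show; the cut-offs are assumed policy values.
function meterLabel(bits) {
  return bits < 28 ? 'weak' : bits < 60 ? 'fair' : 'strong';
}
// Guess-space in bits implied by "cracks in S seconds at R guesses/sec".
function bitsFromCrackTime(seconds, guessesPerSec) {
  return Math.log2(seconds * guessesPerSec);
}
// Seconds to exhaust a guess-space of `bits` bits at `guessesPerSec`.
function secondsToExhaust(bits, guessesPerSec) {
  return 2 ** bits / guessesPerSec;
}
const DAY = 86400, YEAR = 365.25 * DAY;
const SLOW_RATE = 1e3, FAST_RATE = 2.8e9;
// One row per password: meter verdict, naive bits, bits implied by the quoted
// crack time, and how long that implied space lasts at each guess rate.
function compare(password, quotedSeconds) {
  const naive = naiveBits(password);
  const implied = bitsFromCrackTime(quotedSeconds, SLOW_RATE);
  return {
    password, meter: meterLabel(naive),
    naiveBits: Math.round(naive), impliedBits: Math.round(implied),
    atSlowRate: secondsToExhaust(implied, SLOW_RATE),
    atFastRate: secondsToExhaust(implied, FAST_RATE),
  };
}
console.table([compare('Tr0ub4dor&3', 3 * DAY),
               compare('correct horse battery staple', 550 * YEAR)]);
```

The meter rates both passwords "strong", while the 3-day figure quoted for Tr0ub4dor&3 corresponds to only about 2^28 guesses, a space that lasts under a second at 2.8 billion guesses per second; the gap between the two columns is the gap between what a class-counting meter measures and what a guesser exploits.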
