Many popular online services have started to deploy password strength meters, visual gauges that are often color-coded and indicate whether the password you’ve chosen is weak or strong based on the website’s policy. The effectiveness of these meters in influencing users to choose stronger passwords had not been measured until recently.
A paper released this week by researchers at the University of California, Berkeley, the University of British Columbia and Microsoft details the results of a couple of experiments examining how these meters influence computer users when they’re creating passwords for sensitive accounts and for unimportant accounts.
The long and the short of it: It depends.
Users, despite a barrage of news about stolen credentials, identity theft and data breaches, will re-use passwords over and over, especially at account creation, regardless of the presence of a meter. If the context changes, however, and users are asked to change existing passwords on sensitive accounts, the presence of a meter does make some difference.
“I didn’t expect them to have any effect,” said Serge Egelman, a UC Berkeley researcher, in an interview with Threatpost. Egelman, along with University of British Columbia colleagues Andreas Sotirakopoulos, Ildar Muslukhov, and Konstantin Beznosov, and Cormac Herley of Microsoft, began their experiment as a means of testing a new type of meter they developed that measures password strength relative to other users. What they learned instead is that peer pressure isn’t as effective as the context in which the meter is shown.
The experiment was two-fold, first in a lab and then in the field. In both instances, none of the participants knew they were taking part in a password study. There was also a control condition for both studies where a meter was not presented. For sensitive accounts where users see a meter, Egelman said, the users deployed strong passwords. In the field experiment conducted against “unimportant accounts,” the meter made no difference and most of the time users re-used old passwords.
“We conclude that meters result in stronger passwords when users are forced to change existing passwords on important accounts and that individual meter design decisions likely have a marginal impact,” the team wrote.
Password re-use has some obvious risks, the worst being that if a hacker compromises one password on an unimportant account, for example, they could use that password on more sensitive accounts protected by the same secret code.
“We don’t have anything better [than passwords],” Egelman said. “That’s what it comes down to. All of the problems we generally see with passwords are as a result of poor policies and stem from the frequencies we see of databases getting disclosed. If more work was done to secure stored encrypted passwords, less effort would need to be done on the users’ end.”
With 75 percent of the Alexa top 20 websites using some sort of meter, Egelman said, there is an expectation that users will choose stronger passwords if a meter is present. The team’s experiments demonstrated noticeable changes in password strength with the presence of a meter if the user was prompted to change their password, for example because of a policy mandate that demands passwords be changed periodically. The test results show that the presence of either a weak-to-strong meter or a meter comparing passwords against those of other users did nudge users toward stronger passwords, while those without a meter continued to re-use old or weak passwords. Users also chose longer passwords and used more symbols and lower-case letters.
The 47 participants were users affiliated with the University of British Columbia who used the school’s single sign-on system for access to student accounts and a campus portal. They were not informed they were taking part in a password study; instead, they were told they were testing the usability of the portal. Once they logged in, a notice popped up saying that their passwords had expired per policy and that they were required to change them.
The field experiment, meanwhile, was conducted against less important accounts with 541 participants, many of whom re-used weak, existing passwords. In an exit survey, only 13 percent remembered seeing strength meters and others said the meters would have labeled their passwords as weak.
“We found that reused passwords were not observably weaker than the passwords of those who claimed not to have reused passwords. Thus, the extent to which password reuse impacts strength remains unclear,” the team wrote in its paper. “We believe that effects stemming from participants’ perceptions about the unimportance of the website outweighed any effects relating to the meters or their choice to reuse existing passwords; when passwords were reused, weaker existing passwords were employed.”
The team concluded that meters shown at site registration, for example, are not as effective as meters shown outside of registration, and that participants are likely to choose weak, easy-to-remember passwords they’ve used before if not prompted to check their strength.
“We’re not going away from passwords any time soon. I would like to see more focus on acceptable password policies in terms of balancing the burdens on users with site security requirements,” Egelman said. “A lot of the burden is placed on users, and that results in forgetting passwords and those add up as costs for organizations in terms of resets and support calls. If sites did things differently in terms of how passwords were protected on the backend, a lot of password requirements could be loosened.”