‘Inconsistent and misleading’ password meters could increase risk of cyber attacks

Take a look at these password guidelines, then see if your own passwords measure up. One additional check is to run a cracker (John, hashcat…) against them with a decent-sized dictionary, but for most that’s overkill. Even better, use multi-factor authentication. The message here is “Don’t rely on password meters”…:

[…] A study by the University of Plymouth assessed the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.

The main focus was dedicated password meter websites, but the study also sought to assess those embedded in some common online services (including Dropbox and Reddit) and those found as standard on some of our devices.

Published in Computer Fraud and Security, the research says there is a clear level of variation in the advice offered across the different websites.

And while some meters do effectively steer users towards more secure account passwords, some will not pick them up when they try to use ‘abc123’, ‘qwertyuiop’ and ‘iloveyou’ – all listed this week among the worst passwords of 2019.

The study was conducted by Steve Furnell, Professor of Information Security and Leader of the University’s Centre for Security, Communications & Network Research.

He has previously suggested that global IT giants including Amazon and LinkedIn could be doing far more to raise awareness of the need for better password practices.


Original article here
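The inconsistency the study describes is easy to reproduce. Below is an added illustration, not code from the study or from any of the sites it assessed: a constructed character-class meter of the kind many pages embed, placed beside a meter that first checks a blocklist and keyboard-walk patterns before estimating entropy. The blocklist is a small constructed sample (the page names ‘abc123’, ‘qwertyuiop’ and ‘iloveyou’; the other entries are illustrative), the scoring thresholds are my own, and nothing here should be read as the algorithm of Dropbox, Reddit or any other named service.

```python
"""Two password meters side by side, to show how a class-counting meter can
rate a notoriously weak password as 'strong' while a blocklist- and
pattern-aware meter rejects it.  Added example; constructed thresholds."""

import math
import re

# Constructed sample of commonly leaked passwords.  A real deployment would use
# a large breach corpus (hundreds of thousands of entries), not ten strings.
COMMON_PASSWORDS = {
    "123456", "password", "abc123", "qwertyuiop", "iloveyou",
    "qwerty", "letmein", "welcome", "admin", "111111",
}

# Keyboard rows, used to spot walks such as 'qwertyuiop' or 'asdfgh'.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def naive_score(pw: str) -> str:
    """Constructed stand-in for a class-counting meter: one point per character
    class, plus length bonuses.  It never consults a blocklist."""
    classes = sum([
        bool(re.search(r"[a-z]", pw)),
        bool(re.search(r"[A-Z]", pw)),
        bool(re.search(r"\d", pw)),
        bool(re.search(r"[^A-Za-z0-9]", pw)),
    ])
    points = classes + (2 if len(pw) >= 8 else 0) + (1 if len(pw) >= 10 else 0)
    return "weak" if points <= 2 else "medium" if points == 3 else "strong"


def is_keyboard_walk(pw: str, min_len: int = 5) -> bool:
    """True if pw contains min_len+ adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - min_len + 1):
            seg = row[i:i + min_len]
            if seg in low or seg[::-1] in low:
                return True
    return False


def aware_score(pw: str) -> str:
    """Blocklist- and pattern-aware meter: known passwords, keyboard walks and
    single repeated characters are 'weak' regardless of length or character
    mix; everything else gets a guessing-space estimate in bits."""
    if pw.lower() in COMMON_PASSWORDS:
        return "weak"
    if is_keyboard_walk(pw):
        return "weak"
    if re.fullmatch(r"(.)\1*", pw):
        return "weak"
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"\d", pw):
        pool += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        pool += 33  # printable ASCII punctuation and space, approximated
    bits = len(pw) * math.log2(pool) if pool else 0.0
    return "weak" if bits < 40 else "medium" if bits < 60 else "strong"


def disagreements(passwords):
    """Passwords on which the two meters disagree: the study's 'inconsistent
    and misleading' point in miniature."""
    return [pw for pw in passwords if naive_score(pw) != aware_score(pw)]


if __name__ == "__main__":
    samples = ["qwertyuiop", "abc123", "iloveyou", "Qwertyuiop1",
               "aaaaaaaaaaaa", "Tr0ub4dor&3", "correct horse battery staple"]
    print(f"{'password':30} {'naive':8} {'aware':8}")
    for pw in samples:
        print(f"{pw:30} {naive_score(pw):8} {aware_score(pw):8}")
    print("disagree on:", disagreements(samples))
```

Run it and the class-counting meter calls ‘qwertyuiop’ and ‘Qwertyuiop1’ strong while the aware meter flags both; the two only agree on passwords that are clearly bad under any rule (‘abc123’) or clearly good (a long mixed-class string or a multi-word passphrase). The general lesson matches the article: a meter that reasons only about length and character mix has no way to know that a string is on every cracker’s first wordlist.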