New research validates use of password strength meters


Have you ever encountered a password strength meter when setting a password? If you've wondered whether they work, first-of-its-kind research offers tantalizing proof that password meters do indeed offer more than just a "feel good" level of security, assuming they are set up correctly.

The study was conducted by researchers from the University of California at Berkeley, the University of British Columbia in Vancouver and Microsoft Research, and detailed in a report (pdf) titled, "Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection."

There were a couple of caveats, though, as pointed out by Ars Technica. For one, password meters offered scant benefits for users setting up an account for the first time and provided no improvement for accounts that users consider to be unimportant. When it comes to high-value accounts, though, "the meters actually do have an observable effect on behavior in that people do choose stronger passwords," Serge Egelman told Ars Technica. Egelman is a research scientist at UC Berkeley and the lead author of the paper.

Ironically though, this is the context in which they are least used, since password meters are not frequently used when changing passwords. Moreover, operating systems such as Microsoft (NASDAQ: MSFT) Windows and Mac OS X don't use them either.

This study is important not just to operating system vendors, but also to system developers rolling out intranet services or CMS systems. Even for prebuilt portals, enterprises may want to specify the inclusion of password meters in order to bolster the security of employee accounts.
