Just browsing the internet, I saw a password strength indicator on a sign up, and I realized that I personally didn't care. Does anyone know if, on average, password strength indicators increase the strength of the password entered?
EDIT
This question has to do with the psychological effect of the password-strength indicator. Obviously the algorithm for determining password strength must be accurate, and obviously the password strength will increase if the software forces the password to be a certain strength.
Answer
Researchers from Carnegie Mellon University recently (2012) looked at password strength meters and their impact on password creation. The paper "How does your password measure up? The effect of strength meters on password creation" has all the details, but the abstract summarises their findings nicely (emphasis is mine):
We present a 2,931-subject study of password creation in the presence of 14 password meters. We found that meters with a variety of visual appearances led users to create longer passwords. However, significant increases in resistance to a password-cracking algorithm were only achieved using meters that scored passwords stringently. These stringent meters also led participants to include more digits, symbols, and uppercase letters.
Password meters also affected the act of password creation. Participants who saw stringent meters spent longer creating their password and were more likely to change their password while entering it, yet they were also more likely to find the password meter annoying. However, the most stringent meter and those without visual bars caused participants to place less importance on satisfying the meter. Participants who saw more lenient meters tried to fill the meter and were averse to choosing passwords a meter deemed "bad" or "poor."
Emphasis was added to point out the differentiation between password length and password strength.