
A Large-Scale Evaluation of High-Impact Password Strength Meters


de Carné de Carnavalet, Xavier (2014) A Large-Scale Evaluation of High-Impact Password Strength Meters. Masters thesis, Concordia University.

Full text: Carnavalet_MASc_S2014.pdf (application/pdf), Accepted Version, available under License Spectrum Terms of Access.


Passwords are ubiquitous in our daily digital life. They protect various types of assets, ranging from a simple account on an online newspaper website to our health information on government websites. However, because of the inherent value they protect, malicious people have developed insights into cracking them. Users are pushed to choose stronger passwords to comply with password policies, which they may not like much. Another solution is to put in place proactive password-strength meters/checkers that give feedback to users while they create new passwords. Millions of users are now exposed to these meters at highly popular web services that use user-chosen passwords for authentication, or more recently in password managers.
Recent studies have found evidence that some meters actually guide users to choose better passwords, which is a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. At least, as we found, most vendors do not provide any explanation of their design choices, sometimes making the meters appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated open-source meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries.
From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions, and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as strong or even excellent. These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters, and possibly make them an effective tool in the long run.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: de Carné de Carnavalet, Xavier
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 7 April 2014
Thesis Supervisor(s): Mannan, Mohammad
ID Code: 978410
Deposited On: 19 Jun 2014 20:05
Last Modified: 18 Jan 2018 17:46
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
