Inconsistent password advice could increase risk of cyber attacks

The study, led by researchers at the University of Plymouth, investigated the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.

It tested 16 passwords against the various meters, with 10 of them being ranked among the world’s most commonly used passwords (including ‘password’ and ‘123456’).

Of the 10 explicitly weak passwords, only five of them were consistently scored as such by all the password meters, while ‘Password1!’ performed far better than it should do and was even rated strongly by three of the meters.

However, the team at Plymouth said one positive finding was that a browser-generated password was consistently rated strong, meaning users can seemingly trust these features to do a good job.

“Password meters themselves are not a bad idea, but you clearly need to be using or providing the right one,” said Steve Furnell, professor of Information Security at the university.

“It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices.”

Furnell, who is also the director of the University’s Centre for Security, Communications and Network Research (CSCAN), added: “While all the attention tends to focus on the replacement of passwords, the fact is that we continue to use them with little or no attempt being made to support users in doing so properly.

“Credible password meters can have a valuable role to play but misleading meters work against the interest of security and can simply give further advantage to attackers.”

Published in Computer Fraud and Security, it comes at a time when the global cyber-security threat is continuing to rise, with accounts held by individuals and organisations constantly at risk of attack.

The main focus was dedicated password meter websites, but the study also sought to assess those embedded in some common online services (including Dropbox and Reddit) and those found as standard on some of our devices.

During the study, the researchers also found that there is a clear level of variation in the advice offered across different websites.

While some meters do effectively steer users towards more secure account passwords, some will not pick them up when they try to use ‘abc123’, ‘qwertyuiop’ and ‘iloveyou’ – all listed this week among the worst passwords of 2019.

Commenting on the latest research, Furnell gave advice to users during this festive season.

He said: “Over the festive period, hundreds of millions of people will receive technology presents or use their devices to purchase them. The very least they should expect is that their data will be secure and, in the absence of a replacement for passwords, providing them with consistent and informed guidance is key in the quest for better security.

“What this study shows is that some of the available meters will flag an attempted password as being a potential risk whereas others will deem it acceptable,” he added. “Security awareness and education is hard enough without wasting the opportunity by offering misleading information that leaves users misguided and with a false sense of security.”

The research was conducted by the University Centre for Security, Communications and Network Research (CSCAN), in conjunction with the Desautels Faculty of Management at McGill University (Montreal, Canada) and the Department of Computer Sciences at Purdue University (Indiana, US).

In February this year, Google announced the release of its Password Checkup extension for its Chrome web browser, designed to monitor current data breaches and to alert its users if their account passwords have been compromised.