Password strength meters work, but only when users are choosing or changing passwords for “important” accounts, a group of researchers has found. They also confirmed that users are no more likely to forget a “strong” password than a “weak” one.
By using two different types of meters and comparing their results against those of a control group that saw no meter at all, they found that the type of meter does not matter – whether it relies on peer pressure or on the user’s existing motivation to pick a password that would be considered “strong”, whether it is vertical or horizontal, or whether it uses words, graphics or both – so long as one is used.
The testing was performed both in a laboratory and in the field, and the participants were unaware that passwords were the subject of the experiment so that their behaviour would not be influenced – the researchers simply added an account creation page to a website being used for another, unrelated study.
“One of our findings is that password meters do not yield much improvement in helping users choose passwords for unimportant accounts, yet they are very commonly deployed in such contexts. Equally, where meters make a difference – password changes for important accounts – they are less often seen. Thus, practice at real sites appears to be very far from what our results dictate. This indicates a real opportunity for improvement,” the researchers pointed out.
The report includes more details about the researchers’ approach and tentative conclusions about password reuse and other topics. It is a really good read that also touches on a (in my opinion) not well enough known tendency of people to heed subtle encouragements or nudges – a tendency that should definitely be taken into consideration when designing more secure and user-friendly systems.