Password meters are meant to help secure your data, but some may be doing the exact opposite. A new paper explains that the “inconsistent and misleading” advice such helpers often give can promote weak passwords.

The study from the University of Plymouth assessed the effectiveness of 16 password meters that are likely to see heavy and regular use. While it focused heavily on sites dedicated to this purpose, the study also included meter systems embedded in online platforms such as Dropbox and Reddit.

They concluded that there is a wide range of advice that these different platforms offer users, with various levels of quality (some being pretty abysmal).

Qwerty1234

“What this study shows is that some of the available meters will flag an attempted password as being a potential risk whereas others will deem it acceptable,” explains Steve Furnell, a Professor of Information Security and Leader of the University’s Centre for Security, Communications & Network Research, the study’s author.

“Security awareness and education is hard enough, without wasting the opportunity by offering misleading information that leaves users misguided and with a false sense of security.”

Furnell pitted 16 passwords of varying degrees of reliability — 10 of them were selected from rankings of the world’s most commonly-used passwords — against a number of meters. The purpose of such meters is to help users pick effective and secure passwords.

However, some will not even flag ‘123456’, ‘qwerty’ or ‘iloveyou’ — all listed among the worst passwords of 2019 — as being unsafe. Only five of the 10 explicitly weak passwords were consistently flagged as such by the meters. ‘Password1!’ performed surprisingly well — three meters even rated it as secure or very secure. You should probably change it on any platform you’re using it for right now.

Professor Furnell explains that the issue is further exacerbated by the fact that some of the most prominent online platforms out there haven’t improved or expanded on the password guidance they offer to users. Most of the top-ten biggest English-speaking websites are guilty of this, the study found.

And it’s not a victimless oversight. Furnell cites Verizon’s 2017 “Data Breach Investigations Report” with finding that around “81% of hacking-related breaches had ‘leveraged either stolen and/or weak passwords'”.

Not all is lost, however. A browser-generated password used in the study was consistently rated strong, so we can probably trust these automatically-generated passwords.

“Password meters themselves are not a bad idea, but you clearly need to be using or providing the right one,” the paper explains. “It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices.”

“While all the attention tends to focus on the replacement of passwords, the fact is that we continue to use them with little or no attempt being made to support users in doing so properly. Credible password meters can have a valuable role to play but misleading meters work against the interest of security and can simply give further advantage to attackers.”

The paper “Password meters: inaccurate advice offered inconsistently?” has been published in the journal Computer Fraud & Security.