“Password Meters” Work

Security and usability fans rejoice: password strength meters actually do persuade users to pick stronger passwords. People remember strong passwords just as well as weak ones, too.

It doesn’t matter what style the meter is, either. So the next time you’re putting together the next great new web site — whether for your startup or for your project team — add a password meter.


“Password strength meters work, but only when users are choosing or changing passwords for “important” accounts, a group of researchers has found. They also confirmed that users are no more likely to forget a “strong” password than a “weak” one.

By using two different types of meters and checking their results against those provided by a control group that was not faced with one, they discovered that it doesn’t matter what type of meter is used –
whether it depends on peer-pressure or on the existing motivation of selecting a password that would be considered “strong”, whether it was vertical or horizontal, or whether it used words, graphics or both – so long as it’s used.

The testing has been performed both in a laboratory and in the field, and the tested individuals were unaware that passwords were the subject of the experiment so that their actions would not be influenced – the researchers simply added an account creation page to a website being used for another, unrelated study.

“One of our findings is that password meters do not yield much improvement in helping users choose passwords for unimportant accounts, yet they are very commonly deployed in such contexts. Equally, where meters make a difference— password changes for important accounts—they are less often seen. Thus, practice at real sites appears to be very far from what our results dictate. This indicates a real opportunity for improvement,” the researchers pointed out.”

%d bloggers like this: