If you are still using ”password” and ”123456” as your pass codes to access devices, do not blame yourself as inconsistent and misleading advice offered on some of the world”s most popular websites could actually be doing more harm than good, according to new research.
Password meters are frequently made available to help users secure their personal data against the threats posed by cyber criminals. A study by the University of Plymouth in England assessed the effectiveness of 16 password meters that people are likely to use or encounter on a regular basis.
Published in Computer Fraud and Security, the research said there is a clear level of variation in the advice offered across the different websites. While some meters do effectively steer users towards more secure account passwords, some will not pick them up when they try to use ”abc123”, ”qwertyuiop” and ”iloveyou” — all listed this week among the worst passwords of 2019.
The study tested 16 passwords against the various meters, with 10 of them being ranked among the world”s most commonly used passwords (including ”password” and ”123456”). Of the 10 explicitly weak passwords, only five of them were consistently scored as such by all the password meters, while ”Password1!” performed far better than it should do and was even rated strongly by three of the meters.
Over the festive period, hundreds of millions of people will receive technology presents or use their devices to purchase them.
“The very least they should expect is that their data will be secure and, in the absence of a replacement for passwords, providing them with consistent and informed guidance is key in the quest for better security,” suggested Steve Furnell, professor of information security.
The main focus was dedicated password meter websites, but the study also sought to assess those embedded in some common online services (including Dropbox and Reddit) and those found as standard on some of our devices. Furnell has previously suggested that global IT giants including Amazon and LinkedIn could be doing far more to raise awareness of the need for better password practices.
He has also shown that over the space of a decade, most of the top 10 English-speaking websites had not expanded the password guidance they offer consumers amid the increased threat of global cyber-attacks.
“What this study shows is that some of the available meters will flag an attempted password as being a potential risk whereas others will deem it acceptable,” the authors wrote.
Furnell said that while all the attention tends to focus on the replacement of passwords, the fact is that we continue to use them with little or no attempt being made to support users in doing so properly.
“Credible password meters can have a valuable role to play but misleading meters work against the interest of security and can simply give further advantage to attackers”.