Web things that must die #1: Password Strength Meters

So you’re signing up to BrandNuThingOnTheBlockr, and since it hasn’t yet implemented OpenID it asks you to create a password. You choose horatio, because why should you deviate from the password you’ve used for every other site? OK, maybe you should deviate slightly. You type it in and, huh, look at that, it tells you Password Strength: Weak. You go back and, um, stick a zero in there. h0ratio. No difference. h0ratio1? Oh, well that’s changed it to Password Strength: Medium. Great, now at least the thing isn’t calling me a dunce, and I think I might remember this one. Great, I’ve found my password.

Password Strength meters are little AJAX widgets that people started hooking up because they could. They don’t provide any information. They’re about as useful as the colour-coded alerts issued by the Department of Homeland Security. Sites should give examples of bad passwords, and secure ones, if they really care to. All a Password Strength meter does is test how far one of your users can be bothered to travel down the colours of the traffic light without getting bored.

Gauging a password’s strength by a crude count of the ratio of alphabetic, numeric and other characters is too blunt to be useful. It will only stave off the more brute-force type attacks. Sign up to Facebook, and when it asks you to make up a really super-duper secure password type in pa$$w0rd. A cute little asynchronous request will go off and then come back… oh, Password Strength: Strong! Go right ahead with your military-strength password, little chickadee.
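As an added example (not code from the original post), here is the kind of character-class meter described above beside a check that undoes common substitutions and looks the result up in a list of known-bad passwords; the word list and substitution table are constructed assumptions standing in for a real breached-password corpus.

```javascript
// Naive meter of the kind the post criticises: it scores only by which
// character classes are present plus a length bonus, so pa$$w0rd scores
// as well as a genuinely random eight-character password.
function naiveStrength(pw) {
  let score = 0;
  if (/[a-z]/.test(pw)) score++;
  if (/[A-Z]/.test(pw)) score++;
  if (/[0-9]/.test(pw)) score++;
  if (/[^A-Za-z0-9]/.test(pw)) score++;
  if (pw.length >= 8) score++;
  if (score <= 2) return "Weak";
  if (score <= 3) return "Medium";
  return "Strong";
}

// Constructed stand-in for a real list of breached or common passwords.
const COMMON_PASSWORDS = new Set(["password", "horatio", "letmein", "qwerty"]);

// Common "leetspeak" substitutions mapped back to the letters they replace.
const SUBSTITUTIONS = {
  "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
  "$": "s", "@": "a", "!": "i",
};

// Collapse a password to the dictionary word it is probably derived from:
// lower-case it, drop a trailing run of digits (the "1" in h0ratio1),
// then undo the substitutions (pa$$w0rd -> password).
function normalise(pw) {
  return pw
    .toLowerCase()
    .replace(/\d+$/, "")
    .split("")
    .map((c) => SUBSTITUTIONS[c] || c)
    .join("");
}

// Dictionary-aware check: if the normalised form is a known-bad password
// it is Weak, whatever the character-class meter would have said;
// otherwise fall back to the naive score.
function dictionaryStrength(pw) {
  if (COMMON_PASSWORDS.has(normalise(pw))) return "Weak";
  return naiveStrength(pw);
}
```

With the post's own examples, naiveStrength rates horatio and h0ratio Weak, h0ratio1 Medium and pa$$w0rd Strong, while dictionaryStrength rates all four Weak.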


© 2010 Douglas Greenshields