Researchers unveil new password meter that will change how users make passwords

May 8, 2017

One of the most popular passwords in 2016 was "qwertyuiop," even though most password meters will tell you how weak that is. The problem is no existing meters offer any good advice to make it better—until now.

Researchers from Carnegie Mellon University and the University of Chicago have just unveiled a new, state-of-the-art meter that offers real-time feedback and advice to help people create better passwords. To evaluate its performance, the team conducted an online study in which they asked 4,509 people to use it to create a password.

"Instead of just having a meter say, 'Your password is bad,' we thought it would be useful for the meter to say, 'Here's why it's bad and here's how you could do better,'" says CyLab Security and Privacy Institute faculty Nicolas Christin, a professor in the department of Engineering and Public Policy and the Institute for Software Research at Carnegie Mellon, and a co-author of the study.

The study will be presented at this week's CHI 2017 conference in Denver, Colorado, where it will also receive a "Best Paper Award." A demo of the meter can be viewed here.

"The key result is that providing the data-driven feedback actually makes a huge difference in security compared to just having a password labeled as weak or strong," says Blase Ur, lead author on the study, formerly a graduate student in CyLab and currently an assistant professor at the University of Chicago's Department of Computer Science. "Our new meter led users to create stronger passwords that were no harder to remember than passwords created without the feedback."

The meter works by employing an artificial neural network: a large, complex map of information that resembles the way neurons behave in the brain. The team conducted a study about this neural network approach that received a Best Paper Award at the USENIX Security conference in August 2016. The network "learns" by scanning millions of existing passwords and identifying trends. If the meter detects a characteristic in your password that it knows attackers may guess, it'll tell you.

"The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords," says Ur. "For example, if you change Es to 3s in your password, that's not going to fool an attacker. The meter will explain about how prevalent that substitution is and offer advice on what to do instead."

This data-driven feedback is presented in real time, as a user types their password out letter by letter.
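As an added illustration (not the CMU/UChicago meter's own code), the rule-based checker below mimics that kind of "here's why and here's what to do" feedback in JavaScript, the language of a browser-side meter: it undoes common character substitutions, spots keyboard walks and explains each finding. The word list and keyboard rows are constructed stand-ins for the breach data a real meter learns from.

```javascript
// Added example, not code from the CMU/UChicago meter. Constructed sample data:
const COMMON_PASSWORDS = new Set(["password", "qwertyuiop", "letmein", "iloveyou", "welcome"]);
const KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"];
// Typical "leet" substitutions that guessing tools undo automatically.
const LEET = { "3": "e", "0": "o", "@": "a", "$": "s", "1": "i", "!": "i", "4": "a", "7": "t" };

// Undo leet substitutions so "P@ssw0rd" is compared as "password".
function normalizeLeet(pw) {
  return pw.toLowerCase().replace(/[30@$1!47]/g, (ch) => LEET[ch]);
}

// Return the longest run (4+ chars) that walks along a keyboard row, or null.
function keyboardWalk(pw) {
  const lower = pw.toLowerCase();
  let best = null;
  for (const row of KEYBOARD_ROWS) {
    for (const r of [row, row.split("").reverse().join("")]) {
      for (let i = 0; i + 4 <= lower.length; i++) {
        for (let j = lower.length; j - i >= 4; j--) {
          const s = lower.slice(i, j);
          if (r.includes(s) && (!best || s.length > best.length)) best = s;
        }
      }
    }
  }
  return best;
}

// Produce a list of {code, advice} findings, one per observed weakness.
function explain(pw) {
  const findings = [];
  const lower = pw.toLowerCase();
  const plain = normalizeLeet(pw);
  if (COMMON_PASSWORDS.has(lower)) {
    findings.push({ code: "common", advice: `"${pw}" is one of the most common passwords; attackers try it first.` });
  } else if (COMMON_PASSWORDS.has(plain)) {
    findings.push({ code: "leet", advice: `Swapping letters for look-alike symbols ("${pw}" reads as "${plain}") is a pattern attackers undo automatically; use unrelated words instead.` });
  }
  const walk = keyboardWalk(pw);
  if (walk) findings.push({ code: "keyboard_walk", advice: `"${walk}" follows a keyboard row, a pattern common in breached passwords.` });
  if (/\d{2,}$/.test(pw)) findings.push({ code: "trailing_digits", advice: "Digits tacked onto the end (often a year) are among the first guesses; put them in the middle or add more words." });
  if (pw.length < 12) findings.push({ code: "short", advice: `${pw.length} characters is short; a longer passphrase of several unrelated words resists guessing better.` });
  return findings;
}
```

Calling `explain("P@ssw0rd")` yields a substitution finding plus a length finding, while a long passphrase of unrelated words yields none.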

The team has open-sourced their meter on GitHub.

"There's a lot of different tweaking that one could imagine doing for a specific application of the meter," says Ur. "We're hoping to do some of that ourselves and also engage other members of the security and privacy community to help contribute to the meter."

PTTG
4.7 / 5 (3) May 08, 2017
So you're going to increase security... by repeatedly sending the plaintext password to the server until it's acceptable?
SkyLy
not rated yet May 09, 2017
Groot. Stop enforcing your password rules to users really, it's annoying as hell, especially since hacks by blind password login attempts are way overrated.
