
Why you should never trust password gauges

Your new password may look very secure to the password meters on the web pages where you use it, but that rating is worthless.

Surely, when registering on a web page, you have seen that the password field usually comes with a strength meter that tells us how secure our password is against possible attacks. Rare is the page that does not have one nowadays, and giants like Google and Dropbox have used the system for a long time.

However, and unfortunately for users, these password meters are useless apart from giving us a false sense of security, and a study by Mark Stockley of Sophos highlights this.

Password meters get it wrong


In this study, Mark selected 5 of the 10,000 most used passwords, keys that will not withstand an attempt to gain unauthorized access to an account:

  • abc123 (number 14, the first to mix letters and numbers)
  • trustno1 (number 29, the second to mix letters and numbers)
  • ncc1701 (number 158, the registration number of the USS Enterprise)
  • iloveyou! (number 8778, the first with a non-alphanumeric character)
  • primetime21 (number 8280, the longest with letters and numbers)

It does not matter whether a password looks very advanced or strong if it appears in the list of most used passwords: password crackers fill their dictionaries with the words and passwords that people commonly use, so appearing on this list is synonymous with having a bad password.

Once he had the passwords, Mark chose the top 5 password meters that appear when you Google "jQuery strength meter", and added a control meter (zxcvbn, created by Dropbox and tested on more occasions) to the comparison. With everything ready, all he had to do was enter the passwords into the meters and compare the results.


As you can see in the table, zxcvbn is the only password meter that identifies all five passwords as very weak: the rest let at least one pass, and some meters even give those five insecure passwords a good grade. In other words, every one of them failed by letting one through.

Why do password meters fail?

This all happens because password meters do not measure the true strength of a password, which is very complex to determine and requires time and resources: most resort to estimating the password's entropy, which is relatively easy to measure by comparison. And all this would be fine if we did not realize that those who try to break our passwords are also human: they know our tricks for swapping in numbers and apply them to their account-cracking techniques. In other words, entropy is worth nothing to us when it comes to having a strong, secure password.
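As an added illustration (not code from the article or from the Sophos study), the following Python puts a character-class entropy meter of the kind the article describes next to a dictionary-first check in the spirit of zxcvbn, and runs both over the five passwords above. The common-password list is a constructed excerpt and the grade thresholds are assumptions.

```python
import math

# Constructed excerpt of a "most used passwords" list. It contains the five
# passwords from the study; a real check would load a full list.
COMMON_PASSWORDS = {
    "123456", "password", "abc123", "trustno1", "ncc1701",
    "iloveyou!", "primetime21", "qwerty", "letmein",
}

def naive_entropy_bits(password: str) -> float:
    """Character-class estimate typical of simple strength meters:
    bits = length * log2(size of the alphabet the password draws from)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation
    return len(password) * math.log2(pool) if pool else 0.0

def naive_rating(password: str) -> str:
    """Grade purely on the entropy estimate (thresholds are assumptions)."""
    bits = naive_entropy_bits(password)
    if bits < 28:
        return "weak"
    if bits < 36:
        return "medium"
    return "strong"

def dictionary_aware_rating(password: str) -> str:
    """Consult the common-password list before doing any entropy math, and
    also catch trivial variants: case changes and appended digits/symbols."""
    folded = password.lower()
    candidates = {password, folded, folded.rstrip("0123456789!@#$%")}
    if candidates & COMMON_PASSWORDS:
        return "very weak"
    return naive_rating(password)

def compare(passwords):
    """Return {password: (naive grade, dictionary-aware grade)}."""
    return {p: (naive_rating(p), dictionary_aware_rating(p)) for p in passwords}

if __name__ == "__main__":
    for pw, grades in compare(["abc123", "trustno1", "ncc1701",
                               "iloveyou!", "primetime21"]).items():
        print(f"{pw:12} naive={grades[0]:7} dictionary-aware={grades[1]}")
```

The entropy meter grades four of the five as "strong" because they mix character classes, exactly the failure the study observed; the dictionary check rejects all five, and also rejects "Password1!" even though its entropy estimate is higher still.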

And what can we do to get secure passwords, you ask? First of all, don't trust these password meters: we will never know which one we are using or whether it is giving us a good or bad result. A password manager with a strong password generator should help keep us safe in this regard, and tools like two-step verification are also effective in repelling attacks against our account.