Many people have their opinion about passwords and the role they should or should not play in information security. I have an opinion too, but I also realize that today, passwords are simply necessary and we should keep trying to educate end-users about the importance of strong passwords and not re-using them (which is very akin to sharing them, IMHO).
Today, I decided it was time to reset my Google account password. I am not a heavy user of Google’s services, but I like their bookmark service. My old password was sadly not very secure and I set about fixing that.
Google’s “Security Center” provides users with a Password Strength indicator:
- 123456: Too short – good call
- 12345678: Weak – good call
- googlemail: Weak – good call, I suppose, although one might argue about this rating because it is 10 characters long
- erkhwplh: Strong – Huh?
- q,QgJyV^Xh3$: Strong – Huh?
My issue is with Google’s rating of the last two passwords: one I simply created by typing 8 lowercase random characters on my keyboard, the other is 12 characters, generated by a random password generator. Considering the characteristics of those passwords, I don’t feel that rating them both as “Strong” is a good call. Clearly, a password with
- Uppercase characters
- Lowercase characters
that is 50% longer than a password with only lowercase characters is more secure, but not according to Google. Google’s Password Strength has a rating of Fair in its arsenal, so I would suggest that the 8 lowercase character one gets a rating of Fair instead of Strong.
Summing it up, there are some issues with Google’s (as well as others’) Password Strength indicator. While Google does provide instructions on how to create a strong password, you have to click on a link and endure a popup window to see it. Most users are probably not going to go to that length. As such, on Google’s site, the password strength indicator is the only indicator a user has about the relative security of their password. A user with a fairly weak, 8 character lowercase password gets the same fuzzy feeling from the “Strong” rating as someone with a password generator and 12 characters of near complete randomness.
I believe Google should do better and offer inline suggestions about creating a strong password. For example, if I initially type “erkhwplh,” I should get the rating “Fair,” but in addition be presented with a blurb that reads something like “Increase the strength of your password by adding a digit and changing a lowercase character to uppercase.”
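To show how a strength meter can tell the last two passwords apart, here is an added example (my own code, not Google’s) that estimates the brute-force keyspace of each password from its length and the character classes it uses, maps the bits to Too short / Weak / Fair / Strong, and produces the inline suggestions proposed above. The entropy thresholds and the small common-password list are assumptions chosen for illustration.

```python
import math

# Constructed sample of very common passwords; a real meter would use a large breach-derived list.
COMMON_PASSWORDS = {"123456", "12345678", "password", "qwerty", "googlemail"}

# Assumed thresholds (bits of brute-force entropy) for the three non-trivial ratings.
FAIR_BITS = 36
STRONG_BITS = 60


def pool_size(pw: str) -> int:
    """Alphabet size implied by the character classes actually present in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable ASCII punctuation
    return size


def entropy_bits(pw: str) -> float:
    """Bits an attacker must brute-force if every character were drawn uniformly from the pool."""
    return len(pw) * math.log2(pool_size(pw)) if pw else 0.0


def rate(pw: str) -> str:
    """Rating in the style of the indicator discussed above."""
    if len(pw) < 8:
        return "Too short"
    if pw.lower() in COMMON_PASSWORDS:
        return "Weak"  # dictionary hit overrides any keyspace estimate
    bits = entropy_bits(pw)
    if bits < FAIR_BITS:
        return "Weak"
    if bits < STRONG_BITS:
        return "Fair"
    return "Strong"


def suggestions(pw: str) -> list[str]:
    """Inline hints telling the user what would raise the rating."""
    hints = []
    if not any(c.isupper() for c in pw):
        hints.append("change a lowercase character to uppercase")
    if not any(c.isdigit() for c in pw):
        hints.append("add a digit")
    if all(c.isalnum() for c in pw):
        hints.append("add a symbol")
    if len(pw) < 12:
        hints.append("lengthen it to at least 12 characters")
    return hints
```

Running `rate` over the five passwords listed above yields Too short, Weak, Weak, Fair and Strong respectively, which is the split the indicator should have shown.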