Many people have their opinion about passwords and the role they should or should not play in information security. I have an opinion too, but I also realize that today, passwords are simply necessary and we should keep trying to educate end-users about the importance of strong passwords and not re-using them (which is very akin to sharing them, IMHO).
Today, I decided it was time to reset my Google account password. I am not a heavy user of Google’s services, but I like their bookmark service. My old password was sadly not very secure and I set about fixing that.
Google’s “Security Center” provides users with a Password Strength indicator:
I was curious how Google calculates password strength. The Javascript function that’s used on the page is significantly obsured, so instead of analyzing it, I tried a few combinations. Here are the passwords, the rating each password got from Google and my take on it:
- 123456: Too short – good call
- 12345678: Weak – good call
- googlemail: Weak – good call, I suppose, although one might argue about this rating because it is 10 characters long
- erkhwplh: Strong – Huh?
- q,QgJyV^Xh3$: Strong – Huh?
My issue is with Google’s rating of the last two passwords: one I simply created by typing 8 lowercase random characters on my keyboard, the other is 12 characters, generated by a random password generator. Considering the characteristics of those passwords, I don’t feel that rating them both as “Strong” is a good call. Clearly, a password with
- Uppercase characters
- Lowercase characters
- Digits
- Symbols
that is 50% longer than a password with only lowercase characters is more secure, but not according to Google. Google’s Password Strength has a rating of Fair in its arsenal, so I would suggest that the 8 lowercase character one gets a rating of Fair instead of strong.
After determining that a random password like the last one in the list was strong enough for my needs, I realized that Strong only fills the graphical bar about halfway. Based on that info, there must be at least another level of strength that Google considers, right? Based on a look behind the scenes (at the page’s Javascript), there is no further level though.
Summing it up, there are some issues with Google’s (as well as other’s) Password Strength indicator. While Google does provide instructions on how to create a strong password, you have to click on a link and endure a popup window to see it. Most users are probably not going to go to that length. As such, on Google’s site, the password strength indicator is the only indicator that a user has about the relative security of their password. A user with a fairly weak, 8 character lowercase, password gets the same fuzzy feeling from the “Strong” rating than someone with a password generator and 12 characters of near complete randomness.
I believe Google should do better and offer inline suggestions about creating a strong password. For example, if I initially type “erkhwplh,” I should get the rating “Fair,” but in addition be presented with a blurb that reads something like “Increase the strength of your password by adding a digit and changing a lowercase character to uppercase.”
Sven Aelterman 