Experts have compiled the worst passwords of the year for both 2017 and 2018 in an effort to help consumers avoid potential hacks. Now, researchers from the University of Plymouth want to warn consumers about their passwords as we get ready to head into 2020.
As cybersecurity threats continue to loom, it’s important for consumers to be diligent and creative when setting up new passwords. But despite many sites creating meters that gauge the strength of new passwords, these tools aren’t always the most accurate. In fact, the researchers say they can actually make consumers more vulnerable to cyber attacks.
“Password meters themselves are not a bad idea, but you clearly need to be using or providing the right one,” said researcher Steve Furnell. “It is also worth remembering that, regardless of how the meters handled them, many systems and sites would still accept the weak passwords in practice and without having offered users any advice or feedback on how to make better choices.”
Inaccurate password meters
The researchers tested 16 of the most commonly used passwords in an effort to determine how effective password meters are for protecting users’ privacy and information.
Many sites require users to create passwords that mix uppercase and lowercase letters, numbers, and symbols. However, the study found that even with those requirements in place, many of these gauges, which are designed to ensure that passwords are strong enough not to be guessed by hackers, aren’t operating as planned.
Over 60 percent of the passwords tested were intentionally weak, as the researchers wanted to see what the meters were capable of detecting. Ultimately, just half of those passwords were rejected by the password meters; the other half were accepted as viable choices.
“What this study shows is that some of the available meters will flag an attempted password as being a potential risk whereas others will deem it acceptable,” said Furnell. “Security awareness and education is hard enough, without wasting the opportunity by offering misleading information that leaves users misguided and with a false sense of security.”
While these findings urge against using common password options like “Password1!” or “abc123,” consumers should feel confident using a pre-generated password offered by a website. The researchers found that these types of passwords yielded positive results in all of their trials.
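To make the gap concrete, here is an added example, not code from the study or from any site it tested. It puts a meter that only checks length and character classes next to one that first checks a list of common passwords. The function names and the five-entry list are assumptions made for illustration.

```javascript
// Constructed sample list; a real meter would load a large list of
// common and breached passwords instead of these five entries.
const COMMON = new Set(["password", "abc123", "123456", "qwerty", "letmein"]);

// Meter A: composition rules only (length plus character classes).
function compositionMeter(pw) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/]
    .filter((re) => re.test(pw)).length;
  if (pw.length >= 8 && classes === 4) return "strong";
  if (pw.length >= 8 && classes >= 2) return "medium";
  return "weak";
}

// Candidate base forms of a password: lowercased, with trailing digits and
// symbols stripped, and with common character substitutions undone.
function baseForms(pw) {
  const subs = { "@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s" };
  const lower = pw.toLowerCase();
  const stripped = lower.replace(/[^a-z]+$/, "");
  const plain = stripped.replace(/[@013$5]/g, (c) => subs[c]);
  return [lower, stripped, plain];
}

// Meter B: reject anything whose base form is a common password,
// then fall back to the composition score for everything else.
function listAwareMeter(pw) {
  if (baseForms(pw).some((form) => COMMON.has(form))) return "weak";
  return compositionMeter(pw);
}

// Constructed inputs: two passwords named in the article, one decorated
// variant, and one random string standing in for a site-generated password.
const samples = ["Password1!", "abc123", "P@ssw0rd2019", "tK9#vQ2m!xL7pR4z"];
for (const pw of samples) {
  console.log(pw.padEnd(18), compositionMeter(pw).padEnd(8), listAwareMeter(pw));
}
```

The composition-only meter rates “Password1!” as strong because it satisfies every character rule, while the list-aware meter reduces it to “password” and rejects it.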
“Over the festive period, hundreds of millions of people will receive technology presents or use their devices to purchase them,” Furnell said. “The very least they should expect is that their data will be secure and, in the absence of a replacement for passwords, providing them with consistent and informed guidance is key in the quest for better security.”