Password Strength Indicators Help People Make Ill-Informed Choices

Troy Hunt:

Here’s the bottom line with all this: password strength meters which simply run JavaScript in the client and apply basic mathematics are woefully inadequate. Likewise, websites applying similar maths to enforce “strong” passwords in no way guarantee that actual strong passwords will be chosen. All these calculators neglect the human element of passwords and that’s an enormously important part of the picture.

I know blog posts on passwords aren’t super dynamic and fun, but this is a great piece to show friends and family. Password cracking software has adapted to work with the XKCD-style multi-word passphrase format, so pure length isn’t the answer any more; secure passwords are long, complex, and unique. That makes those passwords very hard to remember, but products like 1Password and features like Touch ID are slowly making laboriously typing passwords a relic of the past.
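As an added illustration of both points above (a client-side meter misrating a leet-speak variant of a common word, and a four-word passphrase scoring far lower once word lists are in play), here is a naive JavaScript meter beside a cracker-aware estimate. This is example code, not from Troy Hunt's post or this one; WORDS, DICT_SIZE, LEET and the rating thresholds are constructed assumptions.

```javascript
// Added example (not from Troy Hunt's post or this one). A naive client-side
// meter beside an estimate that models how cracking tools actually guess.
// WORDS is a constructed stand-in for a cracking word list; DICT_SIZE is the
// assumed size of the real list (2048 is the figure the XKCD comic used).
const WORDS = ["password", "correct", "horse", "battery", "staple", "summer", "dragon"];
const DICT_SIZE = 2048;
const LEET = { "@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t" };

// Naive meter: log2(charset ^ length), the "basic mathematics" most JS meters apply.
function naiveBits(pw) {
  if (pw.length === 0) return 0;
  let charset = 0;
  if (/[a-z]/.test(pw)) charset += 26;
  if (/[A-Z]/.test(pw)) charset += 26;
  if (/[0-9]/.test(pw)) charset += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) charset += 33;
  return pw.length * Math.log2(charset);
}

// Mimic a cracker's rule set: lowercase, drop the trailing digits/symbols people
// bolt on to satisfy complexity rules, then undo common leet substitutions.
function normalise(pw) {
  return pw.toLowerCase().replace(/[^a-z]+$/, "").replace(/./g, c => LEET[c] || c);
}

// Greedy longest-match split of the core into word-list hits and stray characters.
function segment(core) {
  const parts = [];
  for (let i = 0; i < core.length; ) {
    let hit = "";
    for (const w of WORDS) if (core.startsWith(w, i) && w.length > hit.length) hit = w;
    parts.push(hit || core[i]);
    i += hit ? hit.length : 1;
  }
  return parts;
}

// Guess-space estimate: a word-list hit costs log2(DICT_SIZE), a stray character
// the full printable set (log2 95), and each stripped suffix character a digit or
// symbol (log2 43). Illustrative assumptions, not a calibrated cracking model.
function crackerBits(pw) {
  const core = normalise(pw);
  let bits = (pw.length - core.length) * Math.log2(43);
  for (const p of segment(core)) bits += WORDS.includes(p) ? Math.log2(DICT_SIZE) : Math.log2(95);
  return bits;
}

// Same banding for both estimates so they can be compared directly.
function rating(bits) { return bits >= 64 ? "strong" : bits >= 40 ? "fair" : "weak"; }
```

With these assumptions `P@ssw0rd123!` rates "strong" on the naive meter and "weak" on the cracker-aware one, `correcthorsebatterystaple` drops from "strong" to "fair", while a genuinely random string stays "strong" on both.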