You want to make sure your users' passwords are sufficiently strong in order to prevent malicious attacks.
A password’s strength is measured according to predefined rules and is displayed using a horizontal scale next to the input field. If the password is weak then only a small portion of the horizontal bar is highlighted. The greater the strength of the password the more the horizontal bar is highlighted.
The password strength is also appropriately indicated by coloring the bar in a color associative with good or bad: Green indicating a strong password and red indicating a weak password.
The definition of a strong password can be intensely argued. A forced complex password at first glance only spells increased security, but forcing too complex and rigid rules on password can have the opposite effect. As passwords are forced to be complex, they also become increasingly harder to remember by the user. This occasionally leads to a self-destruction of the increased security, as some users simply write it down on a small sticky note and paste it up on their screen in order to remember their new complex password. This is especially a problem in places with the policy of forced password renewal every 3 months.
With the above mentioned in mind, I should stress that a sufficiently strong password does not necessarily need to fulfill all of the rules below, but merely a few will do. Consider the following rules, for each rules followed add a point to the passwords strength level (so that 0 points is the weakest, and 5 is the strongest). UI-patterns.com defines a strong password when it…:
This would result in 6 levels of password strength depending on how many of the above mentioned criteria are being met.
You need to determine the password strength and complexity according to what you want to protect. You need to draw the line somewhere. For 99% of the content out there it can easily be argued that merely the first 2 or 3 rules mentioned above will be sufficient.
By showing a password strength meter beside the password field, the user is forced to consider using a password with an appropriate strength. By putting a minimum level of password strength you can even use the password strength meter to force a heightened security to your website.
Using a password strength indicator on the website, adds another level of security is added to the site. This not only makes the current users of the site feel more secure, but potential clients might use this as a requisite when deciding to conduct business with a company.
There is a downside to this method: some of them make make me use rediculously long passwords, for they do indeed check the number of different characters used. Even though it deserves a positive vote: it’s extra feedback, always a good thing, and it might prevent the use of bob as a passy too.
0-9: Pathetically weak – Can get hacked very quickly
10-19: Extremely weak – Easy to hack
20-29: Very weak – A bit prone to hacking
30-39: Weak – Good enough if you are in a hurry
40-49: So-so – Fairly safe
50-60: Average – Quite safe
61-70: Fair – Extremely safe
71-80: Strong – Unbelievably safe
81-90: Very strong – Almost the safest
91-100: Unbelievably strong -Couldn’t be safer
I think there is a downside to the password strenght meter from a user experience perspective and sometimes also a business perspective.
What we’ve seen in research is that some users gets obsessed with achieving the “strong” value for the password which means they are not very likely to remember their password when logging in the next time.
This causes them to use the retrieve password functionality and if no such functionality is in place they will have to contact customer service. In worst case they might give up logging in which might lead to us losing this user as a customer.
My conclusion is that before implementing this type of functionality you need to analyze the pros and cons. Do you really store the type of sensitive user data on your website that needs this security?