Password Strength Meter design pattern

You want to make sure your users' passwords are sufficiently strong in order to prevent malicious attacks.

Use when you want your users to choose passwords for their user accounts that are hard to break or guess by either human or computerized help.
Use when you want to higher the entry barriers for attackers to get started tampering with your system.
Use when you want to be sure that your users know what a good password is and that their chosen password follows such guidelines.

The currently entered password in the password field is measured on an often horizontal scale from none to max security. If the password is weak then only a small portion of the horizontal bar is highlighted, and oppositely if the password is strong then a larger portion of the horizontal bar is highlighted.

The password strength is also appropriately indicated by coloring the bar in a color associative with good or bad: Green indicating a strong password and red indicating a weak password.

How strong a password?

The definition of a strong password can be intensely argued. A forced complex password at first glance only spells increased security, but forcing too complex and rigid rules on the complexity of a chosen password can have the opposite effect. As passwords are forced to be complex, they also become increasingly harder to remember by the user. This occasionally leads to a self-destruction of the increased security, as some users in order to remember their new complex password simply write it down on a small sticky note and paste it up on their screen. This is especially a problem in places with the policy of forced password renewal every 3 months.

What is a strong password?

With the above mentioned in mind, I should stress that a sufficiently strong password does not necessarily need to fulfill all of the rules below, but merely a few will do. Consider the following rules to each add an extra point in how strong the password is (so that 0 point is the weakest, and 5 is the strongest). UI-patterns.com defines a strong password when it…:

Has more than 8 characters
Contains both small and uppercase letters
Contains at least one numerical character
Contains special characters
Has more than 12 characters

This would result in 6 levels of password strength depending on how many of the above mentioned criteria are being met.

Dictionary attacks

While the above mentioned password check can easily be done using only client-side javascript, it does not prevent against dictionary attacks. To ease the memorization of passwords, people tend to use real words as passwords and merely substitute characters with numbers or special characters. An example of such a password could be “P@ssw0rd”, which really isn’t a strong password. Modern password breaking software is fairly good at guessing such number/letter substitutions. To check against such strength, you would need to do ajax calls that would check with your own dictionary if the password was strong or not.

Choosing an appropriate level of password strength

You need to choose how strong a password is needed for what you want to protect. You need to draw the line somewhere. For 99% of the content out there it can easily be argued that merely the first 2 or 3 of the first mentioned rules will be sufficient.

General guidelines on choosing a password

Use a password of a seemingly random selection of letters and numbers
Use a password that you can type without you having to look at the keyboard (decreases possibility of people stealing your password)
Change your password regularly
Do not use your network ID in any form (capitalized, reversed, doubled, etc.)
Do not use your first, middle or last name or anyone else’s in any form.
Do not use your initials or any nicknames you or somebody else might have.
Do not use a word contained in any dictionary (English or foreign), spelling list, abbreviation list, etc.
Do not use information that people can easily obtain about you (license plate, pet name, date of birth, telephone numbers)
Do not use password of all alphabetical characters or only numeric characters – mix them up.
Do not use keyboard sequences (for instance qwerty or asdf)

By showing a password strength meter beside the password field, the user is forced to consider using a password with an appropriate strength. By putting a minimum level of password strength you can even use the password strength meter to force a heightened security to your website.

Using a password strength indicator on the website, another level of security is added to the site. This not only makes the current users of the site feel more secure, but potential clients might use this as a requisite when deciding to conduct business with a company.

A password strength meter helps the user choosing a secure password when signing up for a Microsoft live ID.
A password strength meter is used for ensuring the users' security at youtube.com
Password strength meter when signing up to twitter

7 Comments

Chritophe Michel

20 Mar, 2008

There is an alternate solution : compute the number of possible combinations given the character set implied by the password and its size.

“bob” -> lower case letters “23tinejiu” -> lower case letters, numbers

Strength is size of the character set to the power of the size of the password. It makes it easy to define a minimum strength.

You can then check the password against a banlist (previous passwords, dictionary words – although it won’t be necessary if the minimum strength is high enough since it will de facto rule out every dictionary word).

Microsoft’s online password checker [1] works that way.

[1] http://www.microsoft.com/protect/yourself/password/checker.mspx

Jasper Kennis

20 Mar, 2008

There is a downside to this method: some of them make make me use rediculously long passwords, for they do indeed check the number of different characters used. Even though it deserves a positive vote: it’s extra feedback, always a good thing, and it might prevent the use of bob as a passy too.

casino online

25 Nov, 2010

For illustration purposes I have created a sample enquiry form which the website user can submit their enquiry and the form will send an email to the site administrator.

Nitin

28 Nov, 2010

Hi,

Please see another example of a password strength meter. This is a server side implementation

http://www.meosys.com/WEB/webdemo.iface

Ken

8 Jan, 2011

Rating:
0-9: Pathetically weak – Can get hacked very quickly
10-19: Extremely weak – Easy to hack
20-29: Very weak – A bit prone to hacking
30-39: Weak – Good enough if you are in a hurry
40-49: So-so – Fairly safe
50-60: Average – Quite safe
61-70: Fair – Extremely safe
71-80: Strong – Unbelievably safe
81-90: Very strong – Almost the safest
91-100: Unbelievably strong -Couldn’t be safer

Jan

9 Mar, 2011

I think there is a downside to the password strenght meter from a user experience perspective and sometimes also a business perspective.

What we’ve seen in research is that some users gets obsessed with achieving the “strong” value for the password which means they are not very likely to remember their password when logging in the next time.
This causes them to use the retrieve password functionality and if no such functionality is in place they will have to contact customer service. In worst case they might give up logging in which might lead to us losing this user as a customer.

My conclusion is that before implementing this type of functionality you need to analyze the pros and cons. Do you really store the type of sensitive user data on your website that needs this security?