This is not a big step forward in terms of security, especially since fraudsters know very well – probably better than anyone – what kind of passwords people choose. If we demand upper case characters in passwords, almost everybody will capitalize the first letter. If we demand a numeral, the number “1” is almost three times more likely than the number “9”, and “3456” is more than ten times as common as “4321”. Similarly, the “special” characters people use are far from special when you look at which ones are used and where they are placed in the password. Therefore, traditional password strength checkers create a false sense of security, since they count characters but fail to look at likelihoods.
Users are not entirely to blame. The industry is giving a false sense of security with the way it uses password checkers. Instead of counting upper case and lower case characters and demanding numerals and special characters, password strength checkers should understand passwords – and refuse passwords that are too predictable. And this can be done! In a recent paper I wrote with my student, Mayank Dhiman, we showed how a password strength checker could parse a password into its components, score each component by how common it is, and combine those component scores into a score for the password as a whole.
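As an added illustration of the component-based approach just described (example code written for this page, not the paper's implementation), the checker below splits a password into word, digit and symbol runs, prices each run by an estimated probability, and rejects the password when the total surprisal is too low. The probability tables are constructed here for illustration; a real checker would derive them from measured password statistics.

```python
import math
import re

# Constructed, illustrative per-component probabilities (not measured data).
# They encode the kind of skew the text describes: "1" far more likely than
# "9", "3456" far more common than "4321", "!" the dominant symbol.
COMMON_WORDS = {"password": 0.05, "welcome": 0.02, "monkey": 0.01}
COMMON_DIGITS = {"1": 0.30, "123": 0.15, "2020": 0.05, "3456": 0.02, "4321": 0.002}
COMMON_SYMBOLS = {"!": 0.50, "@": 0.15, "#": 0.08, "$": 0.08}
TABLES = {"word": COMMON_WORDS, "digits": COMMON_DIGITS, "symbols": COMMON_SYMBOLS}
# Fallback for components not in a table: uniform choice over the alphabet.
ALPHABET_SIZE = {"word": 26, "digits": 10, "symbols": 32}

TOKEN_RE = re.compile(r"[A-Za-z]+|\d+|[^A-Za-z\d]+")

def parse(password):
    """Break a password into (kind, text) components."""
    comps = []
    for m in TOKEN_RE.finditer(password):
        t = m.group()
        kind = "word" if t.isalpha() else "digits" if t.isdigit() else "symbols"
        comps.append((kind, t))
    return comps

def component_bits(kind, text):
    """Surprisal in bits (-log2 p) of one component under the tables above."""
    p = TABLES[kind].get(text.lower())
    if p is None:
        p = ALPHABET_SIZE[kind] ** -len(text)
    return -math.log2(p)

def capitalisation_bits(word):
    # All-lower costs nothing extra; capitalising only the first letter is the
    # predictable choice (assumed 1 bit); anything else is charged per letter.
    if word.islower():
        return 0.0
    if word[0].isupper() and word[1:].islower():
        return 1.0
    return float(len(word))

def score(password):
    """Return (total bits, per-component breakdown) for a password."""
    details, total = [], 0.0
    for kind, text in parse(password):
        bits = component_bits(kind, text)
        if kind == "word":
            bits += capitalisation_bits(text)
        details.append((kind, text, round(bits, 1)))
        total += bits
    return round(total, 1), details

def passes_composition_rules(pw):
    """The traditional checker: one of each character class, length >= 8."""
    return (len(pw) >= 8 and any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw) and any(not c.isalnum() for c in pw))

def accept(password, min_bits=40):
    return score(password)[0] >= min_bits
```

"Password1!" satisfies every composition rule yet scores only about 8 bits here, while swapping "3456" for "4321" visibly raises the score, which is exactly the likelihood information a character-counting checker discards.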
It is time to teach users how to be less predictable.