Password sweepstakes

In a bid to engage users and get them thinking about password security, Intel recently launched a ‘password grader’ along with a prize draw, inviting visitors to test the strength of their password, with the chance of winning an Ultrabook.

The grader itself asks the user to type in what they think would be a strong password, while a footnote hastily urges users not to actually enter their real passwords (like other password checkers available on the Internet, information entered into the grader is not retained, and the string is checked on the local machine – nevertheless, Intel errs on the side of caution, with a note which initially^[1] read: ‘[The information] is not sent over the Internet. Just the same, PLEASE DO NOT ENTER YOUR REAL PASSWORD.’).

While those with some degree of security know-how may have whiled away five minutes pitting different combinations against the grader to see what response it would come up with (congratulations to the security researcher who swiftly generated the response ‘It would take about infinity years to crack your password’), I would be surprised if there were many real-world users that heeded the warning against entering their real passwords – particularly since the message was mixed, the introduction suggesting you ‘see how strong your password is’ (either you’re meant to test your own password or you aren’t, but Intel seemed unable to decide).

Password (in)security has been a problem for many years. In 2007, a survey of office workers run in conjunction with the Infosecurity Europe exhibition found that 64% of people would reveal their password in exchange for a bar of chocolate. More recently, concerns have focused on both the weakness of users’ passwords (according to a report from UK communications watchdog Ofcom, 26% of users say they tend to use easy to-remember passwords such as birthdays or names) and the tendency of users to repeat the same password over multiple sites (the same Ofcom survey found that 55% of UK adults use the same password to access most of the sites they visit).

Deloitte has predicted that in 2013 more than 90% of user-generated passwords will be vulnerable to hacking, which is all the more concerning when taking into account the fact that the average user has 26 password protected accounts, but only five different passwords.

Clearly, the importance of password security continues to need to be highlighted, and lessons in how to pick secure passwords continue to need to be taught. Intel can’t be blamed for trying to convey such a lesson in a fun and attention grabbing manner – capturing the imagination of end users when it comes to security education is one of the greatest hurdles. Nevertheless, encouraging users to enter their password on a site with a plain HTTP connection, tempting them with a prize, and then requiring them to enter their name and email address (in order to enter the draw) was perhaps not the best of ideas.

But not all password graders are as off-the mark as Intel’s was. A recent study by researchers from the University of California at Berkeley, the University of British Columbia and Microsoft looked at the impact of password meters positioned on websites at the point at which the user sets up or changes their password. Users presented with a password grader were found to enter stronger passwords than those who were not presented with one. (The study also found that those who had selected stronger passwords with the help of a grader had no more difficulty remembering their passwords two weeks later than those who had chosen weaker ones.)

Of course, the value of a password grader lies in the algorithms behind it, but the results of the study are certainly encouraging – and an increase in the number of password-protected services that integrate such tools would be a boost for this aspect of security.

Latest articles:

Bulletin Archive