Password Strength Meter Studies
Impact of Password Meters on Password Selection
Researchers from Berkeley, Vancouver and Microsoft performed “a laboratory experiment to examine whether [password] meters influenced users’ password selections when they were forced to change their real passwords”.
Unsurprisingly, these meters only make a difference “when users are forced to change existing passwords”. Pure visual indicators seem to have no significant effect.
Analyzing Password-Strength Meters
Researchers from Concordia University analyzed the weaknesses and inconsistencies of password-strength meters employed by selected popular websites. While the study was published already in 2014, most of the finding can still today be observed in the open wild. The authors conclude that designing password strength indicators deserves thorough expertise, research and dedication: Password-strength “meters should avoid providing misleading strength outcomes, especially for weak passwords.”
Low-Budget Password Strength Estimation
In this reference paper for the popular zxcvbn framework by Dropbox, Daniel Lowe Wheeler outlines why “1.5 MB of compressed storage is sufficient to accurately estimate the best-known guessing attacks up to 105 guesses”. The paper not only demonstrated how their approach compares against the best guessing attacks, but also advertises it as a smarter way to solve password composition requirements. A great addition for every strength meter!
Modeling Password Guessability Using Neural Networks
“While we measured client-side strength metrics based on guessing effectiveness, a remaining challenge is giving user-interpretable advice to improve passwords during password creation.”
Practical Recommendations for Stronger, More Usable Passwords
In their study from 2020, Carnegie Mellon University researchers formulated “concrete recommendations for policy configurations that produce a good balance of security and usability”. They give clear guidance on composition requirements, blocklists, and neural-network-driven minimum-strength requirements.
“We recommend a 1c12+NN10 minimum-strength policy for organizations that wish to protect high-value accounts without a substantial negative usability impact.”
This paper is likely one of the most comprehensive and influential collections of best practices for authentication systems.