Finder makes money from featured partners, but editorial opinions are our own.

Why you can’t trust password strength generators



If a site tells you that a password is "very strong", be wary.

If you've been online longer than a week, you'll have run into a password strength generator. You go to sign up to some sexy new online service, and you have to provide a password. As you type in one of your usual suspects, the strength meter changes colour, and tells you your password is weak, OK or very strong. Problem solved, right?

Not so fast. The key lesson here: you shouldn't be picking your own password in the first place. By far the best way to keep your information secure is to use a different randomly-generated password for every single service you sign up for, and to use a password manager to remember it. That way, if a single service does get hacked and your information leaks, that password can't be used anywhere else. There are plenty of solid password managers to choose from, and if you've taken the sensible step of installing antivirus software on your devices, it may well include a built-in option you can use. It's even better if the service includes two-factor authentication, so you can only sign in on a new device after being sent a unique one-time code (typically as an SMS)/

With that said, what's the issue with password strength generators? It's true that they will stop you from picking stupidly common passwords like "123456" or "iloveyou", and they'll make sure your password meets some minimum requirements (such as including numbers, letters and punctuation). However, testing shows that these generators actually don't do a great job of assessing password strength.

Security software developer Sophos Labs recently carried out an intriguing experiment to demonstrate this. Sophos chose five of the most commonly used password strength generators (which are freely available code that developers can add to their sites for no charge). Researchers then selected five passwords from a list of the 10,000 most common passwords. Any cracker would make use of these kinds of lists when trying to break into a service. The five chosen were:

  • abc123
  • trustno1
  • ncc1701
  • iloveyou!
  • primetime21

Despite mixing letters, numbers and (in one case) punctuation, these aren't strong passwords by any measure. More importantly, the fact that they're on a list of common passwords means they should be rejected by any reasonable strength checker. Yet when run through the selected strength generators, the majority ranked them as "weak", "medium" or "good". A good strength generator would rate them all as "very weak" at best.

Sophos' recommendation is that if you must include a strength generator on your site, use ZXCVBN, which isn't as popular as most of the choices it tested but does a much better job. For consumers, though, the lesson is simpler: don't trust password strength generators, trust a password manager.

Angus Kidman's Findings column looks at new developments and research that help you save money, make wise decisions and enjoy your life more. It appears Monday through Friday on

Latest news headlines

Picture: Shutterstock

Go to site