“Sometimes the only person you can trust is yourself.” It’s a common trope, however depressing. And it is especially true when it comes to your online security.
I’m sure we’re all familiar with those incessant red-yellow-green password strength meters that are meant to accurately tell you just how safe your password is. Well, new findings from researchers at Concordia University in Montreal call that accuracy into question.
Researchers Mohammad Mannan and Xavier de Carné de Carnavalet tested millions of not-so-good passwords (think: Password123) on several popular sites like Google, Yahoo!, Dropbox, Twitter and Skype. They found that the results were highly inconsistent. What is considered strong on one site is weak on another.
So while password meters are supposed to help you come up with strong passwords, this research shows they are not that well designed. Moral of the story? You can’t trust that green light.
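To see how two meters can disagree about the same password, here is an added example (not code from the Concordia study or from any of the sites named above). Both meters, the word list, the substitution table and the 40/60-bit thresholds are hypothetical, chosen only to contrast a composition-rule meter with a dictionary-aware one.

```python
import math
import string

# Constructed stand-in for a common-password list (real lists hold millions of entries).
COMMON_WORDS = {"password", "qwerty", "letmein", "welcome", "dragon"}
# Undo common character substitutions before the dictionary lookup.
LEET = str.maketrans("013457@$!", "oleastasi")
# Constructed sample passwords; "Password123" is the article's own example.
SAMPLES = ["Password123", "P@ssw0rd!", "correct horse battery staple", "tR7#qLm2vX"]


def char_classes(pw):
    """Return flags for (lowercase, uppercase, digit, punctuation) present in pw."""
    return (any(c.islower() for c in pw), any(c.isupper() for c in pw),
            any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))


def composition_meter(pw):
    """Hypothetical meter A: rewards length and character variety only."""
    classes = sum(char_classes(pw))
    if len(pw) >= 8 and classes >= 3:
        return "strong"
    return "medium" if len(pw) >= 8 and classes == 2 else "weak"


def dictionary_meter(pw):
    """Hypothetical meter B: rejects disguised common words, then estimates size."""
    lowered = pw.lower()
    stripped = lowered.rstrip(string.digits + string.punctuation)
    if {lowered.translate(LEET), stripped.translate(LEET)} & COMMON_WORDS:
        return "weak"
    lower, upper, digit, punct = char_classes(pw)
    pool = 26 * lower + 26 * upper + 10 * digit + 32 * punct
    bits = len(pw) * math.log2(pool) if pool else 0.0  # crude upper bound
    return "strong" if bits >= 60 else "medium" if bits >= 40 else "weak"


def disagreements(passwords):
    """List (password, meter A verdict, meter B verdict) where the meters differ."""
    rated = [(pw, composition_meter(pw), dictionary_meter(pw)) for pw in passwords]
    return [row for row in rated if row[1] != row[2]]


if __name__ == "__main__":
    for pw, a, b in disagreements(SAMPLES):
        print(f"{pw!r}: composition={a}, dictionary={b}")
```

The two meters disagree in both directions: the composition meter gives a green light to a disguised dictionary word and rejects a long all-lowercase passphrase.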
Do Websites Have Your Best Interests at Heart?
While we can’t always trust those password meters, we at least assume that our favorite sites have our best interests at heart, right? Yet, as Amazon recently showed, that’s not always the case.
When a company is breached, the logical reaction is to improve security. Twitch, the Amazon-owned game streaming company, was attacked last March. (For those not familiar, Twitch is the fourth largest site on the Internet in terms of peak traffic behind Netflix, Apple and Google.) Hackers managed to access various kinds of user data, including credit card information and addresses – all information that would help a hacker steal someone’s identity.
In response, Twitch initially made users change their passwords to align with new site restrictions, which included a 20-character minimum. However, after customers began complaining en masse across social networks, the company caved and reduced the minimum password length to eight characters. As Twitch customer Corbin Ellis told the company on their Facebook page, “If users want to use bad passwords, that’s their problem, not yours.”
Ellis is right – it clearly is our problem. We can’t trust password strength meters, and it looks like we can’t even trust popular sites to mandate bare-minimum security practices when doing so goes against user demands. It’s up to us to educate ourselves and take security into our own hands.
To learn more about good password habits, check out Password Boss’ password generator feature.