
I don’t use my gmail account, but I wanted to post something to groups.google and forgot my password. I always put junk in the security question and therefore was sent an email to my “secondary account” with a link to reset the password. All standard stuff.
I entered the desired password and the “password strength” bar told me how “strong” it was. Nice concept that could help some… if it worked, that is. The password “saardrimer” (for an email account saardrimer@gmail.com, mind you) got a “strong” rating, as in the image above. “12345678” got “weak”, “jerusalem” got “fair” and “walkinthepark” got “strong” again. I could go on checking more, but I really need some sleep. A few easy guesses and a dictionary attack would crack a “strong” one with no trouble, making this feature (as-is) pretty much useless as an indicator of password strength.
In the link explaining how to choose a good password, Google explains:
Things to avoid:
* Don’t use a password that is listed as an example of how to pick a good password.
* Don’t use a password that contains personal information (name, birth date, etc.)
* Don’t use words or acronyms that can be found in a dictionary.
* Don’t use keyboard patterns (asdf) or sequential numbers (1234).
* Don’t make your password all numbers, uppercase letters or lowercase letters.
* Don’t use repeating characters (aa11).
(emphasis mine)
They don’t even follow their own rules.
Not a big deal, really; they still have to work on their simplistic checking algorithm. Somehow, I expected more from Google, though.
I’m just concerned about giving people a false sense of security when they don’t know better. In these cases, I would usually rather they put nothing at all than something weak like this.
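As an added illustration of the rules quoted above, here is a small checker that applies each of them mechanically. This is example code written for this post, not Google’s meter or its algorithm; it assumes a constructed sample word list in place of a real dictionary, a hypothetical three-level mapping (any violation is “weak”, anything else is “fair” or “strong” by length), and it treats the local part of the account address as personal information. Run against the passwords discussed above, all four come out “weak”.

```python
import re
from typing import List, Sequence

# Constructed sample dictionary; a real checker would load a large word list.
SAMPLE_DICTIONARY = {
    "jerusalem", "walk", "park", "password", "letmein", "dragon", "monkey",
    "welcome", "google", "gmail", "qwerty",
}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
DIGITS = "0123456789"
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
MIN_PATTERN_LEN = 4  # shortest run treated as a pattern (asdf, 1234)


def _sequential_runs(text: str) -> bool:
    """True if the text contains a run of MIN_PATTERN_LEN characters taken
    from a keyboard row, the digits or the alphabet, forwards or backwards."""
    low = text.lower()
    for seq in KEYBOARD_ROWS + [DIGITS, ALPHABET]:
        for s in (seq, seq[::-1]):
            for i in range(len(s) - MIN_PATTERN_LEN + 1):
                if s[i:i + MIN_PATTERN_LEN] in low:
                    return True
    return False


def _personal_tokens(account: str, extra: Sequence[str]) -> List[str]:
    """Turn an address like 'jane.doe@example.com' plus any extra personal
    strings (name, birth year) into lowercase tokens the password must avoid."""
    local = account.split("@")[0].lower()
    tokens = {local} | {t for t in re.split(r"[._\-+]", local) if len(t) >= 3}
    tokens |= {e.lower() for e in extra if len(e) >= 3}
    return sorted(tokens)


def check_password(password: str, account: str,
                   personal: Sequence[str] = ()) -> List[str]:
    """Return the list of quoted rules the password breaks.
    An empty list means none of the listed mistakes were found; it does not
    by itself mean the password is strong."""
    problems = []
    low = password.lower()

    # "Don't use a password that contains personal information"
    for token in _personal_tokens(account, personal):
        if token in low:
            problems.append(f"contains personal information ({token!r})")
            break

    # "Don't use words ... that can be found in a dictionary" (substring match)
    hits = sorted(w for w in SAMPLE_DICTIONARY if len(w) >= 4 and w in low)
    if hits:
        problems.append(f"contains dictionary word(s) {hits}")

    # "Don't use keyboard patterns (asdf) or sequential numbers (1234)"
    if _sequential_runs(password):
        problems.append("contains a keyboard pattern or sequential run")

    # "Don't make your password all numbers, uppercase letters or lowercase letters"
    if (password.isdigit()
            or (password.isalpha() and password.isupper())
            or (password.isalpha() and password.islower())):
        problems.append("uses a single character class")

    # "Don't use repeating characters (aa11)"
    if re.search(r"(.)\1", password):
        problems.append("contains repeated characters")

    return problems


def rate(password: str, account: str, personal: Sequence[str] = ()) -> str:
    """Hypothetical mapping onto the meter's three labels: any broken rule is
    'weak'; otherwise 'fair' below 12 characters and 'strong' from 12 up."""
    if check_password(password, account, personal):
        return "weak"
    return "fair" if len(password) < 12 else "strong"


if __name__ == "__main__":
    account = "saardrimer@gmail.com"
    for pw in ("saardrimer", "12345678", "jerusalem", "walkinthepark"):
        print(f"{pw!r}: {rate(pw, account)} {check_password(pw, account)}")
```

The dictionary test is a substring match on purpose: “walkinthepark” passes a whole-word lookup but still contains “walk” and “park”, which is exactly the kind of password a cracker’s wordlist combinator will reach. A meter built this way reports why a password was rejected, which is more useful to the user than a colour bar alone.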
4 Comments for Gmail password strength check
Emergent Chaos | November 28, 2005 at 15:46
Simon | March 21, 2007 at 04:29
> In these cases, I usually rather they put nothing at all than something weak like this.
I totally disagree.
Something that goes some way towards guiding users towards using secure passwords is better than nothing?
It might not guide all users to a more secure password, but if it guides some proportion of users to a more secure password, that is a Good Thing.
Jetman | August 30, 2007 at 19:48
Hi, men!
I found another two password strength checkers. Their algorithms are based on a word dictionary. Try one at microsoft.com – http://www.microsoft.com/protect/yourself/password/checker.mspx and one at itsimpl.com – http://www.itsimpl.com
Jetman.


Don’t Tell People What Not To Do!…
It’s rare to see a substantial usability mistake at Google, and so this jumped out at me. Saar Drimer has a post on the new “Gmail password strength check,” in which he quotes Google’s password advice: Don’t use a password……