I don’t use my gmail account, but I wanted to post something to groups.google and forgot my password. I always put junk in the security question and therefore was sent an email to my “secondary account” with a link to reset the password. All standard stuff.
I entered the desired password and the “password strength” bar told me how “strong” it was. Nice concept that could help some… if it worked, that is. The password “saardrimer” (for an email account firstname.lastname@example.org, mind you) got a “strong” rating as in the image above. “12345678” got “weak”, “jerusalem” got “fair” and “walkinthepark” got “strong” again. I could go on checking more, but I really need some sleep. Some easy guesses and a dictionary attack would easily crack a “strong” one making this feature (as-is) pretty much useless as an indicator for password strength.
In the link explaining how to choose a good password, google explains:
Things to avoid:
* Don’t use a password that is listed as an example of how to pick a good password.
* Don’t use a password that contains personal information (name, birth date, etc.)
* Don’t use words or acronyms that can be found in a dictionary.
* Don’t use keyboard patterns (asdf) or sequential numbers (1234).
* Don’t make your password all numbers, uppercase letters or lowercase letters.
* Don’t use repeating characters (aa11).
They don’t even follow their own rules.
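As an added example (not code from the original post, and not Google's own meter), here is a length-driven scorer that happens to reproduce the four ratings reported above, next to a checker that applies the quoted "things to avoid" rules. The scoring formula of the naive meter is an assumed model of a length-only meter, not the real algorithm; the word list and the personal-information tokens (the account holder's first and last name) are constructed stand-ins.

```python
import re

# Constructed stand-in for a cracking wordlist; real ones hold millions of entries.
WORDLIST = {"saar", "drimer", "jerusalem", "walk", "in", "the", "park",
            "password", "letmein", "welcome", "dragon", "monkey"}

# Letter rows of a US keyboard, used to spot runs such as "asdf" or "qwer".
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]


def naive_meter(pw):
    """Assumed model of a length-driven meter: length plus a small bonus per
    extra character class. It knows nothing about words, so any dictionary
    entry of ten or more letters comes out "strong"."""
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    score = len(pw) + 2 * (classes - 1)
    if score < 9:
        return "weak"
    if score < 10:
        return "fair"
    return "strong"


def segments_into_words(pw, words=WORDLIST):
    """True if the whole (lowercased) password splits into wordlist entries,
    so "walkinthepark" is caught as walk+in+the+park."""
    s = pw.lower()
    reachable = [True] + [False] * len(s)
    for end in range(1, len(s) + 1):
        reachable[end] = any(reachable[start] and s[start:end] in words
                             for start in range(end))
    return reachable[len(s)]


def has_keyboard_run(pw, run=4):
    """Any run of `run` characters that reads along a keyboard row, either way."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(s) - run + 1):
            chunk = s[i:i + run]
            if chunk in row or chunk in row[::-1]:
                return True
    return False


def has_digit_sequence(pw, run=4):
    """Any window of `run` digits stepping by +1 or -1 ("1234", "9876")."""
    for m in re.finditer(r"\d{%d,}" % run, pw):
        d = [int(c) for c in m.group()]
        for i in range(len(d) - run + 1):
            steps = {b - a for a, b in zip(d[i:i + run], d[i + 1:i + run])}
            if steps in ({1}, {-1}):
                return True
    return False


def single_class(pw):
    """All digits, all lowercase letters or all uppercase letters."""
    return pw.isdigit() or (pw.isalpha() and (pw.islower() or pw.isupper()))


def has_repeat(pw):
    """Immediately repeated character, as in the quoted "aa11" example."""
    return re.search(r"(.)\1", pw) is not None


def rule_check(pw, personal=()):
    """Apply the quoted rules. Returns (rating, list of violated rules).
    Any violation is "weak"; otherwise length alone separates fair from strong."""
    low = pw.lower()
    violations = []
    if any(p.lower() in low for p in personal if p):
        violations.append("personal information")
    if segments_into_words(pw):
        violations.append("dictionary words")
    if has_keyboard_run(pw):
        violations.append("keyboard pattern")
    if has_digit_sequence(pw):
        violations.append("sequential numbers")
    if single_class(pw):
        violations.append("single character class")
    if has_repeat(pw):
        violations.append("repeated characters")
    if violations:
        return "weak", violations
    return ("strong" if len(pw) >= 12 else "fair"), violations


if __name__ == "__main__":
    # The four passwords from the post plus one that passes every rule.
    for pw in ["12345678", "jerusalem", "saardrimer", "walkinthepark",
               "7Kq!mZ2#vPw9Lx"]:
        rating, why = rule_check(pw, personal=("Saar", "Drimer"))
        print(f"{pw:16} naive={naive_meter(pw):6} rules={rating:6} {', '.join(why)}")
```

The point of placing the two side by side: the naive meter rates "saardrimer" and "walkinthepark" strong, while the rule checker rejects both as dictionary words (and the former as personal information as well). A meter that does not at least consult a wordlist cannot tell a passphrase from a password that a dictionary attack tries in its first pass.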
Not a big deal, really; they still have to work on their simplistic checking algorithm. Somehow, I expected more from google, though.
I’m just concerned about giving people a false sense of security when they don’t know better. In these cases, I would usually rather they put nothing at all than something weak like this.