{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,3,12]],"date-time":"2026-03-12T15:24:43Z","timestamp":1773329083569,"version":"3.50.1"},"reference-count":41,"publisher":"Association for Computing Machinery (ACM)","issue":"1","license":[{"start":{"date-parts":[[2015,5,27]],"date-time":"2015-05-27T00:00:00Z","timestamp":1432684800000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.acm.org\/publications\/policies\/copyright_policy#Background"}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Inf. Syst. Secur."],"published-print":{"date-parts":[[2015,6,9]]},"abstract":"<jats:p>\n            Passwords are ubiquitous in our daily digital lives. They protect various types of assets ranging from a simple account on an online newspaper website to our health information on government websites. However, due to the inherent value they protect, attackers have developed insights into cracking\/guessing passwords both offline and online. In many cases, users are forced to choose stronger passwords to comply with password policies; such policies are known to alienate users and do not significantly improve password quality. Another solution is to put in place proactive password-strength meters\/checkers to give feedback to users while they create new passwords. Millions of users are now exposed to these meters on highly popular web services that use user-chosen passwords for authentication. More recently, these meters are also being built into popular password managers, which protect several user secrets including passwords. Recent studies have found evidence that some meters actually guide users to choose better passwords\u2014which is a rare bit of good news in password research. However, these meters are mostly based on ad hoc design. 
At least, as we found, most vendors do not provide any explanation for their design choices, sometimes making them appear as a black box. We analyze password meters deployed in selected popular websites and password managers. We document obfuscated source-available meters, infer the algorithm behind the closed-source ones, and measure the strength labels assigned to common passwords from several password dictionaries. From this empirical analysis with millions of passwords, we shed light on how the server end of some web service meters functions and provide examples of highly inconsistent strength outcomes for the same password in different meters, along with examples of many weak passwords being labeled as\n            <jats:italic>strong<\/jats:italic>\n            or even\n            <jats:italic>excellent<\/jats:italic>\n            . These weaknesses and inconsistencies may confuse users in choosing a stronger password, and thus may weaken the purpose of these meters. On the other hand, we believe these findings may help improve existing meters and possibly make them an effective tool in the long run.\n          <\/jats:p>","DOI":"10.1145\/2739044","type":"journal-article","created":{"date-parts":[[2015,6,2]],"date-time":"2015-06-02T15:13:25Z","timestamp":1433258005000},"page":"1-32","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":50,"title":["A Large-Scale Evaluation of High-Impact Password Strength Meters"],"prefix":"10.1145","volume":"18","author":[{"given":"Xavier De Carn\u00e9 De","family":"Carnavalet","sequence":"first","affiliation":[{"name":"Concordia University"}]},{"given":"Mohammad","family":"Mannan","sequence":"additional","affiliation":[{"name":"Concordia University"}]}],"member":"320","published-online":{"date-parts":[[2015,5,27]]},"reference":[{"key":"e_1_2_1_1_1","unstructured":"ArsTechnica.com. 2013. How the Bible and YouTube Are Fueling the Next Frontier of Password Cracking. 
Retrieved from http:\/\/arstechnica.com\/security\/2013\/10\/how-the-bible-and-youtube-are-fueling-the-next-frontier-of-password-cracking\/."},{"key":"e_1_2_1_2_1","doi-asserted-by":"crossref","unstructured":"Adam Barth. 2011. The Web Origin Concept. RFC 6454. Retrieved from http:\/\/www.ietf.org\/rfc\/rfc6454.txt.","DOI":"10.17487\/rfc6454"},{"key":"e_1_2_1_3_1","doi-asserted-by":"publisher","DOI":"10.1145\/290163.290164"},{"key":"e_1_2_1_4_1","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(95)00003-Q"},{"key":"e_1_2_1_5_1","doi-asserted-by":"publisher","DOI":"10.1016\/S0164-1212(03)00004-9"},{"key":"e_1_2_1_6_1","volume-title":"Web 2.0 Security &","author":"Bonneau Joseph"},{"key":"e_1_2_1_7_1","volume-title":"Perfect Password: Selection, Protection, Authentication. Syngress","author":"Burnett Mark","year":"2005"},{"key":"e_1_2_1_8_1","unstructured":"Mark Burnett. 2011. 10 000 Top Passwords. Retrieved from https:\/\/xato.net\/passwords\/more-top-worst-passwords\/."},{"key":"e_1_2_1_9_1","first-page":"800","article-title":"Electronic Authentication Guidelines","author":"Burr William E.","year":"2006","journal-title":"NIST Special Publication"},{"key":"e_1_2_1_10_1","volume-title":"A Large-Scale Evaluation of High-impact Strength Meters. 
Master\u2019s thesis","author":"Carn\u00e9 de Carnavalet Xavier"},{"key":"e_1_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23268"},{"key":"e_1_2_1_12_1","volume-title":"Network and Distributed System Security Symposium (NDSS\u201912)","author":"Castelluccia Claude","year":"2012"},{"key":"e_1_2_1_13_1","unstructured":"CSO Online. 2014. After Celeb Hack Apple Patches Password Guessing Weakness in iCloud. Retrieved from http:\/\/www.cso.com.au\/article\/553965\/after_celeb_hack_apple_patches_password_guessing_weakness_icloud\/."},{"key":"e_1_2_1_14_1","volume-title":"National Computer Security Conference","author":"Davies Chris","year":"1993"},{"key":"e_1_2_1_15_1","doi-asserted-by":"publisher","DOI":"10.1145\/2470654.2481329"},{"key":"e_1_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837110.1837124"},{"key":"e_1_2_1_17_1","volume-title":"Do strong web passwords accomplish anything?","author":"Flor\u00eancio Dinei"},{"key":"e_1_2_1_18_1","unstructured":"Dinei Flor\u00eancio Cormac Herley and P. van Oorschot. 2014. An administrator\u2019s guide to internet password research. In USENIX LISA."},{"key":"e_1_2_1_19_1","volume-title":"Assessing password guidance and enforcement on leading websites. Computer Fraud &","author":"Furnell Steven","year":"2011"},{"key":"e_1_2_1_20_1","volume-title":"A State-of-the-Art Password Strength Analysis Demonstrator. 
Master\u2019s thesis","author":"Heijningen Nico Van"},{"key":"e_1_2_1_21_1","volume-title":"A research agenda acknowledging the persistence of passwords","author":"Herley Cormac","year":"2012"},{"key":"e_1_2_1_22_1","doi-asserted-by":"publisher","DOI":"10.1145\/2420950.2420966"},{"key":"e_1_2_1_23_1","unstructured":"Immunity Inc. 2014. Immunity Debugger. Retrieved from https:\/\/www.immunityinc.com\/products-immdbg.shtml."},{"key":"e_1_2_1_24_1","doi-asserted-by":"publisher","DOI":"10.1145\/1978942.1979321"},{"key":"e_1_2_1_25_1","unstructured":"LifeHacker.com. 2008. Five Best Password Managers. Retrieved from http:\/\/lifehacker.com\/5042616\/five-best-password-managers."},{"key":"e_1_2_1_26_1","doi-asserted-by":"publisher","DOI":"10.1145\/359168.359172"},{"key":"e_1_2_1_27_1","doi-asserted-by":"publisher","DOI":"10.1145\/1102120.1102168"},{"key":"e_1_2_1_28_1","unstructured":"OpenWall.com. 2014. John the Ripper Password Cracker. Retrieved from http:\/\/www.openwall.com\/john."},{"key":"e_1_2_1_29_1","unstructured":"Oxid.it. 2014. Cain & Abel. Retrieved from http:\/\/www.oxid.it\/cain.html."},{"key":"e_1_2_1_30_1","unstructured":"PCMag.com. 2014. The Best Password Managers. 
Retrieved from http:\/\/www.pcmag.com\/article2\/0 2817 2407168 00.asp."},{"key":"e_1_2_1_31_1","volume-title":"USENIX Workshop on Hot Topics in Security (HotSec\u201910)","author":"Schechter Stuart","year":"2010"},{"key":"e_1_2_1_32_1","doi-asserted-by":"publisher","DOI":"10.1145\/1837110.1837113"},{"key":"e_1_2_1_33_1","unstructured":"Sophos.com. 2009. Passwords Used by the Conficker Worm. Retrieved from http:\/\/nakedsecurity.sophos.com\/2009\/01\/16\/passwords-conficker-worm\/."},{"key":"e_1_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1016\/0167-4048(92)90207-8"},{"key":"e_1_2_1_35_1","unstructured":"TheNextWeb.com. 2014. This Could Be the iCloud Flaw That Led to Celebrity Photos Being Leaked. Retrieved from http:\/\/thenextweb.com\/apple\/2014\/09\/01\/this-could-be-the-apple-icloud-flaw-that-led-to-celebrity-photos-being-leaked\/."},{"key":"e_1_2_1_36_1","volume-title":"USENIX Security Symposium.","author":"Ur Blase","year":"2012"},{"key":"e_1_2_1_37_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2014.23103"},{"key":"e_1_2_1_39_1","doi-asserted-by":"publisher","DOI":"10.1145\/1866307.1866327"},{"key":"e_1_2_1_40_1","unstructured":"Dan Wheeler. 2012. zxcvbn: Realistic Password Strength Estimation. Retrieved from https:\/\/tech.dropbox.com\/2012\/04\/zxcvbn-realistic-password-strength-estimation\/."},{"key":"e_1_2_1_41_1","volume-title":"Cross-Origin Resource Sharing. 
(29","author":"World Wide Web Consortium (W3C). 2013.","year":"2013"},{"key":"e_1_2_1_42_1","unstructured":"ZDNet.com. 2012. 6.46 Million LinkedIn Passwords Leaked Online. Retrieved from http:\/\/www.zdnet.com\/blog\/btl\/6-46-million-linkedin-passwords-leaked-online\/79290."}],"container-title":["ACM Transactions on Information and System Security"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2739044","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"},{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/2739044","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T06:16:23Z","timestamp":1750227383000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/2739044"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2015,5,27]]},"references-count":41,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2015,6,9]]}},"alternative-id":["10.1145\/2739044"],"URL":"https:\/\/doi.org\/10.1145\/2739044","relation":{},"ISSN":["1094-9224","1557-7406"],"issn-type":[{"value":"1094-9224","type":"print"},{"value":"1557-7406","type":"electronic"}],"subject":[],"published":{"date-parts":[[2015,5,27]]},"assertion":[{"value":"2014-05-01","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-02-01","order":1,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2015-05-27","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}