A research paper from the University of California at Berkeley, the University of British Columbia and Microsoft studied the effectiveness of a password meter that shows users how strong their chosen password is compared with those of other users of the same website. When sensitive data was at stake, the presence of a meter led users to choose stronger passwords; without a meter, they more often reused old passwords or chose weaker, easier-to-remember ones.
The researchers also carried out the same study for “unimportant accounts” not linked to sensitive data, and found that the meter had no impact on password choices.
“We conclude that meters result in stronger passwords when users are forced to change existing passwords on important accounts and that individual meter design decisions likely have a marginal impact,” the team wrote.
The team added, “We believe that effects stemming from participants’ perceptions about the unimportance of the website outweighed any effects relating to the meters or their choice to reuse existing passwords; when passwords were reused, weaker existing passwords were employed.”
Overall, the study shows that password creation behavior depends heavily on context.
For example, “one of our findings is that password meters do not yield much improvement in helping users choose passwords for unimportant accounts, yet they are very commonly deployed in such contexts,” the team said. “Equally, where meters make a difference – password changes for important accounts – they are less often seen. Thus, practice at real sites appears to be very far from what our results dictate. This indicates a real opportunity for improvement.”
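The comparative meter described at the top of the article, and the deployment advice in the closing quote (show it where it matters, and watch for reuse of an existing password on a forced change), can be sketched in a few dozen lines. The code below is an added illustration, not the researchers' instrument or any site's real implementation: the scoring function is a deliberately crude bits-of-entropy estimate, the common-password list and the other users' passwords are constructed sample data, and `_fingerprint` stands in for whatever slow password hash a real site already stores.

```python
import bisect
import hashlib
import math
from typing import List, Optional

# Constructed stand-in for a breached/common-password list (not a real list).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "admin"}

# Constructed sample of other users' passwords, used only to build the
# comparison population; a site would keep only the pre-computed scores.
SAMPLE_USER_PASSWORDS = [
    "123456", "password", "sunshine1", "Summer2019", "abcdefgh",
    "correct horse", "Xk9#mP2v", "qwerty", "ilovemydog", "P@ssw0rd!",
]


def strength_score(password: str) -> float:
    """Crude guessing-difficulty estimate in bits.

    Assumption: the alphabet size is the sum of the character classes used,
    and anything on the common-password list scores zero regardless of length.
    Production meters use far better estimators; the ranking logic is the point.
    """
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def build_population(passwords: List[str]) -> List[float]:
    """Sorted strength scores of other users' passwords."""
    return sorted(strength_score(p) for p in passwords)


def percentile_rank(score: float, population: List[float]) -> int:
    """Percentage of other users whose password scores strictly below `score`."""
    if not population:
        return 0
    below = bisect.bisect_left(population, score)
    return round(100 * below / len(population))


def _fingerprint(password: str) -> str:
    # Placeholder for comparing against stored credential hashes; a real
    # deployment would reuse its existing slow password hash and verifier.
    return hashlib.sha256(password.encode()).hexdigest()


def render_meter(password: str, population: List[float], account_is_important: bool,
                 previous_fingerprints: Optional[set] = None) -> Optional[str]:
    """Return the meter text to show, or None when the meter is suppressed.

    Following the study's finding, the comparative meter is shown only for
    important accounts, and reuse of a previous password is called out
    explicitly because the study saw weaker existing passwords being reused.
    """
    if not account_is_important:
        return None
    if previous_fingerprints and _fingerprint(password) in previous_fingerprints:
        return "This matches a password you already used here; choose a new one."
    pct = percentile_rank(strength_score(password), population)
    label = "strong" if pct >= 75 else "fair" if pct >= 40 else "weak"
    return f"{label}: stronger than {pct}% of this site's users"


if __name__ == "__main__":
    pop = build_population(SAMPLE_USER_PASSWORDS)
    old = {_fingerprint("Summer2019")}  # constructed: the user's current password
    for pw in ["password", "abcdefgh", "Tr0ub4dor&3", "Summer2019"]:
        print(pw, "->", render_meter(pw, pop, True, old))
    print("unimportant account ->", render_meter("Tr0ub4dor&3", pop, False))
```

The percentile is computed against stored scores rather than against other users' passwords, so the comparison never needs plaintext credentials at rendering time; the only per-user secret touched is the caller's own previous-password hash, for the reuse check.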