Over the last few months, I’ve seen a password strength meter on almost every signup form I’ve encountered. Password strength meters are on fire.
Here’s a question: does a meter actually help people secure their accounts? A meter matters less than other areas of web security, a short sample of which includes:
- Preventing online cracking with throttling or CAPTCHAs.
- Preventing offline cracking by selecting a suitably slow hash function with user-unique salts.
- Securing said password hashes.
With that disclaimer — yes. I’m convinced these meters have the potential to help.