A study from Concordia University has shown that the password strength meters we sometimes rely on to judge how good our passwords are aren't really that good themselves: the same password was rated very differently for strength on different sites. Now I've seen this, where I use one of my "throw-away" passwords that has a basic complexity (hits 3 of 4 categories) and some sites show it as weak, others as strong.
This really shouldn't be news to anyone who uses a lot of different sites, but it is interesting to see it actually measured rather than just reported anecdotally. The reason the meters disagree is that most of them only count character classes (upper, lower, digit, symbol) and length, while a few estimate how many guesses an attacker would actually need, taking dictionary words, leetspeak substitutions and common suffixes into account. It is nice to see Dropbox showing the way with a good meter of the second kind (zxcvbn) that is open source, so the whole community can take advantage of their work.
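To make the disagreement concrete, here is an added example (not code from the original post, and not Dropbox's zxcvbn) that scores the same password with two toy meters: a naive character-class meter like many sites use, and a small pattern-aware estimator that undoes leetspeak and looks for a dictionary word plus suffix before falling back to a brute-force estimate. The word list, leet map and the bit thresholds are assumptions constructed for the example; real meters use far larger ranked lists.

```python
import math
import re

# Constructed mini-wordlist standing in for the ranked lists real meters use.
# Position in the list is treated as the attacker's guess rank (assumption).
COMMON_WORDS = ["password", "qwerty", "welcome", "dragon", "monkey", "letmein", "summer"]

# Leetspeak substitutions a cracking ruleset would try and undo (assumption).
LEET = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i", "0": "o", "$": "s", "5": "s", "7": "t"}

CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]"]


def category_meter(pw: str) -> str:
    """Naive 'LUDS' meter: rate by length and number of character classes hit."""
    hits = sum(1 for c in CLASSES if re.search(c, pw))
    if len(pw) < 8 or hits <= 1:
        return "weak"
    return {2: "fair", 3: "good", 4: "strong"}[hits]


def charset_size(s: str) -> int:
    """Alphabet size a brute-force attacker must cover for the classes present."""
    sizes = [26, 26, 10, 33]
    return sum(n for c, n in zip(CLASSES, sizes) if re.search(c, s))


def guess_bits(pw: str) -> float:
    """Estimate log2(guesses) the way pattern-aware meters do: undo leetspeak,
    look for a wordlist entry with a suffix, otherwise assume brute force."""
    if not pw:
        return 0.0
    norm = "".join(LEET.get(ch, ch) for ch in pw.lower())
    for rank, word in enumerate(COMMON_WORDS, start=1):
        if norm.startswith(word):
            head, suffix = pw[: len(word)], pw[len(word):]
            leet_subs = sum(1 for ch in head if ch in LEET)
            guesses = rank                              # wordlist position
            guesses *= 2 ** min(leet_subs, 4)           # leet variants tried
            guesses *= 2 if head[0].isupper() else 1    # capitalised-first rule
            if suffix:                                  # "append anything" rule
                guesses *= charset_size(suffix) ** len(suffix)
            return math.log2(guesses)
    # No pattern found: every character costs a full alphabet of guesses.
    return len(pw) * math.log2(charset_size(pw))


def pattern_meter(pw: str) -> str:
    """Rate by estimated guesses. Thresholds are this example's assumption."""
    bits = guess_bits(pw)
    if bits < 28:
        return "weak"
    if bits < 40:
        return "fair"
    if bits < 60:
        return "good"
    return "strong"


def compare(pw: str) -> dict:
    """Score one password with both meters so the disagreement is visible."""
    return {
        "category": category_meter(pw),
        "pattern": pattern_meter(pw),
        "bits": round(guess_bits(pw), 1),
    }


if __name__ == "__main__":
    # Constructed sample passwords: a leetspeak dictionary word hitting all four
    # classes, a long lowercase passphrase, and a random mixed-class string.
    for pw in ["P@ssw0rd1", "correcthorsebatterystaple", "xk7#Qm2pL9"]:
        print(f"{pw:28s} {compare(pw)}")
```

"P@ssw0rd1" hits all four classes and the category meter calls it strong, while the pattern meter sees "password" with two leet substitutions, a capital and a one-digit suffix, only a handful of bits of work for a cracker. The lowercase passphrase goes the other way: one class, so "weak" by category, but well over 100 bits of brute force. Only the random string gets the same verdict from both, which is exactly the behaviour the Concordia study measured across sites.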
Of course the best way to avoid the problem is to stop relying on the password alone and move to 2FA, so that a weak or reused password is no longer enough on its own. Simple, easy-to-use 2FA needs to be adopted more widely among service providers on the Internet. That doesn't prevent you from setting up your own for internal use, such as a GreenRADIUS server (of course).