in Digital, Security, Technology, User Experience | Blog Posts


I recently completed an online form to set up an internet connection with iiNet. In the form there was a section prompting me to provide a password. As an experiment I tried “Password1!” – the on-screen password strength meter said that this was a weak password however it passed all of the password “rules”.

This is what their password section looks like – and the response I got when entering Password1!
iiNet's password policy lists requirements: * at least 9 characters, * mix of upper and lower case characters, * at least one number. With Password1! entered into the box it shows a strength meter with a rating "Poor"

This password follows all of their listed rules:

Your new password…

  • must be at least 9 characters
  • must contain a mix of upper and lower case characters
  • must contain at least one number (0-9)
  • must not be based on your username
  • must not contain spaces or tabs

Yet their own password meter rates it as “Poor”. However this password allows the user to proceed to the next page!

Following the example of the XKCD Password Strength comic I decided to test the password “correcthorsebatterystaple”. As XKCD’s Randall states – this password is both easy to remember and hard to crack. But what does some silly web comic know? Let’s see what iiNet’s own password strength meter has to say?
Password entered into box shows a strength meter with "Excellent" as the password strength

Lo and behold this is a stronger password. Why? Dictionaries are often used in a brute-force password attack. Even if we pick from only a pool of 4000 common words then there are 256 trillion combinations to try. On the other hand there are fewer numbers and symbols people usually insert into a password, and there are common parts of a word that people usually substitute these symbols in place of letters. This is because people are trying to make passwords that are easy to remember.

This is not necessarily a dig at iiNet (I still ended up subscribing) but a general comment on our attitude towards passwords. While we wait for someone to invent a superior alternative (and people are trying) we need to re-think our password security efforts. The 3 criteria of a good password:

  1. Hard to guess/crack
  2. Easy to remember
  3. Easy to type on the device the user is likely to need it on

Perhaps we should make sure that people simple have strong passwords, regardless of how they arrived at that strength.

Have you got a comment, criticism or suggestion? Contact Rick on or