On the Account Security Risks Posed by Password Strength Meters

📅 2025-05-13
📈 Citations: 0
Influential: 0
🤖 AI Summary
Password strength meters (PSMs) enhance password security but inadvertently introduce serious privacy and account-security risks: data-driven PSMs suffer from membership inference attacks due to training-data leakage, while rule-based PSMs expose rejected password lists, enabling meter-aware account enumeration.

Method: The authors propose the first systematic framework for evaluating PSM privacy leakage, integrating membership inference, PCFG/Markov/neural password modeling, and empirical evaluation using zxcvbn. They assess 11 widely deployed PSMs.

Contribution/Results: Five data-driven and three rule-based PSMs exhibit significant password leakage; PCFG models leak up to 10⁵ training passwords; attacks against zxcvbn increase account compromise rates by 5.84% within 10 attempts. The study redefines the utility–privacy trade-off boundary for PSMs, providing both theoretical foundations and practical design guidelines for secure PSM development.

📝 Abstract
Password strength meters (PSMs) have been widely used by websites to gauge password strength, encouraging users to create stronger passwords. Popular data-driven PSMs, e.g., those based on Markov models, Probabilistic Context-free Grammars (PCFG) and neural networks, assess strength using a model learned from real passwords. Despite their proven effectiveness, the security risk that arises from the leakage of trained passwords remains largely overlooked. To address this gap, we analyze 11 PSMs and find that 5 data-driven meters are vulnerable to membership inference attacks that expose their trained passwords, and, more seriously, that 3 rule-based meters openly disclose their blocked passwords. We specifically design a PSM privacy leakage evaluation approach, and uncover that a series of general data-driven meters are vulnerable to leaking between 10^4 and 10^5 trained passwords, with the PCFG-based models being more vulnerable than their counterparts; furthermore, we derive the insight that the inherent utility-privacy tradeoff is not as severe as previously thought. To further explore the risks, we develop novel meter-aware attacks in which a clever attacker filters out the meter's used passwords while attempting to compromise accounts on websites that deploy the meter, and experimentally show that attackers targeting websites that deploy the popular Zxcvbn meter can compromise an additional 5.84% of user accounts within 10 attempts, demonstrating the urgent need for privacy-preserving PSMs that protect the confidentiality of the meter's used passwords. Finally, we sketch some countermeasures to mitigate these threats.
Problem

Research questions and friction points this paper is trying to address.

Analyzing security risks of password strength meters leaking trained passwords
Evaluating vulnerability of data-driven meters to membership inference attacks
Demonstrating urgent need for privacy-preserving password strength meters
Innovation

Methods, ideas, or system contributions that make the work stand out.

Analyzes 11 PSMs for membership inference vulnerabilities
Designs PSM privacy leakage evaluation approach
Develops novel meter-aware attacks exploiting PSM weaknesses
Authors

Ming Xu, Fudan University, National University of Singapore
Weili Han, Fudan University (Systems Security, Data Security, Access Control, Password Security, AI Security)
Jitao Yu, Fudan University
Jing Liu, UC Irvine
Xinyi Zhang, Meta
Yun Lin, Shanghai Jiao Tong University
Jin Song Dong, Professor of Computer Science, National University of Singapore (Formal Methods, Trusted AI, Safe AI, Model Checking, Sports Analytics)