You’re setting up a new online account and need to create a new password, so you think of a word you can remember, capitalize the first letter, add some digits, and end with an exclamation point. The password is 12 characters long and includes numerals, symbols, and upper- and lowercase letters. It’s probably a strong password, right?
Current research suggests that some steps people use to strengthen passwords actually make them more vulnerable to attackers, and that it’s time to rethink the standard advice about passwords and consider new approaches to security awareness training.
With that in mind, we explore the crossroads of science and password policies, usability and security education, and share three tips for creating stronger passwords.
Nearly 3% of people have used “123456” as their password, according to SplashData, and many more are just as careless. But even those who are conscientious about cybersecurity may unwittingly make their passwords easier to break.
What might seem like good password advice isn’t necessarily scientific, according to a recent article by a group of password researchers from Carnegie Mellon University (CMU). According to the coauthors of “Choose Better Passwords with the Help of Science,” some commonly held beliefs about what makes a strong password—such as adding numerals to the end—are simply inaccurate. A weak password may technically comply with password-composition policies, giving users a false sense of security.
Many people create passwords that are relatively simple to guess, and capitalizing the first letter of a dictionary word wouldn’t do much to slow down a human attacker. But human attackers aren’t the real threat—computers are. Scrambled passwords require many guesses to crack, but a computer program can make millions or billions of guesses in a few hours.
The article cautions, “All this computing power being applied to cracking passwords means users need to go beyond choosing passwords that are hard for a human to guess: Passwords need to be difficult for a computer to figure out.”
More than 50,000 people participated in the CMU researchers’ online password experiments, which asked individuals to create passwords according to commonly used policies, such as requiring a 12-character minimum length and mandating a mix of numbers, symbols, and letter cases. The research analyzed several factors, including password strength and the participants’ ability to recall the password a few days later.
Ultimately, the research showed that creating passwords of 12 characters or longer is more important than making passwords complicated. The researchers also found that users benefited from receiving immediate feedback on their password choices. This prompted them to create a password meter that uses an artificial neural network, which they claim to be a better mousetrap of sorts; the article indicates that many other online meters “provide inaccurate scores and sometimes questionable advice.”
Figure: A password meter provides an opportunity for advice that helps people improve their passwords. (Image: CyLab Usable Privacy and Security Laboratory, Carnegie Mellon University, CC BY-ND)
When it comes to changing behavior, there’s a big difference between simply telling end users how to create scientifically strong passwords and actually teaching them to create and use them. Even with effective security education on the topic, maintaining strong passwords presents a variety of obstacles to end users and InfoSec professionals. For one, many users may find complying with password policies and best practices simply too difficult or inconvenient.
To make strong passwords user-friendly and less burdensome, the CMU researchers suggest using a password manager, which can generate and store a different, scientifically strong password for each of your accounts.
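The two findings above, that a policy-compliant "Word + digits + symbol" password is far weaker than its character count suggests, and that a manager-generated random password is not, can be shown with a small strength estimator. The code below is an added example written for this post; it is not the CMU researchers' neural-network meter and not Wombat Security's code. The word list, breach list, symbol class, three case variants and the one-billion-guesses-per-second rate are all constructed assumptions for the demonstration, not values from the research.

```python
import math
import re
import secrets
import string

# Constructed stand-ins for a real wordlist and breach list (assumption for the demo).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "football"}
COMMON_PASSWORDS = {"123456", "password", "qwerty", "12345678"}
TRAILING_SYMBOLS = "!@#$%^&*.?"
CASE_VARIANTS = 3            # lower, Capitalised, UPPER (assumed attacker rule set)
GUESSES_PER_SECOND = 1e9     # hypothetical cracking rate, in the "billions" range the article cites

# "Word, optional digits, optional trailing symbol": the shape of the article's opening example.
WORD_DIGITS_SYMBOL = re.compile(r"^([A-Za-z]+)(\d*)([" + re.escape(TRAILING_SYMBOLS) + r"]?)$")


def naive_keyspace(password):
    """Guesses a composition policy implicitly assumes: (size of charset used) ** length."""
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(c in string.punctuation for c in password):
        charset += len(string.punctuation)
    return charset ** len(password)


def pattern_keyspace(password):
    """Guesses needed by an attacker who tries common passwords first, then dictionary
    words with case variants, appended digits and a trailing symbol. Falls back to
    the naive estimate when the password fits no modelled pattern."""
    if password.lower() in COMMON_PASSWORDS:
        return len(COMMON_PASSWORDS)
    match = WORD_DIGITS_SYMBOL.match(password)
    if match:
        word, digits, symbol = match.groups()
        if word.lower() in COMMON_WORDS:
            guesses = len(COMMON_WORDS) * CASE_VARIANTS
            guesses *= 10 ** len(digits)                       # every digit string of that length
            guesses *= len(TRAILING_SYMBOLS) if symbol else 1  # any symbol from the class
            return guesses
    return naive_keyspace(password)


def seconds_to_exhaust(keyspace, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace / rate


def strength_report(password):
    """Compare the policy-style view of a password with the pattern-aware view."""
    naive = naive_keyspace(password)
    modelled = pattern_keyspace(password)
    return {
        "length_ok": len(password) >= 12,            # the article's "12 or longer" finding
        "naive_bits": math.log2(naive) if naive else 0.0,
        "modelled_bits": math.log2(modelled),
        "seconds_to_exhaust": seconds_to_exhaust(modelled),
    }


def generate_password(length=16):
    """What a password manager does: a uniformly random string, so the pattern model
    buys the attacker nothing and the naive estimate is the honest one."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ["Football2018!", "123456", generate_password()]:
        print(pw, strength_report(pw))
```

"Football2018!" is 13 characters and mixes all four character classes, so `naive_keyspace` credits it with about 85 bits; `pattern_keyspace` reduces it to 1.8 million guesses, which the assumed rate exhausts in milliseconds. The generated 16-character password fits no pattern, so both estimates agree, which is the property a password manager is buying you.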
“Password managers are not a magic pill,” CMU researcher Lujo Bauer told Consumer Reports, “but for most users they’ll offer a much better combination of security and convenience than they have without them. Everyone should be using one.”
Again, it’s one thing to tell users about password managers, and another to educate them and guide them through the process of choosing, installing and using these tools.
For those who go it alone and create their own passwords, the researchers offer the following tips:
The researchers also strongly caution against password reuse and advise users to implement two-factor authentication on accounts when it’s available.
For access to additional security awareness best practices and advice, visit the Wombat Security blog.