Aaron Jentzen | October 13, 2017

Is Conventional Wisdom Weakening Your Passwords?

Password-Security-Stronger-PasswordsYou’re setting up a new online account and need to create a new password, so you think of a word you can remember, capitalize the first letter, add some digits and end with an exclamation point. The password is 12 characters long, and includes numerals, symbols, and upper- and lowercase letters. It’s probably a strong password, right?

New research suggests that some steps people use to strengthen passwords actually make them more vulnerable to attackers, and that its time to rethink the standard advice about passwords and consider new approaches to security awareness training.

With that in mind, we explore the crossroads of science and password policies, usability and security education, and share three tips for creating stronger passwords.

Why Conventional Wisdom Could Make Passwords Weaker

Nearly 3% of people have used “123456” as their password, according to SplashData, and many more are just as careless. But even those who are conscientious about cybersecurity may unwittingly make their passwords easier to break.

What might seem like good password advice isn’t necessarily scientific, according to a new article by a group of password researchers from Carnegie Mellon University (CMU). According to Wombat Security cofounder Lorrie Faith Cranor and the coauthors of “Choose Better Passwords with the Help of Science,” some commonly held beliefs about what makes a strong password — such as adding numerals to the end — are simply inaccurate. A weak password may technically comply with password-composition policies, giving users a false sense of security.

According to the article, many people create passwords that are relatively simple to guess, and capitalizing the first letter of a dictionary word wouldn’t do much to slow down a human attacker. But human attackers aren’t the real threat — computers are. Scrambled passwords require many guesses to crack, but a computer program can make millions or billions of guesses in a few hours.

The article cautions, “All this computing power being applied to cracking passwords means users need to go beyond choosing passwords that are hard for a human to guess: Passwords need to be difficult for a computer to figure out.”

A Scientific Approach to Password Security

More than 50,000 people participated the CMU researchers’ online password experiments, which asked individuals to create passwords according to commonly used policies like requiring a 12-character minimum length, and mandating a mix of numbers, symbols, and letter cases. The research analyzed several factors, including password strength and the participants’ ability to recall the password a few days later.  

Ultimately, the research showed that creating passwords of 12 characters or longer is more important than making passwords complicated. Cranor and her colleagues also found that users benefitted from receiving immediate feedback on their password choices. This prompted them to create a password meter that uses an artificial neural network, which they claim to be a better mousetrap of sorts; the article indicates that many other online meters “provide inaccurate scores and sometimes questionable advice.”

TheConversation-CMU-Password-Meter

A password meter provides an opportunity for advice that helps people improve their passwords. 
CyLab Usable Privacy and Security Laboratory, Carnegie Mellon UniversityCC BY-ND

From Security Education to Practical Application

When it comes to changing behavior, there’s a big difference between simply telling end users how to create scientifically strong passwords and actually teaching them to create and use them. Even with effective security education on the topic, maintaining strong passwords presents a variety of obstacles to end users and infosec professionals. It’s a lot to ask a person to create unique, memorable passwords for each account, according to Amy Baker, Wombat’s VP of Marketing.

“Frankly, password management presents an interesting conundrum for infosec professionals,” Baker told ITProPortal. “In this year’s Beyond the Phish™ Report, we again saw that users are well-versed in password best practices. However, our User Risk Report — which compiled results from an independent international survey of 2,000 working adults — showed that, in practice, many individuals continue to repeat passwords across multiple accounts.”

Why the disparity between user understanding and behavior? The issue may be that users perceive password best practices to be “too difficult (or inconvenient) to implement,” says Baker.

color_bar.png

Looking for more advice? Check out our vlog about passwords, two-factor authentication, and identity theft prevention.

Intentity Theft Prevention Tips

color_bar.png

To make strong passwords user-friendly and less burdensome, both Baker and the CMU researchers suggest using a password manager, which can generate and store a different, scientifically strong password for each of your accounts.

“Password managers are not a magic pill,” CMU researcher Lujo Bauer told Consumer Reports, “but for most users they’ll offer a much better combination of security and convenience than they have without them. Everyone should be using one.”

Again, it’s one thing to tell users about password managers, and another to educate them.

“We encourage infosec teams to identify the tools they feel are right for their organization and to clearly communicate the benefits to their employees,” says Baker. “For example, we feel it’s not particularly helpful to simply ask users to install a password manager. It would be more effective to recommend a specific tool and provide instructions about where to get it and how to install it.”

3 Tips for Creating Stronger Passwords

For those who go it alone and create their own passwords, the researchers offer the following tips:

  1. Use at least 12 characters, with at least two or three different types of characters in unpredictable places. “Don’t put your capital letters at the beginning or your digits or symbols at the end,” they caution.
  2. Avoid including personal information, such as birth dates or the names of people, pets or sports teams. Also avoid song lyrics, patterns, and common phrases, they advise, “especially anything related to ‘love’ in any language.”
  3. Make something new: “Create a sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters,” the article states.
The researchers also strongly caution against password reuse and advise users to implement two-factor authentication on accounts when it’s available.

 

Subscribe to Our Blog

2018 State of the Phish Report  Protect your organization from phishing attacks. Download Now
2018 Beyond the Phish Report  Protect your organization from threats including and beyond phishing. Download Now