It feels like our lives are ruled by online accounts and apps. With each new digital adventure comes the need for extra security and copious passwords.
There is a widespread misconception that a password should be complicated to the fullest extent, with capital letters and symbols crammed in wherever possible, as if the more you stuff into it, the better.
A team of computer scientists from Carnegie Mellon, University of Chicago and the University of Maryland might have come up with a solution to our password woes.
"We’ve known for years that most password advice was not actually based on scientific knowledge. To address this, we have been conducting experiments about the effects of password requirements on security and usability," writes the group in The Conversation, led by Lorrie Cranor, Professor of Computer Science and Engineering & Public Policy at Carnegie Mellon.
The best defense is offense
The team looked into how different password-cracking methods work. By understanding how attackers actually guess passwords, they were able to derive an “accurate measure of password strength.”
Attackers are not simply getting lucky by guessing at random. Many have stolen entire password databases from large corporations, as seen in the breaches at Yahoo, LinkedIn, Adobe and, notoriously, Ashley Madison.
Those databases store passwords in hashed (“scrambled”) form, but with a stolen copy in hand the attacker can guess offline at full speed: each candidate is hashed and compared against the stolen hashes, and no login page is there to slow the attempts down. With the guessing algorithms attackers have built, a large share of the passwords in such a database is typically recovered within hours.
How they do it
- They start by guessing the most popular passwords and the words in a dictionary.
- They then try each of those with a “1” appended, then with every other digit and symbol appended, and then the same set again with the first letter in uppercase.
The success rate of this simple process shows that all those websites coaching you to build an “iron-clad” password by adding a capital letter at the front and a digit at the end are way off: those are exactly the variations the attacker tries first.
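The procedure in the list above, as an added example that is not part of the original article or of the researchers' work. The wordlist and the "stolen" hash set are constructed for the demo, and SHA-256 is assumed as the hash only to keep it self-contained; the point is the guess order and the offline hash-and-compare loop, which is the same whatever fast hash the site used.

```python
import hashlib
import string

# Constructed wordlist standing in for "the most popular passwords and words in the dictionary".
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "monkey", "sunshine", "welcome"]

# Constructed stand-in for a stolen database. A real attacker sees only the hashes;
# the plaintexts are kept here solely so the demo can report what was cracked.
# Hashing is fast, unsalted SHA-256: the easy case for the attacker.
LEAKED_PLAINTEXTS = ["password", "dragon!", "Sunshine1", "kGm7$ptTb9#wLq2r"]


def hash_pw(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


def mangle(word):
    """Yield the guesses derived from one base word, in the order the article describes:
    the word itself, the word with each digit and symbol appended, then the same set
    again with the first letter in uppercase."""
    suffixes = string.digits + string.punctuation
    for base in (word, word[:1].upper() + word[1:]):
        yield base
        for s in suffixes:
            yield base + s


def crack(hashes, wordlist):
    """Offline guess-and-compare: hash every candidate and look it up in the stolen set.
    Returns ({hash: guessed_plaintext}, number_of_guesses_made)."""
    remaining = set(hashes)
    found = {}
    guesses = 0
    for word in wordlist:
        for guess in mangle(word):
            guesses += 1
            h = hash_pw(guess)
            if h in remaining:
                found[h] = guess
                remaining.discard(h)
                if not remaining:  # stop early once everything is cracked
                    return found, guesses
    return found, guesses


def demo():
    """Run the attack against the constructed leak.
    Returns (sorted cracked plaintexts, total guesses made)."""
    leak = {hash_pw(p): p for p in LEAKED_PLAINTEXTS}
    found, guesses = crack(leak.keys(), WORDLIST)
    return sorted(found.values()), guesses


if __name__ == "__main__":
    cracked, n = demo()
    print(f"{n} guesses, cracked {len(cracked)} of {len(LEAKED_PLAINTEXTS)}: {cracked}")
```

Three of the four constructed passwords fall in well under a thousand guesses, including "Sunshine1", which satisfies the usual "one capital, one digit" rule; only the random 16-character string survives, because it is not reachable from any dictionary word by these transformations.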
Once they’ve hit the password jackpot, the attacker tries the recovered password on the victim’s other accounts, such as a bank account, a technique known as credential stuffing; it works because so many people reuse passwords across sites.
The researchers’ way of beating the attackers at their own game was an experiment with 50,000 volunteers. Each volunteer was asked to create a password under a randomly assigned set of requirements, such as “minimum of 12 characters” or “must include lowercase and uppercase letters, digits and symbols.”
They then measured the strength of the resulting passwords, how well the volunteers could recall what they had created, and other metrics.
So what makes a strong password, according to science?
The goal is not to confuse a human hacker but to defeat the guessing program. So Cranor and her team developed a password meter that uses an artificial neural network to analyse each password and give more detailed advice than the meters currently in use.
According to the experts, this is how to make your password resistant to guessing:
“Make your password at least 12 characters, and mix it up with at least two or three different types of characters (lowercase letters, uppercase letters, digits and symbols), put in unpredictable places. Don’t put your capital letters at the beginning or your digits or symbols at the end.
Avoid including names of people or pets, places you have lived, sports teams, stuff you like or birth dates. Avoid common phrases (especially anything related to “love” in any language) and song lyrics. Don’t use patterns (“ABC,” “123”), including patterns on the keyboard (“1qazxsw2”).
One way to make a strong password is to create a sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters.”
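To make the quoted rules concrete, here is an added checker in Python. It is not the researchers’ neural-network meter or any code from the article; it simply flags the violations the advice lists. The blocklist and the keyboard lines are constructed, deliberately tiny stand-ins (a real blocklist would hold names, pets, teams, lyrics and the “love” words of many languages), and `from_sentence` is one reading of the “sentence no one’s ever said” method, keeping any digits or punctuation the sentence already carries so other character types get mixed in.

```python
import string

# Constructed, tiny stand-in for a real blocklist: common passwords, "love" in a few
# languages, and a name, a pet and a team as the advice mentions.
BLOCKLIST = ("password", "love", "amor", "amour", "liebe", "steelers", "fluffy", "pittsburgh")

# Straight runs on a US keyboard: the rows, the columns behind patterns like "1qazxsw2",
# and the alphabet for "abc"-style sequences.
KEYBOARD_LINES = (
    "1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1qaz", "2wsx", "3edc", "4rfv", "5tgb", "6yhn", "7ujm", "8ik,", "9ol.", "0p;/",
    string.ascii_lowercase,
)


def has_pattern(pw, minlen=3):
    """True if `minlen` consecutive keys along a row, column or the alphabet,
    in either direction, appear in the password (e.g. "123", "cba", "1qaz")."""
    low = pw.lower()
    for line in KEYBOARD_LINES:
        for seq in (line, line[::-1]):
            if any(seq[i:i + minlen] in low for i in range(len(seq) - minlen + 1)):
                return True
    return False


def check(pw, blocklist=BLOCKLIST):
    """Return the list of rules from the advice that `pw` violates (empty list = passes)."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    classes = {
        "lower": str.islower, "upper": str.isupper,
        "digit": str.isdigit, "symbol": lambda c: c in string.punctuation,
    }
    present = [name for name, test in classes.items() if any(test(c) for c in pw)]
    if len(present) < 2:
        problems.append("fewer than two character classes")
    # Capitals only at the beginning, or digits/symbols only as a suffix, are the
    # first variations a cracker tries, so they add almost nothing.
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    if uppers == [0]:
        problems.append("capital letter only at the beginning")
    tail = [i for i, c in enumerate(pw) if c.isdigit() or c in string.punctuation]
    if tail and tail == list(range(len(pw) - len(tail), len(pw))):
        problems.append("digits and symbols only at the end")
    low = pw.lower()
    hits = [w for w in blocklist if w in low]
    if hits:
        problems.append("contains blocklisted word(s): " + ", ".join(hits))
    if has_pattern(pw):
        problems.append("contains a keyboard or sequential pattern")
    return problems


def from_sentence(sentence, take=1):
    """Build a password from a sentence: the first `take` letters of each word, keeping
    any digits or punctuation attached to the word so other character types get mixed in.
    This is one reading of the advice, not the researchers' tool."""
    parts = []
    for word in sentence.split():
        letters = "".join(c for c in word if c.isalnum())[:take]
        extras = "".join(c for c in word if not c.isalnum())
        parts.append(letters + extras)
    return "".join(parts)


if __name__ == "__main__":
    for candidate in ("Password1!", "1qazxsw2", from_sentence("Our 2 cats ignore Tuesday alarms, but not the toaster!")):
        print(f"{candidate!r}: {check(candidate) or 'passes'}")
```

"Password1!" trips four rules at once (too short, capital at the front, digit and symbol at the end, blocklisted word), and "1qazxsw2" is caught by the keyboard-column check even though it uses two character classes. The sentence-derived password passes every rule while still being something its owner can reconstruct from the sentence.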