Skip to Content
Tech policy

You’ve Been Misled About What Makes a Good Password

Common advice on how to make a strong password is misleading, according to a new study of password-guessing techniques.
October 19, 2015

“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.

A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.

“Attacks are more sophisticated now, and those best practice countermeasures are a little bit out of sync,” says Matteo Dell’Amico, a researcher at Symantec Research. He worked with Maurizio Filippone at the French research institute Eurecom. The pair presented a paper on their work at the ACM Computer and Communications Security conference last week.

Recommendations that we include a mixture of cases, symbols, and numbers in passwords originate in the idea that it reduces the chance of a correct guess by software that systematically tries every combination of characters, says Dell’Amico. Password meters that give feedback on the “strength” of a password work on the same basis.

But the latest password guessing software is smarter than just guessing at random. Instead it is trained using leaked lists of millions of passwords to make guesses that try the passwords—or patterns found in passwords—most commonly used first. Password-guessing software can be used to try to reveal improperly encrypted passwords leaked online, like the 130 million taken from Adobe in 2013, or to directly access password-secured software or devices that don’t limit guessing attempts.

Dell’Amico and Filippone came up with a new way to measure the strength of a password that takes that into account. They trained attack software, used it to generate lists of passwords, and invented a way to use those to assign a kind of “guessability” score to any given password. They used 10 million leaked passwords to train several kinds of attack software and tested their guessability method on another 32 million passwords.

The results show that making a password longer or adding symbols is a better way to strengthen it than by adding uppercase characters or numbers. That’s because people tend to add uppercase characters at the start of passwords and numbers at the end, and password attacking methods can take advantage of that, says Dell’Amico. “Basically you need to make your passwords less predictable,” he says. The new method could be used to create more accurate ways to give people a sense of the strength of a password, says Dell’Amico.

A good way of doing that is important but has long proven elusive, says Mark Burnett, a security researcher who published one of the password research databases used in the study. “I haven’t seen any way that’s perfect, but this is probably the best attempt I’ve seen,” he says. “This type of research helps us to be smarter about what makes passwords stronger, the advice we give, and see where we need to go from now.”

Burnett’s advice for the next time you choose or change a password is that once you come up with one you should find a way to make it longer, perhaps by adding a word or two. His advice for the computing industry is to come up with alternatives to using passwords as widely as we do today. “Passwords are getting longer and longer and we’re getting to the point where they’re going to lose their usefulness,” he says.

Deep Dive

Tech policy

wet market selling fish
wet market selling fish

This scientist now believes covid started in Wuhan’s wet market. Here’s why.

How a veteran virologist found fresh evidence to back up the theory that covid jumped from animals to humans in a notorious Chinese market—rather than emerged from a lab leak.

Conceptual illustration showing a file folder with the China flag and various papers flying out of it
Conceptual illustration showing a file folder with the China flag and various papers flying out of it

The US crackdown on Chinese economic espionage is a mess. We have the data to show it.

The US government’s China Initiative sought to protect national security. In the most comprehensive analysis of cases to date, MIT Technology Review reveals how far it has strayed from its goals.

Professor Gang Chen of MIT
Professor Gang Chen of MIT

All charges against China Initiative defendant Gang Chen have been dismissed

MIT professor Gang Chen was one of the most prominent scientists charged under the China Initiative, a Justice Department effort meant to counter economic espionage and national security threats.

Harvard University professor Charles Lieber leaves federal court, Tuesday, Dec. 14, 2021
Harvard University professor Charles Lieber leaves federal court, Tuesday, Dec. 14, 2021

The China Initiative’s first academic guilty verdict raises more questions than it answers

Observers hoped that the trial of the prominent Harvard professor Charles Lieber would provide some clues into the future of the Department of Justice’s campaign against Chinese economic espionage.

Stay connected

Illustration by Rose WongIllustration by Rose Wong

Get the latest updates from
MIT Technology Review

Discover special offers, top stories, upcoming events, and more.

Thank you for submitting your email!

Explore more newsletters

It looks like something went wrong.

We’re having trouble saving your preferences. Try refreshing this page and updating them one more time. If you continue to get this message, reach out to us at with a list of newsletters you’d like to receive.