“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.
A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.
“Attacks are more sophisticated now, and those best practice countermeasures are a little bit out of sync,” says Matteo Dell’Amico, a researcher at Symantec Research. He worked with Maurizio Filippone at the French research institute Eurecom. The pair presented a paper on their work at the ACM Computer and Communications Security conference last week.
Recommendations that we include a mixture of cases, symbols, and numbers in passwords originate in the idea that it reduces the chance of a correct guess by software that systematically tries every combination of characters, says Dell’Amico. Password meters that give feedback on the “strength” of a password work on the same basis.
But the latest password guessing software is smarter than just guessing at random. Instead it is trained using leaked lists of millions of passwords to make guesses that try the passwords—or patterns found in passwords—most commonly used first. Password-guessing software can be used to try to reveal improperly encrypted passwords leaked online, like the 130 million taken from Adobe in 2013, or to directly access password-secured software or devices that don’t limit guessing attempts.
Dell’Amico and Filippone came up with a new way to measure the strength of a password that takes that into account. They trained attack software, used it to generate lists of passwords, and invented a way to use those to assign a kind of “guessability” score to any given password. They used 10 million leaked passwords to train several kinds of attack software and tested their guessability method on another 32 million passwords.
The results show that making a password longer or adding symbols is a better way to strengthen it than by adding uppercase characters or numbers. That’s because people tend to add uppercase characters at the start of passwords and numbers at the end, and password attacking methods can take advantage of that, says Dell’Amico. “Basically you need to make your passwords less predictable,” he says. The new method could be used to create more accurate ways to give people a sense of the strength of a password, says Dell’Amico.
A good way of doing that is important but has long proven elusive, says Mark Burnett, a security researcher who published one of the password research databases used in the study. “I haven’t seen any way that’s perfect, but this is probably the best attempt I’ve seen,” he says. “This type of research helps us to be smarter about what makes passwords stronger, the advice we give, and see where we need to go from now.”
Burnett’s advice for the next time you choose or change a password is that once you come up with one you should find a way to make it longer, perhaps by adding a word or two. His advice for the computing industry is to come up with alternatives to using passwords as widely as we do today. “Passwords are getting longer and longer and we’re getting to the point where they’re going to lose their usefulness,” he says.