“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.
A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.
“Attacks are more sophisticated now, and those best practice countermeasures are a little bit out of sync,” says Matteo Dell’Amico, a researcher at Symantec Research. He worked with Maurizio Filippone at the French research institute Eurecom. The pair presented a paper on their work at the ACM Computer and Communications Security conference last week.
Recommendations that we include a mixture of cases, symbols, and numbers in passwords originate in the idea that it reduces the chance of a correct guess by software that systematically tries every combination of characters, says Dell’Amico. Password meters that give feedback on the “strength” of a password work on the same basis.
But the latest password guessing software is smarter than just guessing at random. Instead it is trained using leaked lists of millions of passwords to make guesses that try the passwords—or patterns found in passwords—most commonly used first. Password-guessing software can be used to try to reveal improperly encrypted passwords leaked online, like the 130 million taken from Adobe in 2013, or to directly access password-secured software or devices that don’t limit guessing attempts.
Dell’Amico and Filippone came up with a new way to measure the strength of a password that takes that into account. They trained attack software, used it to generate lists of passwords, and invented a way to use those to assign a kind of “guessability” score to any given password. They used 10 million leaked passwords to train several kinds of attack software and tested their guessability method on another 32 million passwords.
The results show that making a password longer or adding symbols is a better way to strengthen it than adding uppercase characters or numbers. That’s because people tend to add uppercase characters at the start of passwords and numbers at the end, and password attacking methods can take advantage of that, says Dell’Amico. “Basically you need to make your passwords less predictable,” he says. The new method could be used to create more accurate ways to give people a sense of the strength of a password, says Dell’Amico.
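To make the idea concrete, here is an added example (not code from the paper or from Symantec/Eurecom) of a toy “guessability” meter. It models the kind of guesser described above: trained on a leaked list, it combines common base words with common mangling rules (capital first letter, digits on the end) and tries the most probable candidates first. A password’s score is the number of guesses such an attacker needs before reaching it. The leaked sample and the rule frequencies are constructed for illustration, and the sampling-based estimator at the end is an assumption about how a score can be computed when the candidate space is too large to enumerate; it is not a reproduction of the paper’s method.

```python
"""Toy password "guessability" meter (added example; constructed data)."""
import math
import random
from collections import Counter
from typing import Callable, Dict, List, Tuple

# Constructed stand-in for a leaked password list (not real data).
LEAKED_SAMPLE = [
    "password", "password", "password", "password",
    "dragon", "dragon", "dragon",
    "monkey", "monkey", "qwerty", "qwerty",
    "sunshine", "letmein",
]

# Mangling rules with constructed relative frequencies (they sum to 1).
# They encode the article's observation: an uppercase first letter and
# trailing digits are the usual way people "complicate" a base word,
# so a trained guesser tries those variants early.
RULES: List[Tuple[str, float, Callable[[str], str]]] = [
    ("as_is", 0.40, lambda w: w),
    ("cap_first", 0.15, lambda w: w.capitalize()),
    ("append_1", 0.12, lambda w: w + "1"),
    ("cap_first_append_1", 0.10, lambda w: w.capitalize() + "1"),
    ("append_123", 0.08, lambda w: w + "123"),
    ("append_bang", 0.05, lambda w: w + "!"),
    ("cap_first_append_bang", 0.04, lambda w: w.capitalize() + "!"),
    ("append_2023", 0.03, lambda w: w + "2023"),
    ("leet_a", 0.02, lambda w: w.replace("a", "@")),
    ("double", 0.01, lambda w: w + w),
]


def train(leaked: List[str]) -> Dict[str, float]:
    """Estimate P(base word) from its frequency in the leaked sample."""
    counts = Counter(w.lower() for w in leaked)
    total = sum(counts.values())
    return {w: c / total for w, c in counts.items()}


def build_model(word_probs: Dict[str, float]) -> Dict[str, float]:
    """Probability the guesser assigns to every string it can produce.

    P(string) is summed over all (word, rule) pairs that yield it, because
    e.g. leet_a leaves a word without an 'a' unchanged.
    """
    model: Dict[str, float] = {}
    for word, p_word in word_probs.items():
        for _name, p_rule, apply in RULES:
            candidate = apply(word)
            model[candidate] = model.get(candidate, 0.0) + p_word * p_rule
    return model


def guess_order(model: Dict[str, float]) -> List[str]:
    """The attacker's guessing order: most probable first, ties alphabetical."""
    return sorted(model, key=lambda s: (-model[s], s))


def guess_number(password: str, model: Dict[str, float]) -> float:
    """Exact guessability: 1-based position in the guessing order.

    math.inf means this dictionary-plus-rules attacker never produces the
    string at all, which is the outcome a strong password should get.
    """
    if password not in model:
        return math.inf
    return guess_order(model).index(password) + 1


def monte_carlo_guess_number(password: str, model: Dict[str, float],
                             word_probs: Dict[str, float],
                             samples: int = 20000, seed: int = 7) -> float:
    """Estimate the guess number by sampling instead of sorting everything.

    Assumption in this example: sample n passwords q_1..q_n from the model and
    use G(p) ~= 1 + (1/n) * sum over samples with q_i > p of 1/q_i, whose
    expectation is the number of candidates more probable than p.
    """
    if password not in model:
        return math.inf
    p = model[password]
    rng = random.Random(seed)
    words, w_weights = zip(*word_probs.items())
    rule_fns = [r[2] for r in RULES]
    r_weights = [r[1] for r in RULES]
    total = 0.0
    for _ in range(samples):
        word = rng.choices(words, weights=w_weights, k=1)[0]
        apply = rng.choices(rule_fns, weights=r_weights, k=1)[0]
        q = model[apply(word)]
        if q > p:
            total += 1.0 / q
    return 1.0 + total / samples


if __name__ == "__main__":
    wp = train(LEAKED_SAMPLE)
    m = build_model(wp)
    for pw in ["password", "Password1", "password!", "dragondragon",
               "correct horse battery staple"]:
        print(f"{pw!r}: guess #{guess_number(pw, m)}")
```

With this model “Password1” satisfies the usual “uppercase plus number” rule yet is reached on the tenth guess, because the capital-at-the-start and digit-at-the-end patterns are exactly what the guesser tries first; the longer “dragondragon” lands far down the list, and a string the model never produces scores as unguessable by this attacker. A meter built this way reports what matters (how soon a trained guesser gets there) rather than which character classes are present.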
A good way of doing that is important but has long proven elusive, says Mark Burnett, a security researcher who published one of the password research databases used in the study. “I haven’t seen any way that’s perfect, but this is probably the best attempt I’ve seen,” he says. “This type of research helps us to be smarter about what makes passwords stronger, the advice we give, and see where we need to go from now.”
Burnett’s advice for the next time you choose or change a password is that once you come up with one you should find a way to make it longer, perhaps by adding a word or two. His advice for the computing industry is to come up with alternatives to using passwords as widely as we do today. “Passwords are getting longer and longer and we’re getting to the point where they’re going to lose their usefulness,” he says.