Some common password security rules and suggestions aren’t actually doing much to make passwords more secure, a new study says.
That’s the message in a new report from a research team led by Ph.D. student Ashwini Rao of the Institute for Software Research at Carnegie Mellon University.
Rao and the other researchers developed a password-cracking algorithm and used it to try to crack nearly 1,500 passwords. Then they ran other respected password-cracking tools against the same set and compared the results.
The team’s algorithm outperformed the rest — 10% of the passwords in the test were cracked by the researchers’ tool and by none of the others.
The passwords used for the test satisfied one common requirement for creating secure passwords: They were long, with each using at least 16 characters.
But what set the researchers’ algorithm apart and made it able to crack those long passwords? It could understand grammar.
When users are required to use longer passwords, they often choose a phrase or sentence — that makes it easier to remember while also satisfying length requirements. However, the Carnegie Mellon team’s tool was able to guess passwords based on common grammatical structures, diminishing the security of those passwords.
Hackers’ tools are also evolving to get beyond the common password security technique of choosing a phrase and replacing letters with different, similar characters. According to Rao, problems still exist if the password is built around a phrase or sentence, even when that extra step is taken.
For example, his team calculated that the passphrase “hammered asinine requirements” is harder to crack than the seemingly more complex “th3r3 can only b3 #1!” — which follows the common (and, according to the study, asinine) requirement to use numbers and special characters.
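As an added illustration (not part of the article or of the CMU study), the following Python estimator contrasts a length-based strength estimate with a grammar-aware one for the two passphrases above; the part-of-speech class sizes, the tiny tagger, the leet table and the pattern count are constructed assumptions, not the study’s data.

```python
"""Passphrase guess-space estimates: a naive character model, a naive word
model and a grammar-aware model in the spirit of the CMU study. The class
sizes, tagger, leet table and pattern count are constructed assumptions."""
from math import log2, prod

# Assumed number of words an attacker enumerates per part-of-speech class.
CLASS_SIZE = {"noun": 20000, "adj": 5000, "verb": 3000, "adv": 500,
              "modal": 10, "aux": 10, "number": 100}
DICT_SIZE = sum(CLASS_SIZE.values())   # 28,620 words in the whole dictionary

# Tiny tagger covering only the words used in this example.
TAGGER = {"hammered": "verb", "asinine": "adj", "requirements": "noun",
          "there": "adv", "can": "modal", "only": "adv", "be": "aux",
          "#1": "number"}

# Leet spellings the estimator undoes, and how many substitution patterns an
# attacker is assumed to try on top of each plain phrase.
LEET = {"3": "e", "1": "i", "0": "o", "@": "a", "$": "s"}
LEET_PATTERNS = 8
PRINTABLE = 95                         # printable ASCII, naive character model

def tokenize(phrase):
    """Lower-cased words, trailing punctuation stripped, leet undone for words
    the tagger does not know verbatim (so '#1' is kept as-is)."""
    words, leet_used = [], False
    for raw in phrase.lower().split():
        tok = raw.strip("!?.,")
        if tok not in TAGGER:
            plain = "".join(LEET.get(ch, ch) for ch in tok)
            leet_used = leet_used or plain != tok
            tok = plain
        words.append(tok)
    return words, leet_used

def naive_char_bits(phrase):
    """Bits if every character were an independent printable ASCII choice."""
    return len(phrase) * log2(PRINTABLE)

def naive_word_bits(phrase):
    """Bits if every word were an independent draw from the whole dictionary."""
    return len(tokenize(phrase)[0]) * log2(DICT_SIZE)

def grammar_guesses(phrase):
    """Guesses once the part-of-speech template is known: product of the class
    sizes, times the leet patterns if any substitution was used."""
    words, leet_used = tokenize(phrase)
    guesses = prod(CLASS_SIZE[TAGGER[w]] for w in words)
    return guesses * (LEET_PATTERNS if leet_used else 1)
```

On the two phrases from the article, the character model credits the 29-character passphrase with about 190 bits and the word model ranks the five-word phrase above the three-word one, while the grammar-aware model puts both below 40 bits and ranks “hammered asinine requirements” (3e11 guesses) about 15 times above “th3r3 can only b3 #1!” (2e10).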
Keys for password security
One tip to give users to get them to create more secure passwords: Shy away from any password combination that makes sense. As the Carnegie Mellon study shows, predictable structures are the enemy when it comes to password security.
Some expert tips for getting users to choose more secure passwords:
- Use available technology to enforce complexity requirements when users create passwords
- Require passwords to be changed regularly — and not just by adding a number on the end of the previous version, and
- Consider dropping the reliance on passwords altogether and using two-factor authentication.