Simple, easy-to-guess passwords are the scourge of cybersecurity staff. On the flip side, many users struggle to remember lengthy and complicated passwords that pass muster with cybersecurity standards. To help bridge the gap between security and usability, Carnegie Mellon’s CyLab Security and Privacy Institute has developed a policy for creating passwords.
For those in charge of setting password requirements, researchers say to ditch rules surrounding uppercase and lowercase letters, numbers, and symbols. Instead, passwords need to be at least 12 characters and pass a real-time strength test developed by the researchers.
“The policy we developed allows users to create passwords that are both easier to remember and more secure against sophisticated attackers,” says Lorrie Cranor, director of CyLab and a professor in the Institute for Software Research (ISR) and the Department of Engineering and Public Policy (EPP). “Interestingly, our data show that requiring more character classes – uppercase letters, symbols, and digits – doesn’t increase password strength as much as other requirements and it tends to have negative impacts on password usability.”
Back in 2016, researchers developed a password-strength meter powered by an artificial neural network. The meter – which was only a few hundred kilobytes – is small enough to encode into a web browser. Researchers explain that the meter gives users a strength score and offers suggestions in real time.
“It was kind of a game changer,” says Lujo Bauer, a professor in electrical and computer engineering (ECE) and ISR, “because no other password meters until then offered accurate, data-driven, real-time feedback on how to make the passwords stronger.”
Building off their 2016 work, researchers approached password policies from the perspective that the ideal password must achieve a certain threshold score on their password meter.
“This new perspective led the researchers to discover a threshold between password strength and length – one that causes users to create passwords that are both stronger and more usable than they would under common password policies,” researchers explain.
The study is backed by hard science, Carnegie Mellon’s CyLab Security and Privacy Institute said in a press release. Researchers conducted online experiments where they evaluated combinations of minimum-length requirements, character-class requirements, minimum-strength requirements, and password blocklists (lists of words that should not be allowed in passwords because they are so commonly used). The experiment examined a user’s ability to recall passwords created under common password policies.
The top recommendation from the study is to mandate passwords to be 12 characters in length. On top of that, researchers suggest that “blocklist requirements either check candidate passwords against a list of about 10^5 commonly leaked passwords using a fuzzy matching algorithm or perform a full-string check against a large list consisting of all known leaked passwords.” Additionally, researchers say that password policies using blocklist requirements should not impose character-class requirements.
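As an added example (not code from CyLab or from the article), here is a small policy checker in Python that follows the recommendations above: a 12-character minimum, no character-class rules, a blocklist check in either fuzzy or full-string mode, and a hook for a real-time strength meter. The normalization used for fuzzy matching (lowercase, strip digits and symbols) and the sample blocklist are assumptions made for illustration, not the researchers’ exact algorithm or data.

```python
import re
from typing import Callable, Iterable, Optional

MIN_LENGTH = 12  # the study's top recommendation

# Constructed sample of commonly leaked passwords. A real deployment would load
# roughly 10^5 entries (fuzzy mode) or all known leaked passwords (full-string mode).
SAMPLE_BLOCKLIST = ["password", "123456", "qwerty", "letmein", "iloveyou", "welcome1"]


def normalize(candidate: str) -> str:
    """Assumed fuzzy-match normalization: lowercase and drop digits and symbols,
    so 'Password123!' collapses to 'password'. All-digit inputs keep their
    digits so an entry like '123456' is still matchable."""
    lowered = candidate.lower()
    letters = re.sub(r"[^a-z]", "", lowered)
    return letters or re.sub(r"[^a-z0-9]", "", lowered)


def build_fuzzy_index(blocklist: Iterable[str]) -> frozenset:
    """Pre-normalize the blocklist once so each check is a set lookup."""
    return frozenset(n for n in (normalize(p) for p in blocklist) if n)


def check_policy(candidate: str, blocklist: Iterable[str], fuzzy: bool = True,
                 strength_fn: Optional[Callable[[str], float]] = None,
                 min_strength: float = 0.0) -> list:
    """Return the list of policy violations; an empty list means the password
    is accepted. Deliberately imposes no character-class requirement."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if fuzzy:
        if normalize(candidate) in build_fuzzy_index(blocklist):
            problems.append("too similar to a commonly leaked password")
    elif candidate in set(blocklist):
        problems.append("exactly matches a known leaked password")
    # Hook for a minimum-strength requirement; the neural-network meter from
    # the article is not reimplemented here, any scoring function can be plugged in.
    if strength_fn is not None and strength_fn(candidate) < min_strength:
        problems.append("below the minimum strength score")
    return problems


if __name__ == "__main__":
    for pw in ["Password123!", "correct horse battery staple", "qwerty"]:
        print(repr(pw), "->", check_policy(pw, SAMPLE_BLOCKLIST) or "accepted")
```

Note that "Password123!" passes a full-string check but is rejected by the fuzzy check, which is the gap the researchers’ fuzzy-matching recommendation closes.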