WHAT’S WRONG WITH YOUR PA$$WORD?

Our team here at Lockr came across this TED talk the other day, and thought it would applicable to our readers. We tried to pick out the important parts of the talk and highlight some of the best practices, hope you enjoy!

During a TED talk in 2014, Lorrie Faith Craner, highlighted her thoughts on password strength and other security standards that she has discovered in recent years. Craner is a security researcher at Carnegie Mellon University who has spent much of her career studying online privacy, usable security, phishing, spam and other ways to maintain security in the internet era. In recent years her attention has been given to the roles that our personal passwords play in our online security, or lack thereof.

In the past decade there has been increased security measures in response to the realization of threats posed to our personal information online. Part of this mobilization, felt by just about everyone online, is the need for stronger passwords. Craner uses, as an example, the shift at Carnegie Mellon University where she is employed. Prior to 2009 there were virtually no demands on passwords created by students and faculty. But following 2009, in response to demands by the National Institute of Standards and Technology, requirements for password entropy were enforced. This was, essentially, a demand to make passwords less predictable. Passwords were regulated and required to have at least eight characters, to include both upper and lower case letters, to include at least one symbol and digit, they were not allowed to hold more than three of the same character, and could not be located in a dictionary. These demands have become customary and common for many, but still are the source of much frustration, particularly for those having to create a multiplicity of different passwords for various accounts. Though the NIST’s demand for password entropy was enforced, they admitted that they did not have much data regarding what makes a password secure; this due to the unavailability of password information for research.

Craner and her team began a series of studies aiming to collect data sets on password information in order to ascertain what makes a password both memorable (i.e. convenient) and responsible (i.e. safe). Their first study was relatively small, surveying 470 students and faculty at CMU, and resulted in some unfortunate discoveries. Although only 13% surveyed wrote down their passwords to help them remember (implying that the remaining 87% recognized that this was a dangerous habit), 80% admitted to reusing passwords across platforms. This habit is more dangerous than writing down a password separately as it puts the password at a greater risk to hackers.

Recognizing the need for more data to understand how passwords were being used and what put them at risk, they conducted a larger study via Amazon Mechanical Turk and were able to look at the passwords of 5,000 participants. Different participants were given different requirements when building passwords. Some were merely required to create passwords of at least 8 characters (Basic 8), some were required to create complex passwords with the same regulations imposed on the CMU passwords mentioned earlier (Complex 8), and some were not required to employ such complexities, but were forced to create long passwords of at least 16 characters (Basic 16). They found that the vast majority of participants creating passwords in line with the complex 8 used the same symbols (“!” and “@”), making this increased security layer far less effective. And many of the basic 8 passwords used similar or the same words/phrases (popular phrases included: “iloveyou”, “password”, “12345678”, etc.).

The research team took the data a step further and employed the popular hacking method of “hash function” to ascertain which passwords were weak and which were strong. Hackers will often steal a password file which has all of the passwords scrambled, in what is called a hash. They will then guess different combinations and run them through the hash to look for matches. The Basic 8 passwords were, as expected, weak and easy to discover, particularly if they were one of the common iterations mentioned above. Surprisingly though, the complex 8 were no more secure than the longer basic 16, and in many cases users reported the basic 16 as easier to remember and more convenient. This throws into question some of the angling of institutions and corporations online toward highly complex passwords, and suggests a focus on length may be more beneficial.

The team took this finding and, conducting another study, gave participants passwords randomly generated from a computer. Some passwords were long passphrases (i.e. correcthorsebatterystaple; demonstrated in the graphic below), some were short but complex passwords (i.e. >J#tS), and some were longer pronounceable passwords (i.e. vadasabi). Of the randomly generated passwords, users, who came back to enter them later, preferred the pronounceable passwords to both the passphrases and complex passwords. Making these the most “convenient” and memorable, while also maintaining the user’s safety.

Image courtesy of xkcd.com/936

When addressing the question of how to build a password that is in equal parts memorable, convenient, and responsible/safe the research conducted by Craner and her team at CMU leads us first to stray away from the basic 8 password model in favor of something more complex and random. Understanding the hash function method employed by hackers, it is easy to see how the repetitive use of basic passwords could lead to compromised accounts. Consider employing a passphrase or a random pronounceable password next time you are creating a new one.

To give a plug for one of our favorite products here at Lockr, we recommend checking out 1Password, both to manage as well as create more complex, lengthy, multi-character passwords.

As with any of our blog posts, feel free to reach out if you have questions, comments or need an opinion about how to handle something. Twitter, Slack, Linkedin, Email

You can find a full link to Lorrie Faith Craner’s TED talk here.