One problem with many passwords is that they pass all the security checks but are still easy to guess, because most of us follow the same patterns.
Researchers at Carnegie Mellon University in the United States say that the requirements they recommend for making a password stronger when you create a new account differ from the familiar rules, such as using uppercase letters, numbers, and special characters.
Lorrie Cranor, director of CyLab’s Security and Privacy Lab at Carnegie Mellon University, said her team has a better approach: a password meter that websites can use to prompt you to create more secure passwords.
After the user creates a password of at least 10 characters, the meter offers suggestions, such as splitting common words with slashes or random letters, to make the password stronger.
The suggestions set this meter apart from existing strength meters, which measure a password’s strength and often use colors to display it. The suggestions come from the common mistakes the team noticed when people set up passwords during its experiments.
The lab found that one of the problems with many passwords is that they pass all the security checks but are still easy to guess, because most of us follow the same patterns. You might add a “1” at the end, or put a capital letter at the beginning of the password and special characters such as exclamation marks.
The Carnegie Mellon password meter gives tips for strengthening a password such as “ILoveYou2!”, which meets the standard requirements, and it also offers advice based on what you type, such as reminding you not to use a name or suggesting that you place special characters in the middle of your password.
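To make the mechanism concrete, here is a small pattern-aware meter in Python. It is an added example, not the CMU lab’s code: the pattern rules, the tiny word and name lists, and the 10-character minimum are assumptions chosen to mirror the behaviour the article describes (digits tacked on the end, a capital only at the start, special characters only at the end, common words and names), and the `split_common_words` helper implements the “divide common words with slashes or random letters” tip.

```python
"""Pattern-aware password feedback in the spirit of the meter described above.

Added example, not the CMU lab's code. The pattern rules, word lists and the
10-character minimum are assumptions for illustration; a real meter would use a
large dictionary, a leaked-password list and a trained guessability model.
"""
import re
import secrets
import string
from typing import List, Optional, Tuple

MIN_LENGTH = 10  # the article's minimum length; assumed to be the only hard rule

# Constructed sample lists; real deployments use far larger ones.
COMMON_WORDS = {"love", "you", "password", "welcome", "summer", "dragon"}
COMMON_NAMES = {"alice", "bob", "michael", "jennifer", "lorrie"}

# Human-readable advice keyed by pattern name; {detail} is the matched text.
ADVICE = {
    "digits_at_end": "Digits at the end ('{detail}') are where everyone puts them; move them into the middle.",
    "only_capital_at_start": "Capitalizing only the first letter is predictable; capitalize a letter in the middle instead.",
    "special_only_at_end": "Place special characters ('{detail}') in the middle of the password rather than at the end.",
    "common_word": "Split the common word '{detail}' with a slash or a random letter.",
    "contains_name": "'{detail}' looks like a name; avoid names in passwords.",
}


def meets_standard_requirements(pw: str) -> bool:
    """The familiar checkbox rules: length, upper, lower, digit, special."""
    return (
        len(pw) >= MIN_LENGTH
        and any(c.isupper() for c in pw)
        and any(c.islower() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def find_patterns(pw: str) -> List[Tuple[str, str]]:
    """Return (pattern, detail) pairs for every predictable pattern in pw."""
    found = []
    # Digits at the end, optionally followed only by punctuation ("...2!").
    m = re.search(r"(\d+)[^A-Za-z\d]*$", pw)
    if m:
        found.append(("digits_at_end", m.group(1)))
    # A single capital, and it is the first character.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        found.append(("only_capital_at_start", pw[0]))
    # Every special character sits in the last two positions.
    specials = [i for i, c in enumerate(pw) if c in string.punctuation]
    if specials and min(specials) >= len(pw) - 2:
        found.append(("special_only_at_end", "".join(pw[i] for i in specials)))
    lowered = pw.lower()
    for word in sorted(COMMON_WORDS):
        if word in lowered:
            found.append(("common_word", word))
    for name in sorted(COMMON_NAMES):
        if name in lowered:
            found.append(("contains_name", name))
    return found


def suggest(pw: str) -> List[str]:
    """Advice tied to what the user actually typed, one line per pattern."""
    return [ADVICE[kind].format(detail=detail) for kind, detail in find_patterns(pw)]


def split_common_words(pw: str, separator: Optional[str] = "/") -> str:
    """Insert separator (a random letter when None) into the middle of each
    recognised common word, implementing the 'divide common words' tip."""
    out = pw
    for word in sorted(COMMON_WORDS):
        idx = out.lower().find(word)
        if idx == -1:
            continue
        sep = separator if separator is not None else secrets.choice(string.ascii_letters)
        cut = idx + len(word) // 2
        out = out[:cut] + sep + out[cut:]
    return out


def report(pw: str) -> dict:
    """Everything a sign-up form would need to render the meter's feedback."""
    return {
        "meets_requirements": meets_standard_requirements(pw),
        "patterns": find_patterns(pw),
        "suggestions": suggest(pw),
        "example_rewrite": split_common_words(pw),
    }


if __name__ == "__main__":
    for candidate in ("ILoveYou2!", "Password123!", "mN2pL#qR7sT"):
        r = report(candidate)
        print(candidate, "meets rules:", r["meets_requirements"])
        for line in r["suggestions"]:
            print("  -", line)
        if r["suggestions"]:
            print("  e.g.", r["example_rewrite"])
```

Running the script shows the article’s point directly: “ILoveYou2!” satisfies every checkbox rule yet triggers four pattern warnings, while a password with no recognisable pattern passes with no advice at all. The `split_common_words` rewrite is only a demonstration of one tip; a real meter would let the user choose the separator rather than dictate the result.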
“It’s closely related to what you’re doing, and it’s not random advice,” Cranor said of the advice.
In one experiment, users created passwords on a system that asked them for a password of at least 10 characters. The system evaluated the passwords using the team’s password strength meter and provided personalized suggestions for stronger passwords.
The test subjects created secure passwords that they could still remember after 5 days, and the approach worked better than showing users prepared rule lists or simply blocking known bad passwords.
Cranor and her co-authors will present their latest password results on Thursday at the virtual ACM Conference on Computer and Communications Security. The team hopes future website makers will adopt its tools.
Meanwhile, Cranor says the best way to create secure passwords and remember them is to use a password manager. Such programs have not been widely adopted and come with some trade-offs, but they let you create a random, unique password for each account and remember those passwords for you.