What Are Password Rules and How to Follow Them Safely?
There are many guidelines and good practices that can help you create a better password. However, a research team at Carnegie Mellon University, led by professor Lorrie Cranor, is challenging and redefining some of them.
Cranor's team has developed a password strength meter, similar to those employed by a great number of websites today. However, Cranor argues that current implementations have rules in place but don't enforce them in a meaningful way. For example, a minimum length and a mix of letters, numbers and symbols might be required, yet a password like '$chrys4nth3mum$' can tick every box on such a checker and still be weak, because it is a dictionary word with predictable character substitutions.
What does the meter do?
Cranor's meter is equipped with a suggestion algorithm that offers alternatives as users type their passwords, and it tries to teach them why simply shoving a '1' onto the end of an ordinary word is not a good idea. Similarly, mixing upper and lower case letters in the same string should mean more than capitalizing the first letter of the word you use in your password.
The university's security lab, under Cranor's supervision, ran tests in which participants created their own passwords with the help of the meter's suggestions. Users were given one single fixed rule: the password had to be at least 10 characters long. Beyond that, the meter's algorithm offered dynamic suggestions for improving the password as it was typed.
What can you learn from the meter?
While the meter developed by Cranor's team has not been deployed in any live service just yet, there is a lot regular users can learn from it. It's important to remember that taking an ordinary dictionary word as your password and simply putting a letter in front and a symbol at the back of the string is not a great idea.
Password brute forcing relies heavily on preset dictionaries, and current computing power lets a cracking tool test an enormous number of guesses per second.
Additionally, it's important to intersperse symbols and numbers throughout the password string rather than grouping them at one end of it.
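To make the patterns described above concrete, here is a small checker, added as an example and not the code of Cranor's team or of any deployed meter, that flags the weak habits this article names: a dictionary word dressed up with substitutions, a digit tacked onto the end of a word, capitalizing only the first letter, and pushing all digits and symbols to the ends of the string. The word list and the substitution table are constructed stand-ins; a real checker would use a list of millions of leaked passwords and the far larger rule sets that cracking tools apply.

```python
import re

# Constructed stand-in for the word lists a cracking tool loads; a real
# checker would use a list of millions of leaked passwords and dictionary words.
COMMON_WORDS = {"password", "chrysanthemum", "welcome", "sunshine", "dragon", "letmein"}

# Letter-for-symbol substitutions ("leetspeak") that cracking rules undo automatically.
LEET = str.maketrans({"4": "a", "3": "e", "1": "i", "0": "o", "5": "s",
                      "$": "s", "@": "a", "7": "t"})

MIN_LENGTH = 10  # the single fixed rule the study gave its participants


def normalize(pw: str) -> str:
    """Lowercase and undo common substitutions, as a cracker's mangling rules would."""
    return pw.lower().translate(LEET)


def core_word(pw: str) -> str:
    """Strip the digits and symbols bolted onto the front and back, leaving the core."""
    return re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", pw)


def check_password(pw: str) -> list:
    """Return the weak patterns found in pw (an empty list means none of these patterns)."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")

    core = core_word(pw)
    if normalize(core) in COMMON_WORDS:
        findings.append(f"built on the common word '{normalize(core)}'")

    # A plain word with one or two digits tacked onto the end ("shoving a '1' on").
    if re.fullmatch(r"[A-Za-z]+\d{1,2}", pw):
        findings.append("a word with a digit or two appended")

    # "Mixed case" that is really just a capitalized first letter.
    alpha = [c for c in pw if c.isalpha()]
    if len(alpha) > 1 and alpha[0].isupper() and all(c.islower() for c in alpha[1:]):
        findings.append("only the first letter is capitalized")

    # Digits and symbols are present, but every one of them sits at an end of the string.
    if core != pw and core.isalpha():
        findings.append("digits and symbols grouped at the ends, none in the middle")

    return findings


if __name__ == "__main__":
    # Constructed sample passwords; the first is the article's own example.
    for candidate in ["$chrys4nth3mum$", "Password1", "Sunshine!", "tr4in!stat!on_bike7"]:
        print(f"{candidate!r}: {check_password(candidate) or 'no flagged patterns'}")
```

Note what happens with the article's example: '$chrys4nth3mum$' passes the length check and has its digits in the middle, so the only finding is that it is built on a dictionary word once the substitutions are undone. That is exactly the gap the article describes between ticking the boxes and being strong, and it is why a meter that understands patterns is more useful than one that only counts character classes.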