People Understand How to Make Good Passwords, But Still Don't
Turns out people have a pretty good idea of what makes a good password, but they still make terrible ones.
Do you know what makes a good password?
Judging by the passwords leaked as part of the constant stream of daily data breaches, neither you nor anyone of us really do, as we all keep using the same old awful passwords, such as "123456" or—gulp—"password."
Yet, as it turns out, people are generally pretty good, or at least better than expected, at judging what makes a good password, according to a study published this week. That's the good news. The bad news is that even though people have a decent sense of what are the best strategies to generate good passwords, they still have fatal misconceptions and don't understand how hackers can guess or find out their passwords.
"They understand that this password is stronger than that password, as a rule, but they don't know how strong is strong enough," Lujo Bauer, a professor in Carnegie Mellon's Department of Electrical and Computer Engineering, and one of the authors of the study, told Motherboard.
The study asked 165 participants to pick which one of two similar passwords, say "p@ssw0rd" and "pAsswOrd," or "ieatkale88" and "iloveyou88," was more secure. The researchers also showed the participants real passwords from a data breach, asking them to rate how secure and memorable they were.
"They understand that this password is stronger than that password, as a rule, but they don't know how strong is strong enough."
Participants also had to rate the best common strategies to make passwords; say, avoiding words that could be linked to their identity, or using capital letters in the middle of the word, rather than at the beginning. Finally, the participants had to describe how to make good passwords, and how they thought someone could guess or crack their password, and who that person could be.
In case you're wondering, pAsswOrd is better than p@ssw0rd because it's way more common to substitute letters with symbols than use capital letters in the middle of a word. And ieatkale88 is better than iloveyou88 because the word "love" and phrases containing it are very common. Neither of these are great passwords per se, by the way, since they're too short.
But the biggest problem is that people don't understand how passwords can be attacked, according to the researchers.
One method, of course, is to guess them by trying all possible combinations of characters, numbers and symbols with cracking software which has been taught to use certain techniques (numbers at the end) and words (love, for example) that are common in passwords. This kind of attack doesn't usually work online, at least on services that adopt best practices like Google and Facebook, which lock the account after a few tries.
But there are also offline attacks, where hackers get a big database of passwords, which are sometimes encrypted. In this case, cybercriminals have all the time, and guesses, they want to obtain the real password. At that point, they can try to reuse them on other accounts.
"We ask people to make a password that attackers won't guess, but many participants had no real idea of what that would mean," Blase Ur, another co-author of the study, told Motherboard.
"Don't blame end users for bad passwords."
The root of these problems is that people haven't been taught how to make good passwords. Many services give some feedback to users when they create accounts, but it's incomplete or limited. And the many password meters online that try to teach users about passwords (ahem, CNBC) usually are misleading.
"Right now we're giving users bad instructions about how to create passwords, we're giving them poor feedback about whether their password is good, and then we're surprised when they create poor passwords," Bauer said.
Ur intoned a mea culpa in the name of systems designers, exonerating users. The blame, he said, resides in the "very abstract advice" given to users, which has led them to think digits and symbols by themselves make a password secure, and that words that aren't in the dictionary, such as random keyboard patterns are secure. Both are not.
Per Thorsheim, the founder of the Password conference, agreed.
"Don't blame end users for bad passwords," he told me.
You can test your own knowledge of password security in this brief quiz that the researcher and Nature put together. And remember, our brains are actually good at remembering long, impossible to guess passwords. We can do better than this.