Source: Technology Review
Common advice on how to make a strong password is misleading, according to a new study of password-guessing techniques.
WHY IT MATTERS: Passwords are widely relied on for authentication but are frequently leaked online or implemented poorly.
“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.
A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.
“Attacks are more sophisticated now, and those best practice countermeasures are a little bit out of sync,” says Matteo Dell’Amico, a researcher at Symantec Research. He worked with Maurizio Filippone at the French research institute Eurecom. The pair presented a paper on their work at the ACM Computer and Communications Security conference last week.