You’ve Been Misled About What Makes a Good Password

21. October 2015

Source: Technology Review

Common advice on how to make a strong password is misleading, according to a new study of password-guessing techniques.

WHY IT MATTERS: Passwords are widely relied on for authentication but are frequently leaked online or implemented poorly.

“Password must include upper and lowercase letters, and at least one numeric character.” A common scold dished out by websites or software when you open an account or change a password—and one that new research suggests is misleading.

A study that tested state-of-the-art password-guessing techniques found that requiring numbers and uppercase characters in passwords doesn’t do much to make them stronger. Making a password longer or including symbols was much more effective.

“Attacks are more sophisticated now, and those best practice countermeasures are a little bit out of sync,” says Matteo Dell’Amico, a researcher at Symantec Research. He worked with Maurizio Filippone at the French research institute Eurecom. The pair presented a paper on their work at the ACM Computer and Communications Security conference last week.