We’ve all heard the common password advice: Choose a random password with a lot of characters, include digits and symbols, don’t use a dictionary word, don’t write it down and change it often. While some of this advice is useful, some of it is counterproductive and probably even harmful.
Next Friday I will be giving a Game Changer talk at the IAPP Global Privacy Summit in which I will discuss research results—from my own research group at Carnegie Mellon University as well as from others—that demonstrate that what most people thought they knew about passwords is wrong.
Most humans are not very good at memorizing random things, and they don’t enjoy doing it. While we are impressed by the talent of spelling bee champions, most of us would rather not spend our time on rote memorization.
It turns out we’re also not very good at coming up with random things, let alone memorizing them. We like to think of ourselves as unique, but we actually think alike more than we want to admit, and we tend to be rather predictable.
So, when we’re asked to come up with a random password, we do something that seems random to us but is actually what a lot of other people do. We think of some song lyrics, the name of our pet, a cartoon character, a TV show, a sports team or even the name of a friend or family member. Or maybe we trace our fingers on a keyboard and type in a sequence of keys that appear next to each other—maybe diagonally down one column and then up the next, because that seems more random than just going left to right across. If we have to add a symbol, we type an exclamation point at the end. If we have to add a number, it is most likely a 1. And if a capital letter is needed, it goes at the beginning.
And because choosing that password was so much work, and remembering it even more so, and because we know we’re not supposed to write our passwords down, the next time we have to create a password, we simply reuse the one we already created.
But what happens when you log in and are told that your password has expired and you have to choose a new one? Chances are you increment the 1 to a 2 or add another exclamation point to the end.
Research shows that forcing users to change their password on a regular basis does not actually increase security. In fact, it encourages users to create weaker passwords and increment them according to a predictable scheme. So, not only does password expiration annoy users, it likely makes their passwords more vulnerable to attack.
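One defensive consequence of this finding is that a password-change flow should not accept the predictable transformations described above (incrementing a trailing digit, appending another exclamation point, changing only capitalization). The check below is an added example, not code from the author or from the CMU studies; it assumes the previous password is available in plaintext at change time because the user types it to authorize the change, and the 0.8 similarity threshold is an assumed tuning value, not a figure from the research.

```python
import re
from difflib import SequenceMatcher

# Split a password into (core, trailing digits, trailing symbols), e.g.
# "monkey1!" -> ("monkey", "1", "!"). The non-greedy core absorbs
# everything that is not a digit-then-symbol suffix.
_SUFFIX = re.compile(r"^(.*?)(\d*)([^\w]*)$")


def split_core(password: str):
    """Return (core, trailing_digits, trailing_symbols) for a password."""
    match = _SUFFIX.match(password)
    return match.group(1), match.group(2), match.group(3)


def is_predictable_variant(old: str, new: str, threshold: float = 0.8) -> bool:
    """True if `new` is a trivial transformation of `old`.

    Catches the patterns users fall back on at forced expiration:
    capitalization-only changes, digit increments ("...1" -> "...2"),
    added or removed trailing symbols, and near-identical strings.
    """
    if old.lower() == new.lower():
        return True  # only the case of some letters changed
    old_core, _, _ = split_core(old)
    new_core, _, _ = split_core(new)
    if old_core.lower() == new_core.lower():
        return True  # same core word; only the digit/symbol tail moved
    # Catch-all for single-character edits anywhere in the string.
    # SequenceMatcher.ratio() is a crude similarity, chosen here as an
    # assumption; it is not the model used in the research.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def review_change(old: str, new: str):
    """Return a rejection reason, or None if the change is acceptable."""
    if is_predictable_variant(old, new):
        return "new password is a predictable variant of the old one"
    return None


if __name__ == "__main__":
    # Constructed sample changes, mirroring the post's examples.
    for old, new in [("monkey1!", "monkey2!"), ("monkey1!", "monkey1!!"),
                     ("Summer2019", "Summer2020"), ("monkey1!", "correct horse battery")]:
        print(f"{old!r} -> {new!r}: {review_change(old, new) or 'ok'}")
```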
I’ll present the results of several other password research studies in my talk. Here are a few highlights:
- Long passwords with simple requirements can be easier to use and just as strong as shorter passwords with complex requirements.
- Password meters can encourage users to create stronger passwords, but most password meters used on websites today provide positive feedback prematurely.
- Passphrases seem like a good idea, but users don’t find random passphrases more usable than passwords.
- Monkey is the most popular animal to include in a password and among the most popular words to include in a password.