Twenty years ago, one of the biggest security concerns was that a colleague would learn your password from the post-it note you put on your screen. The solution was simple: Don’t write your passwords down! That was good advice, and most people could easily remember the two or three passwords that they needed.
Since then, security threats have evolved beyond recognition, but our capacity to remember passwords has remained unchanged. We are still able to remember just two or three passwords, and most people choose relatively short and rather predictable passwords in order to be able to recall them.
Password managers address this problem, but come with their own problems. What if malware breaks in and steals all the passwords? And what do you do – practically speaking – when you have a new or borrowed device?
This begs the question: How can we build a better password?
First of all, we should revisit the advice from the 1990s. Today, the typical adversary is not a colleague looking over your shoulder, but a faceless hacker thousands of miles away. Writing passwords down on pieces of paper may not be such a bad idea – although we still don’t recommend sticking them to your screen. This makes particular sense as the number of passwords grows.
To add an additional layer of security to your password cheat sheet, you can make all passwords be composed of two parts. One that you memorize – this part is the same for all your passwords within a given category – and one that you write down – this is unique. Using this method, anybody can manage hundreds of passwords while still only having to remember two or three things.
Second, we need to make passwords stronger. When users are forced to include both upper case and lower case, as well as numerals and special characters, what do they do? They meet those requirements in the ways that are easiest for them to remember. So instead of using passwords like “password” or “secure,” they use “Password1!” and “Secure1!”.
This is not a big step forward in terms of security, especially since fraudsters know very well – probably better than anyone – what kind of passwords people choose. If we demand upper case characters in passwords, almost everybody will capitalize the first letter. If we demand a numeral, the number “1” is almost three times more likely than the number “9”, and “3456” is more than ten times as common as “4321”. Similarly, the “special” characters people use are far from special when you look at which ones are used and where they are placed in the password. Therefore, traditional password strength checkers create a false sense of security, since they count characters but fail to look at likelihoods.
Users are not entirely to blame. The industry is giving a false sense of security with the way they use password checkers. Instead of counting upper case and lower case characters, demanding numerals and special characters, password strength checkers should understand passwords – and refuse passwords that are too predictable. And this can be done! In a recent paper I wrote with my student, Mayank Dhiman, we showed how password strength checkers could parse passwords, breaking them into components, then scoring the components based on their commonality, and computing a score for the password based on the scores of its components.
It is time to teach users how to be less predictable.