How to build a better password: Be less predictable

This is not a big step forward in terms of security, especially since fraudsters know very well – probably better than anyone – what kind of passwords people choose. If we demand upper case characters in passwords, almost everybody will capitalize the first letter. If we demand a numeral, the number “1” is almost three times more likely than the number “9”, and “3456” is more than ten times as common as “4321”. Similarly, the “special” characters people use are far from special when you look at which ones are used and where they are placed in the password. Therefore, traditional password strength checkers create a false sense of security, since they count characters but fail to look at likelihoods.

Users are not entirely to blame. The industry is giving a false sense of security with the way they use password checkers. Instead of counting upper case and lower case characters, demanding numerals and special characters, password strength checkers should understand passwords – and refuse passwords that are too predictable. And this can be done! In a recent paper I wrote with my student, Mayank Dhiman, we showed how password strength checkers could parse passwords, breaking them into components, then scoring the components based on their commonality, and computing a score for the password based on the scores of its components.
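As an added illustration of the component-based approach described above (this is not the paper's code, and the frequency tables are constructed toy values, not corpus statistics), the following Python sketch parses a password into word, digit and symbol components, assigns each a probability from a small table (falling back to per-character guessing for unknown components), and scores the whole password as the sum of the components' -log2 probabilities. The 40-bit rejection threshold is an assumed policy value for the demonstration.

```python
import math
import re
from typing import List, Tuple

# Constructed toy frequency tables for illustration only. A real checker would
# derive these from a large leaked-password corpus; the numbers merely mimic the
# skew the article describes ("1" about three times as likely as "9", "3456" far
# more common than "4321", "!" the dominant "special" character).
WORD_FREQ = {
    "password": 0.05, "welcome": 0.02, "dragon": 0.015,
    "letmein": 0.01, "monkey": 0.01, "summer": 0.01,
}
DIGIT_FREQ = {"1": 0.30, "123": 0.15, "9": 0.10, "3456": 0.02, "4321": 0.002}
SYMBOL_FREQ = {"!": 0.50, "@": 0.20, ".": 0.10, "#": 0.05}

# Fallbacks for components not in the tables (assumption: an unknown component
# has to be guessed character by character from its alphabet).
UNKNOWN_LETTER = 1 / 26
UNKNOWN_DIGIT = 1 / 10
UNKNOWN_SYMBOL = 1 / 32

TOKEN_RE = re.compile(r"(?P<word>[A-Za-z]+)|(?P<digits>[0-9]+)|(?P<symbols>[^A-Za-z0-9]+)")

Component = Tuple[str, str, float]  # (text, kind, probability)


def case_probability(word: str) -> float:
    """How predictable is the capitalisation pattern? (constructed values)"""
    if word.islower():
        return 1.0
    if word[0].isupper() and word[1:].islower():
        return 0.5               # "capitalise the first letter" is the default habit
    if word.isupper():
        return 0.25
    return 2.0 ** -len(word)     # arbitrary mixed case: one bit per letter


def parse(password: str) -> List[Component]:
    """Break a password into word / digits / symbols components and give each a
    probability from the tables, or the per-character fallback if unknown."""
    components: List[Component] = []
    for m in TOKEN_RE.finditer(password):
        tok, kind = m.group(), m.lastgroup
        if kind == "word":
            p = WORD_FREQ.get(tok.lower(), UNKNOWN_LETTER ** len(tok))
            p *= case_probability(tok)
        elif kind == "digits":
            p = DIGIT_FREQ.get(tok, UNKNOWN_DIGIT ** len(tok))
        else:
            p = 1.0
            for ch in tok:
                p *= SYMBOL_FREQ.get(ch, UNKNOWN_SYMBOL)
        components.append((tok, kind, p))
    return components


def strength_bits(password: str) -> float:
    """Score = sum of -log2(p) over components: roughly the number of bits an
    attacker who knows the same tables would still have to guess."""
    return sum(-math.log2(p) for _, _, p in parse(password))


def meets_complexity_rules(password: str) -> bool:
    """The traditional character-counting rule set the article criticises."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


def is_too_predictable(password: str, min_bits: float = 40.0) -> bool:
    """Reject passwords whose component score falls below a threshold
    (40 bits is an assumed policy value, not a figure from the page)."""
    return strength_bits(password) < min_bits


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2023!", "wombat-quartz-9"):
        print(f"{pw:18} rules={meets_complexity_rules(pw)!s:5} "
              f"bits={strength_bits(pw):5.1f} reject={is_too_predictable(pw)}")
```

Running it shows the contrast the article draws: "Password1!" satisfies every character-counting rule yet scores about 8 bits, because each of its components (a top dictionary word, first-letter capitalisation, the digit "1", a trailing "!") is exactly what the tables predict, while "wombat-quartz-9" fails the upper-case rule but scores close to 70 bits because none of its components is in any table.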

It is time to teach users how to be less predictable.
