Passwords: Everything You’ve Been Told Is Wrong

Join any website as a new member and you are often prompted, sometimes forced, to create a complicated password that uses at least one uppercase letter, one lowercase letter, and one numeric character. Others seem to want you to include the most ridiculous elements, all for the sake of maximum security. Even with frequent and prolific hacks and cyberterrorism, making a password can sometimes feel like standing in the airport terminal security line.

But a new study shows it’s not just the content, but the size that matters.

According to Matteo Dell’Amico, current countermeasures are “a bit out of sync” now that cyberattacks are more sophisticated. Dell’Amico, a researcher at Symantec Research, along with Maurizio Filippone, worked at the French research institute Eurecom and presented a paper on their work at the ACM Computer and Communications Security conference last week.

Hacks have leaked millions of passwords to “blackhat” hackers, hackers who use cyberattacks for personal gain. These hackers have found patterns that aid password-guessing software, and have found ways past improperly encrypted passwords. In response, Dell’Amico and Filippone have trained attack software to generate lists of passwords and assign “guessability” scores, to see what kinds of passwords hold up better against attacks.

What the results show is that longer passwords with added symbols are far stronger than passwords that merely mix uppercase and lowercase letters and number characters. Using words and numbers makes users susceptible to creating passwords built from names, things and places, along with numbers like birth dates and even the typical “1, 2, 3, 4, 5.” Using length and symbols adds unpredictability. Mark Burnett, a security researcher, points out, though: “Passwords are getting longer and longer and we’re getting to the point where they’re going to lose their usefulness.”
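To make the idea of a "guessability" score concrete, here is an added example (not the researchers' software and not part of the original article) that trains a toy character-bigram model on a constructed list of leaked-style passwords and scores candidates in bits. The model choice, the names `guess_bits`, `LEAKED_STYLE` and `meets_composition_rule`, and the sample passwords are assumptions for illustration; the bit values only rank passwords relative to this toy model.

```python
import math
from collections import Counter, defaultdict

START, END = "\x02", "\x03"   # sentinels that cannot appear in a typed password
VOCAB = 95 + 1                # printable ASCII characters plus the END marker
ALPHA = 0.01                  # smoothing mass for transitions never seen in training

# Constructed training list imitating the patterns seen in leaked password dumps.
LEAKED_STYLE = ["password", "password1", "Password1", "123456", "12345678", "qwerty",
                "letmein", "michael1987", "Summer2015", "iloveyou", "dragon", "monkey12"]

def train(passwords):
    """Count character-to-character transitions, as a guessing model would learn them."""
    counts = defaultdict(Counter)
    for pw in passwords:
        chars = [START, *pw, END]
        for prev, cur in zip(chars, chars[1:]):
            counts[prev][cur] += 1
    return counts

def guess_bits(model, pw):
    """Return -log2 P(pw) under the model: more bits means later in the guess list."""
    bits = 0.0
    chars = [START, *pw, END]
    for prev, cur in zip(chars, chars[1:]):
        row = model.get(prev, Counter())      # empty row for characters never seen
        total = sum(row.values())
        bits -= math.log2((row[cur] + ALPHA) / (total + ALPHA * VOCAB))
    return bits

def meets_composition_rule(pw):
    """The classic sign-up rule: at least one upper, one lower, one digit."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw))

MODEL = train(LEAKED_STYLE)

if __name__ == "__main__":
    for candidate in ["Password1", "Summer2016", "plum;kettle^orbit-sand"]:
        print(f"{candidate!r:28} rule={meets_composition_rule(candidate)!s:5} "
              f"bits={guess_bits(MODEL, candidate):6.1f}")
```

The two candidates that satisfy the upper/lower/digit rule score lowest because they follow patterns the model has already learned, while the long lowercase-and-symbol passphrase fails the rule yet scores far higher.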

So will we need to write small diatribes or poems to make passwords effective? Let us know what you think in the comments below.