Pittsburgh Post-Gazette

CMU studies reveal best and worst methods for creating a password.

- By Rich Lord

The perfect password would be both unpredictable and memorable, but that’s a tough combination, said Lorrie Faith Cranor, director of Carnegie Mellon University’s CyLab Usable Privacy and Security Laboratory.

As a leading researcher on passwords, she has seen thousands of them, and they’re rarely as clever as their creators imagined.

How about 1qaz2wsx? Sorry, that diagonal march down the left side of the keyboard is well known to hackers, who have programs that spit out the most common passwords and test systems, machine-gun style.

And if the hacker wants you specifically, they’ll check your social media for, say, the names of your pets.

CyLab student Blase Ur last month traveled to Seoul, South Korea, to present the lab’s most recent paper on passwords. The bottom line: “Random is best, but random is hard to remember,” so it’s important to find the right balance, Ms. Cranor said. “We’ve been looking at what are the ways that you can actually make passwords stronger without actually driving users crazy.”

So what works? Long passwords — 12 characters or more — are much harder to predict than short ones, regardless of their composition, said Ms. Cranor.

Systems increasingly demand a mixture of letters, numbers, punctuation and capitalization.

That’s more secure, but can be far better if the capital letters are not at the beginning and the punctuation is not at the end, she said. If you always capitalize, say, the third letter in your passwords, that quirk can improve security while remaining memorable.

CMU’s studies indicate that exclamation points are the most popular password punctuation, so anything else would probably be better.

Beyond the obvious dumb passwords — 12345678, iloveyou, pa$$w0rd — Ms. Cranor advised avoiding your mother’s maiden name, children’s names or birthdays, or other easily identifiable trivia from your well-documented life. Random words strung together would be better than common phrases.

“Song lyrics?” she said. “Not such a good idea.”
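The warning signs described in this article can be turned into a password-creation check. The sketch below is an added example, not code from the article or from CyLab; it assumes a US QWERTY layout, and the run length of 4 keys and the 50% coverage cut-off for a keyboard walk are assumed values.

```python
import string

# QWERTY rows, top to bottom (US layout assumed); index i lines up diagonally.
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl;", "zxcvbnm,./"]
# Diagonal columns: "1qaz", "2wsx", ... (the article's 1qaz2wsx example).
COLUMNS = ["".join(row[i] for row in ROWS) for i in range(10)]
LINES = ROWS + COLUMNS
LINES = LINES + [line[::-1] for line in LINES]  # walks can run either way
# Passwords the article itself names as weak.
KNOWN_WEAK = {"1qaz2wsx", "12345678", "iloveyou", "pa$$w0rd"}


def walk_coverage(password, min_run=4):
    """Fraction of characters inside a keyboard row/column run of >= min_run keys.

    min_run=4 is an assumed threshold, not a figure from the article.
    """
    pw = password.lower()
    covered = [False] * len(pw)
    for start in range(len(pw)):
        for line in LINES:
            end = start
            # Extend the run while the substring still lies along this line.
            while end < len(pw) and pw[start:end + 1] in line:
                end += 1
            if end - start >= min_run:
                covered[start:end] = [True] * (end - start)
    return sum(covered) / len(pw) if pw else 0.0


def audit(password):
    """Return the article's warning signs that apply, in a fixed order."""
    findings = []
    if password.lower() in KNOWN_WEAK:
        findings.append("named-weak-in-article")
    if len(password) < 12:
        findings.append("shorter-than-12")
    if walk_coverage(password) >= 0.5:  # assumed cut-off
        findings.append("keyboard-walk")
    uppers = [i for i, c in enumerate(password) if c.isupper()]
    if uppers == [0]:
        findings.append("capital-only-at-start")
    puncts = [i for i, c in enumerate(password) if c in string.punctuation]
    if puncts == [len(password) - 1]:
        findings.append("punctuation-only-at-end")
    if "!" in password:
        findings.append("exclamation-point")
    return findings
```

An empty result means only that none of these specific patterns matched; it does not check for personal trivia, common phrases or song lyrics.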
