Researchers from Carnegie Mellon University and the University of Chicago have created a new password meter that offers real time feedback and advice on how to make a secure password.
A simple Google search will show you the ten most common passwords, with the most popular including ‘123456’ and ‘qwertyuiop’. Most of the time, your password is 50% of the credentials standing between you and all your details, be that financial information like your Amazon account or personal details like Facebook.
Simple passwords are easy to guess outright or to approximate, and sadly attackers can even guess passwords by exploiting patterns: they study large datasets of breached passwords and common modifications, so changing E’s to 3’s, for example, would not fool an attacker.
When you enter a password, most sites show only a gauge stating that it is weak. No existing meter offers useful advice on building a password, whereas the CMU and UoC research shows their meter explaining why a password is bad and how to improve it.
The meter detects characteristics in your password that it knows attackers may guess, such as the E to 3 substitution, and tells you about them. It employs an ‘artificial neural network’, modelled loosely on how neurons behave in the human brain, which ‘learns’ by scanning millions of existing passwords and identifying trends. The researchers believe it will change how users make passwords.
The researchers evaluated the meter in an online study in which 4,509 people were asked to create a password. It showed that the new meter led users to create stronger passwords that were no harder to remember than passwords created without the feedback.
What this research suggests is that the problem is not a lack of tools but getting users to understand the need for complex passwords. The new meter would force users to choose complex passwords of a certain length or arrangement, and tell them why a complicated password is essential to protecting personal data.
We asked Mark James, ESET IT Security Specialist, about the effectiveness of password ‘meters’ like this.
“The problem with passwords is not necessarily the length or the complexity.
“For passwords to be effective, we need to remember them or have a means to remember them, like password managers, and to also ensure they are unique.
“The two biggest problems are reusing the same password on multiple sites, or easy to guess passwords.
“Often the end user is so focussed on providing a complex unique difficult password with letters both upper and lower along with other hard to remember characters that they “make life easy” by taking shortcuts.
“End users need to be educated on how to construct unique passwords from phrases or statements they are already familiar with, making small adjustments to suit the website and enabling them to reuse the base phrase with different modifiers.
“One of the fundamentals of effective security, as in most aspects of life, is that if we understand why and can place the importance of what we do, then we are much more likely to embrace and continue to use that information to better deal with the task at hand.”
Would you like to see this kind of system used more widely? Let us know on Twitter @ESETUK.