Can you spot a strong password?

Security sophisticates tend to be plenty cynical about “typical users” – especially when it comes to choosing strong passwords. But, according to computer security researchers at CyLab, Carnegie Mellon’s Security and Privacy Institute, ordinary users aren’t quite as dumb as advertised. And their misunderstandings fall into just four specific categories. That’s actually a pretty manageable amount of education.

CyLab’s methodology: show people pairs of passwords, and ask, which is more secure? Then, correlate their answers with the actual performance of today’s most common approaches to password cracking. Overall, out of 75 pairs, participants averaged 59 right. That’s 79%: practically a “B.”

Granted, CyLab’s 165-user sample might be slightly more technical than your average bears: they were recruited online via Amazon’s Mechanical Turk system. And CyLab isn’t saying they do all this good stuff – just that they know they should. But still… these results aren’t terrible.

CyLab’s respondents knew passwords are more secure when you:

  • Capitalize the middle of words rather than the beginning
  • Place digits and symbols in the middle rather than the end
  • Use random digit sequences instead of obvious ones, like years
  • Choose words other than common first names
  • Avoid words that are personal to you, like your child’s name
  • Avoid words that are obviously related to the site or account you’re trying to protect

Of course, they still got 21% wrong. That leaves plenty of holes for crackers to climb through. So, what were their big misconceptions?

  1. Participants thought that adding digits makes a password more secure than using only letters. Nope: crackers know that users often stick numbers at the end, so “brooklynqy” is more secure than “brooklyn16.”
  2. Participants thought merely swapping in digits made passwords far more secure. Nope: Password crackers “exploit users’ tendency to make predictable substitutions,” so “punk4life” isn’t stronger than “punkforlife.”
  3. Participants overestimated the security of keyboard patterns. Nope again: Today’s password crackers quickly search common keyboard patterns like “qwertyuiop,” as well as other common patterns – not only words.
  4. Participants misjudged the popularity of particular words and phrases. According to CyLab, for example, users thought “ieatkale88” and “iloveyou88” were equally secure. Not so: password crackers require a billion times more guesses to compromise “ilovekale.” It’s often more secure to choose a single rare word than a phrase incorporating “iloveyou” or “ilove.” Love-infused passwords are ridiculously common… which is actually sort of sweet if you’re not responsible for site security.

What might help users overcome flawed password strategies? According to the study’s authors:

A promising direction to help users better evaluate their passwords relative to common practices is through targeted, data-driven feedback during password creation. Current password-strength meters only tell users if a password is weak or strong, not why.

Future work in this area could build on a recent study that showed users likely “autocompletions” of the partial password they had typed… [and] could build on research using motivational statements or peer pressure to ‘nudge’ users to create stronger passwords.

You could also watch our short video on how to pick a proper password:

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)