Communications of the ACM

ACM TechNews

You've Been Misled About What Makes a Good Password

Passwords are widely relied on for authentication but are frequently leaked online or implemented poorly.

A study by Symantec researchers has found that longer passwords, and those including symbols, are more effective.

Credit: Aisha Franz

Symantec researchers recently conducted a study testing state-of-the-art password-guessing techniques and found that requiring numbers and uppercase characters in passwords does not do much to make them stronger. Making a password longer or including symbols was much more effective.

Modern password-guessing software is trained on leaked lists of millions of passwords so that it tries the most commonly used passwords first. The researchers developed a new way to measure the strength of a password that accounts for this technology. They trained attack software, used it to generate lists of passwords, and developed a way to use those lists to assign a "guessability" score to any given password.

The results show that making a password longer or adding symbols, rather than adding uppercase characters or numbers, is a better way to make it stronger. Users tend to add uppercase characters at the start of passwords and numbers at the end, and conventional password-attacking methods can take advantage of that, according to Symantec researcher Matteo Dell'Amico. He says their method could be used to help people get a sense of the strength of a password.
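The point about predictable placement can be turned into a check on the defender's side. The following is an added example, not the Symantec researchers' guessability method: it undoes the two habits named above before judging a password, and the word list, the 12-character threshold and all function names are assumptions made for illustration.

```python
import re

# Constructed sample of common base words (assumption); a real deployment
# would check against a large list of breached passwords instead.
COMMON_BASES = {"password", "dragon", "monkey", "sunshine", "welcome"}
MIN_CORE_LENGTH = 12  # assumed threshold, not taken from the study


def passes_composition_rule(pw):
    """Classic policy: at least 8 characters, one uppercase letter, one digit."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw))


def predictable_core(pw):
    """Strip the habits the article names: trailing digits and a leading capital."""
    core = re.sub(r"\d+$", "", pw)
    # Only undo a single leading capital; mixed-case words are left alone.
    if core[:1].isupper() and core[1:] == core[1:].lower():
        core = core.lower()
    return core


def assess(pw):
    """Describe what is left once the predictable decoration is removed."""
    core = predictable_core(pw)
    return {
        "core": core,
        "core_is_common": core in COMMON_BASES,
        "core_length": len(core),
        "has_symbol": any(not c.isalnum() for c in core),
    }


def flag_weak(pw):
    """Weak if the core is a common word, or is short and has no symbol."""
    a = assess(pw)
    return a["core_is_common"] or (
        a["core_length"] < MIN_CORE_LENGTH and not a["has_symbol"])


if __name__ == "__main__":
    for pw in ["Password1", "Sunshine2015", "monkey#wrench",
               "correct horse battery staple"]:
        print(f"{pw!r}: composition rule={passes_composition_rule(pw)}, "
              f"weak={flag_weak(pw)}, core={predictable_core(pw)!r}")
```

Passwords such as "Password1" satisfy the composition rule yet reduce to a common word, while a long passphrase fails that rule and is still not flagged.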

From Technology Review


Abstracts Copyright © 2015 Information Inc., Bethesda, Maryland, USA

