We have all heard the advice that in order to protect our information and online accounts we should create and use “complex” passwords that include a mix of upper case and lower case letters, numbers, and special characters. Following such advice does, in theory, produce passwords that are far more difficult for unauthorized parties to guess or crack with hacking tools than passwords consisting solely of a word lifted from the English dictionary. Reality, however, tells us that while complex passwords provide better security than do most English words on their own, these “strong passwords” create new risks.
First, due to the limitations of human memory, complex passwords are more likely to be written down than English words used as passwords – meaning that utilizing complex passwords increases the risk of passwords being exposed through insecure storage. People who don’t write down their passwords experience another issue – how many times has each of us forgotten a complex password and had to go through a frustrating process to have it reset?
Storing complex passwords in a smartphone app is not a panacea either: password storage apps place numerous pieces of sensitive information in one place – putting “all the eggs in one basket” when it comes to passwords – and must therefore be strongly protected. Properly protecting the app and the data that it stores can turn looking up a password into a frustrating process involving entering a long, complex password and waiting for various decryption functions to run. Of course, if such an app were ever infected with malware – or even if the phone running it were ever infected by certain types of advanced malware – the impact on a person using the app to store all of his or her passwords could be devastating.
In addition to the risks created by human memory limitations, there is a major concern about how strong complex passwords truly are, and how well they stand up to hacking tools. Research shows that the actual security provided by complex passwords is often far less than one would expect based on a password’s theoretical strength. One major issue with complex passwords was discussed in a paper published last year by a research team from Carnegie Mellon University, which explained that predictable human tendencies often dramatically undermine the strength of complex passwords.
For example, on systems that require that all passwords include characters of both upper and lower cases and at least one digit, a widely disproportionate number of passwords created by English-speaking humans will have an upper case character in the first position, followed by lower case characters, which in turn are followed by a single digit. Similarly, the researchers found that when people are required to create long passwords they often simply repeat a short password twice. As a result of these and other expected human behaviors, password cracking systems that leverage an understanding of human tendencies can process the expected permutations first, and thereby crack many “strong” passwords far faster than pure mathematical probability would suggest.
How should you best address these issues?
1. If you must create a complex password of the type mentioned above – do not use an expected pattern – spread lower case letters, capital letters, numbers, and special characters throughout the password.
2. Do not repeat significant sections within passwords.
3. If your system will allow longer passwords, consider using the strategy that I discuss in the article How To Create Strong Passwords That You Can Easily Remember which will allow you to create strong passwords that are far easier to remember than a sequence of random characters.
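As an added illustration of the two tendencies described above (the capital-lowercase-digit pattern and the repeated short password) and of the advice in points 1 and 2, here is a small defender-side policy check, written for this page rather than taken from the article or the Carnegie Mellon paper. It flags the predictable structures at password-creation time and shows how much of the theoretical keyspace the capital-lowercase-digit pattern actually occupies; the sample passwords are constructed, and the repetition check generalizes from “twice” to any number of repeats.

```python
import math
import re

# Pattern from the article: one capital, then only lower case letters, then a single digit.
CAPITAL_LOWER_DIGIT = re.compile(r"[A-Z][a-z]+[0-9]")


def is_repeated_unit(pw: str) -> bool:
    """True if pw is some shorter string repeated two or more times (e.g. 'Summer1Summer1').

    A string is a non-trivial repetition of a substring exactly when it occurs
    inside (pw + pw) with the first and last characters removed.
    """
    return len(pw) > 1 and pw in (pw + pw)[1:-1]


def predictable_pattern_warnings(pw: str) -> list[str]:
    """Return the human-tendency patterns the article warns about that pw exhibits."""
    warnings = []
    if CAPITAL_LOWER_DIGIT.fullmatch(pw):
        warnings.append("capital, then lower case letters, then a single digit")
    if is_repeated_unit(pw):
        warnings.append("short password repeated to reach the required length")
    return warnings


def pattern_keyspace_fraction(length: int) -> float:
    """Fraction of the full upper+lower+digit keyspace of a given length that the
    capital-lowercase-digit pattern occupies. A cracker that tries this slice first
    searches only this fraction of what the theoretical strength assumes."""
    full = 62 ** length                      # 26 upper + 26 lower + 10 digits per position
    patterned = 26 * (26 ** (length - 2)) * 10  # one capital, lowercase middle, one digit
    return patterned / full


def bits_lost_to_pattern(length: int) -> float:
    """How many bits of effective strength the pattern gives up versus the full keyspace."""
    return -math.log2(pattern_keyspace_fraction(length))


if __name__ == "__main__":
    # Constructed sample passwords, not real credentials.
    for candidate in ["Summer1", "Summer1Summer1", "sU7m!eRq"]:
        print(candidate, "->", predictable_pattern_warnings(candidate) or "no predictable pattern")
    print(f"8-char capital-lowercase-digit passwords cover "
          f"{pattern_keyspace_fraction(8):.2e} of the keyspace "
          f"({bits_lost_to_pattern(8):.1f} bits weaker than advertised)")
```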