This pa$$w0rd is not very secure: CMU studies reveal best and worst in passwords
May 4, 2015 3:39 PM
Photo: Paul Sakuma/Associated Press. Systems increasingly demand a mixture of letters, numbers, punctuation and capitalization for passwords.
By Rich Lord / Pittsburgh Post-Gazette
The perfect password would be both unpredictable and memorable, but that’s a tough combination, said Lorrie Faith Cranor, director of Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory.
As a leading researcher on passwords, she’s seen thousands of them, and they’re rarely as clever as their creators imagined.
How about 1qaz2wsx? Sorry, that diagonal march down the left side of the keyboard is well known to hackers, whose cracking tools try the most common passwords and keyboard patterns first, firing guesses machine-gun style.
And if the hacker wants you specifically, they’ll check your social media for, say, the names of your pets.
CyLab student Blase Ur last month traveled to Seoul, South Korea, to present the lab’s most recent paper on passwords. The bottom line: “Random is best, but random is hard to remember,” so it’s important to find the right balance, Ms. Cranor said. “We’ve been looking at what are the ways that you can actually make passwords stronger without actually driving users crazy.”
So what’s good?
Long passwords — 12 characters or more — are much harder to predict than short ones, regardless of their composition, said Ms. Cranor.
Systems increasingly demand a mixture of letters, numbers, punctuation and capitalization.
That is more secure, but a password can be far stronger still if its capital letters are not at the beginning and its punctuation is not at the end, she said. If you always capitalize, say, the third letter in your passwords, that quirk can improve security while remaining memorable.
CMU’s studies indicate that exclamation points are the most popular password punctuation, so anything else would probably be better.
Beyond the obvious dumb passwords — 12345678, iloveyou, pa$$w0rd — Ms. Cranor advised avoiding your mother’s maiden name, children’s names or birthdays, or other easily identifiable trivia from your well-documented life. Random words strung together would be better than common phrases.
“Song lyrics?” she said. “Not such a good idea.”
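The advice above can be turned into a checker. The following is an added example, not code from CyLab or the Post-Gazette: it flags a candidate password for each of the problems the article names (shorter than 12 characters, on a common-password list, a keyboard walk like 1qaz2wsx, too few character classes, a capital only at the start, punctuation only at the end, an exclamation point as the only punctuation, or a known personal detail such as a pet's name). The tiny common-password set, the US QWERTY rows, and the threshold of four adjacent keys are constructed assumptions for illustration; a real deployment would check against a large leaked-password blocklist, which matters more than composition rules.

```python
"""Password heuristics checker (added example; not CMU/CyLab code).

The common-password set, keyboard layout and thresholds below are
assumptions chosen for illustration, not values from the article.
"""
import string

# Constructed stand-in for a real leaked-password blocklist.
COMMON_PASSWORDS = {
    "12345678", "iloveyou", "pa$$w0rd", "password", "qwerty", "1qaz2wsx",
}

# US QWERTY rows, used to detect "keyboard walks" such as 1qaz2wsx
# (down a column) or qwerty (along a row).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def _key_position(ch):
    """Return (row, column) of a key on the layout, or None if not a letter/digit key."""
    for r, row in enumerate(KEYBOARD_ROWS):
        c = row.find(ch)
        if c != -1:
            return (r, c)
    return None


def is_keyboard_walk(password, min_run=4):
    """True if `min_run` consecutive characters are each physically adjacent
    keys (neighbouring row and/or column) on the layout."""
    pw = password.lower()
    run = 1
    for prev, cur in zip(pw, pw[1:]):
        p, q = _key_position(prev), _key_position(cur)
        if p and q and p != q and abs(p[0] - q[0]) <= 1 and abs(p[1] - q[1]) <= 1:
            run += 1
            if run >= min_run:
                return True
        else:
            run = 1
    return False


def check_password(password, personal_terms=(), min_length=12):
    """Return a list of problems; an empty list means every heuristic passed.

    `personal_terms` is the caller's list of easily researched trivia
    (pet names, birth years, maiden names) that should not appear.
    """
    problems = []
    low = password.lower()

    if len(password) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if low in COMMON_PASSWORDS:
        problems.append("appears on a common-password list")
    if is_keyboard_walk(password):
        problems.append("contains a keyboard walk")

    # Mixture of classes: lower, upper, digit, punctuation (threshold assumed).
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")

    # Capital only at the beginning is the most predictable placement.
    if password[:1].isupper() and not any(c.isupper() for c in password[1:]):
        problems.append("only capital letter is at the beginning")

    # Punctuation only as the final character is likewise predictable.
    punct_positions = [i for i, c in enumerate(password) if c in string.punctuation]
    if punct_positions == [len(password) - 1]:
        problems.append("only punctuation is at the end")

    # Exclamation point is the most popular punctuation; prefer another.
    if punct_positions and all(password[i] == "!" for i in punct_positions):
        problems.append("exclamation point is the most common punctuation; choose another")

    for term in personal_terms:
        if len(term) >= 3 and term.lower() in low:
            problems.append("contains personal information: %r" % term)

    return problems


if __name__ == "__main__":
    for candidate in ("1qaz2wsx", "Password2015!", "plumb?Tractor9ink"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that passing every heuristic is not proof of strength: the checker only rules out the predictable habits the researchers describe, so a passing password should still be generated, or at least chosen, with genuine randomness.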
Rich Lord: email@example.com, 412-263-1542 or on Twitter @richelord.