Password length is more beneficial than complexity
August 30, 2012 4:00 AM
By Deborah M. Todd Pittsburgh Post-Gazette
In a time before user names became online alter egos, the concept of a password implied a degree of exclusivity. Knowing the magic phrase that opened doors for social clubs or childhood spy games made you unique, put you one step ahead of those who couldn't get past the gatekeepers.
Today, in a world where passwords are the Internet's virtual keys and the average user has the equivalent of a janitor's key ring, the term brings to mind something a lot more accessible and a lot less fun: toilets.
A recent study found 38 percent of respondents would rather clean a toilet than be forced to create a new user name or password for a site. The 2012 Online Registration and Password Study, conducted by Portland, Ore.-based login company Janrain and by Harris Interactive, found 58 percent of respondents had five or more unique passwords, 30 percent had 10 or more and 8 percent had at least 21.
Who could blame them for dreading the idea of creating even more?
Fortunately, new research out of Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory, or CUPS, shows that users might benefit more from using longer passwords than from coming up with shorter passwords that meet laundry lists of complex requirements.
Early findings of the study show that users told to create complex passwords give up pretty easily. Most will either add a special character (a number or a symbol) to the beginning or end of the original password; will reuse a password that is active on another site; or will just write down the complex term, giving anyone who finds the paper access to an account.
One solution that seemed to be helpful was requiring users to have passwords beyond the standard eight characters, CUPS director Lorrie Cranor said.
Participants who were instructed to create passwords that were at least 16 characters long created codes that were considerably stronger and easier to remember than those created by participants told to make complex eight-character passwords.
The study of more than 5,000 participants was conducted using Amazon's Mechanical Turk crowd-sourcing service in conjunction with the Gaithersburg, Md.-based National Institute of Standards and Technology.
Ms. Cranor said CUPS researchers are currently studying the effectiveness of passwords with more than 16 characters, but she said they may have already found the sweet spot for users.
"I have a hunch that it will be somewhere around 16 characters with some complexity, but not as much complexity as some companies have now," she said.
Another feature that Ms. Cranor said was helpful was the inclusion of a password meter to measure effectiveness. However, she said, the meters need to have settings that force users to go beyond using ZIP codes, birthdays or other personal information in order to create legitimately strong passwords.
"If you make [users] work harder before telling them it's good, they will work harder," she said.
The right meter may force someone into a safer password, yet multiple studies show that, even with meters, users tend to gravitate toward generic, unimaginative passwords that have been proven hackable.
The 2010 Consumer Password Worst Practices White Paper, conducted by Redwood Shores, Calif.-based Imperva, studied a breach of 32 million passwords hacked from social gaming site RockYou.com in 2009. Nearly half of the millions of passwords hacked included dictionary or slang words, with the most popular being "123456."
According to the study, not much had changed from a major breach of Hotmail passwords that took place more than a decade ago.
Improving consumer password habits once and for all doesn't have to be as complicated as one might think, said Rob Rachwald, Imperva's director of security, who helped to write the paper.
The study suggests that users abide by NASA's benchmark password standards, which call for at least eight characters, but even NASA has since upgraded to require a minimum of 12 characters. To make it easier to remember the lengthy passwords, Mr. Rachwald offered renowned security expert Bruce Schneier's idea of turning a sentence into one word. The study's example turns "This little piggy went to market" into "tlpWENT2m."
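The length-over-complexity finding, the meter that should refuse ZIP codes and birthdays, and the sentence-to-password mnemonic above can all be exercised in a few lines. The following is an added example written for this page, not code from CUPS, Imperva or the article; the character-class sizes, the personal-data patterns, the word substitutions and the sample passwords are all constructed assumptions, and the entropy figure is the usual rough brute-force estimate (length times log2 of the alphabet actually used), not a measure of how guessable a password is in practice.

```python
import math
import re

# Constructed alphabet sizes for a rough brute-force entropy estimate.
CHAR_CLASSES = (
    (re.compile(r"[a-z]"), 26),
    (re.compile(r"[A-Z]"), 26),
    (re.compile(r"[0-9]"), 10),
    (re.compile(r"[^A-Za-z0-9]"), 33),
)

# Constructed patterns for the personal data the article says a meter must push users past:
# five-digit ZIP codes, four-digit years, and six- or eight-digit dates.
PERSONAL_PATTERNS = {
    "zip_code": re.compile(r"(?<!\d)\d{5}(?!\d)"),
    "year": re.compile(r"(?<!\d)(?:19|20)\d{2}(?!\d)"),
    "date_digits": re.compile(r"(?<!\d)(?:\d{6}|\d{8})(?!\d)"),
}

# Assumed substitutions for the sentence mnemonic (the article's example turns "to" into "2").
WORD_SUBSTITUTIONS = {"to": "2", "too": "2", "for": "4", "and": "&"}


def estimate_bits(password: str) -> float:
    """Rough entropy: length * log2(size of the alphabet the password actually draws from)."""
    alphabet = sum(size for pattern, size in CHAR_CLASSES if pattern.search(password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def personal_data_hits(password: str, known_tokens=()) -> list:
    """Names of personal-data patterns found, plus any caller-supplied tokens
    (a known birthday or ZIP code) that appear in the password."""
    hits = [name for name, pattern in PERSONAL_PATTERNS.items() if pattern.search(password)]
    lowered = password.lower()
    hits.extend(f"known:{tok}" for tok in known_tokens if tok.lower() in lowered)
    return hits


def sentence_to_password(sentence: str, emphasize=()) -> str:
    """Schneier-style mnemonic: first letter of each word, short words swapped for a
    digit or symbol, and words the user chose to emphasize kept whole in upper case."""
    out = []
    for word in sentence.split():
        w = word.strip(".,!?").lower()
        if w in emphasize:
            out.append(w.upper())
        elif w in WORD_SUBSTITUTIONS:
            out.append(WORD_SUBSTITUTIONS[w])
        else:
            out.append(w[0])
    return "".join(out)


def evaluate(password: str, min_length: int, min_classes: int, known_tokens=()) -> dict:
    """Apply a policy: minimum length, minimum number of character classes, and no
    personal data. A length-first policy is (16, 1); a complexity-first one is (8, 3)."""
    classes_used = sum(1 for pattern, _ in CHAR_CLASSES if pattern.search(password))
    hits = personal_data_hits(password, known_tokens)
    return {
        "bits": round(estimate_bits(password), 1),
        "classes": classes_used,
        "personal_data": hits,
        "passes": len(password) >= min_length and classes_used >= min_classes and not hits,
    }


# Constructed samples: an 8-class-heavy password built the way the study says users build
# them (symbol tacked on the end), one padded with a ZIP code, and a longer plain phrase.
SAMPLES = ("Summer12!", "Pgh15213", "mydogatethemail2day")

if __name__ == "__main__":
    print(sentence_to_password("This little piggy went to market", emphasize={"went"}))
    for pw in SAMPLES:
        print(pw, "length-first:", evaluate(pw, 16, 1)["passes"],
              "complexity-first:", evaluate(pw, 8, 3, known_tokens=("15213",)))
```

Running it shows the mnemonic reproducing the article's "tlpWENT2m", the ZIP-padded password failing under both policies once the meter knows the user's ZIP, and the 19-character lowercase phrase scoring well above the 9-character "complex" one while passing only the length-first policy.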
Beyond personal protection, Mr. Rachwald said consumers should ensure that the sites they use are properly encrypting stored passwords. He noted that a breach of employment networking site LinkedIn occurred because the company encrypted but didn't "salt," or assign random characters to, the password data it saved.
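To make the salting point concrete, here is an added example (not code from the article or from any company it mentions) that stores the same constructed set of accounts two ways: a bare hash, as the article says LinkedIn did, and a per-user random salt fed through PBKDF2. The account names, passwords and iteration count are constructed assumptions; the iteration count is kept low here so the example runs quickly and should be tuned upward for real use.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample accounts; alice and bob happen to have chosen the same password.
USERS = {"alice": "tlpWENT2m", "bob": "tlpWENT2m", "carol": "mydogatethemail2day"}

ITERATIONS = 200_000  # assumed; raise for production deployments


def unsalted_hash(password: str) -> str:
    """The weak scheme: a bare digest, so equal passwords yield equal stored values
    and a precomputed table of common passwords matches every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> Tuple[str, str]:
    """Per-user random salt plus an iterated hash; returns (salt_hex, digest_hex)."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify(password: str, salt_hex: str, digest_hex: str,
           iterations: int = ITERATIONS) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def store_unsalted(users: Dict[str, str]) -> Dict[str, str]:
    return {name: unsalted_hash(pw) for name, pw in users.items()}


def store_salted(users: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    return {name: salted_record(pw) for name, pw in users.items()}


def shared_digests(table: Dict[str, str]) -> int:
    """How many stored values are shared by more than one account."""
    counts: Dict[str, int] = {}
    for digest in table.values():
        counts[digest] = counts.get(digest, 0) + 1
    return sum(1 for n in counts.values() if n > 1)


if __name__ == "__main__":
    plain = store_unsalted(USERS)
    print("unsalted: shared digests =", shared_digests(plain))  # alice and bob collide
    salted = store_salted(USERS)
    print("salted:   shared digests =", shared_digests({k: v[1] for k, v in salted.items()}))
    print("alice verifies:", verify(USERS["alice"], *salted["alice"]))
```

With the bare hash, alice and bob's identical passwords produce one identical stored value, so cracking either reveals both, and a table precomputed before the breach applies directly. With a per-user salt the two stored values differ, each guess has to be recomputed per account, and the iteration count makes every such guess expensive.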
Ed Barrett, vice president of marketing and channel sales for Cedar Rapids, Iowa-based security company SecurityCoverage, said management programs such as its Password Genie product can help users keep track of passwords on multiple accounts.
The program allows users to access all passwords, PINs, credit card numbers and other critical information through a secure server. It automatically enters a user's login and password for sites it has saved, and everything can be accessed through a single user name and a password of 14 characters or more.
Mr. Barrett claimed there should be little concern for a breach. Between anti-virus protection, online backup tools and industrial-strength Secure Sockets Layer protection that encrypts all data sent by users, even the company's employees can't see what's stored inside individual accounts.
"If somebody called and said they need their login information and password, we couldn't tell them," he said.
Mr. Barrett said the user's only recourse would be to create a new user name and password to recover the database of stored passwords, but he said that's better than trying to remember dozens of different passwords.
And that single password to unlock them all doesn't appear to have to be as concise or as complex as once thought.
"Hopefully, it makes [creating passwords] a lot less like cleaning a toilet," Mr. Barrett said.