Systems increasingly demand a mixture of letters, numbers, punctuation and capitalization for passwords.

This pa$$w0rd is not very secure: CMU studies reveal best and worst in passwords

Paul Sakuma/Associated Press

The perfect password would be both unpredictable and memorable, but that’s a tough combination, said Lorrie Faith Cranor, director of Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory.

As a leading researcher on passwords, she’s seen thousands of them, and they’re rarely as clever as their creators imagined.

How about 1qaz2wsx? Sorry, that diagonal march down the left side of the keyboard is well known to hackers, whose cracking programs try lists of the most common passwords and keyboard patterns first, firing guesses at a system machine-gun style.

And if the hacker wants you specifically, they’ll check your social media for, say, the names of your pets.

CyLab student Blase Ur last month traveled to Seoul, South Korea, to present the lab’s most recent paper on passwords. The bottom line: “Random is best, but random is hard to remember,” so it’s important to find the right balance, Ms. Cranor said. “We’ve been looking at what are the ways that you can actually make passwords stronger without actually driving users crazy.”

So what’s good?

Long passwords — 12 characters or more — are much harder to predict than short ones, regardless of their composition, said Ms. Cranor.

Systems increasingly demand a mixture of letters, numbers, punctuation and capitalization.

That’s more secure, but can be far better if the capital letters are not at the beginning and the punctuation is not at the end, she said. If you always capitalize, say, the third letter in your passwords, that quirk can improve security while remaining memorable.

CMU’s studies indicate that exclamation points are the most popular password punctuation, so anything else would probably be better.

Beyond the obvious dumb passwords — 12345678, iloveyou, pa$$w0rd — Ms. Cranor advised avoiding your mother’s maiden name, children’s names or birthdays, or other easily identifiable trivia from your well-documented life. Random words strung together would be better than common phrases.
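As an added illustration, not code from CMU's study or from the article, here is a small Python checker that mechanically flags the predictable habits Ms. Cranor describes: fewer than 12 characters, a password that appears on a common-password list, a keyboard walk such as 1qaz2wsx, a capital letter only at the start, punctuation only at the end, and an exclamation point as the sole punctuation. The six-entry common-password list and the QWERTY adjacency rule are constructed simplifications; real cracking tools draw on wordlists of millions of leaked passwords and far richer pattern models.

```python
"""Flag the predictable password patterns named in the article.
Added example, not CMU or Post-Gazette code. COMMON_PASSWORDS is a
constructed stand-in for the huge leaked-password lists attackers use."""
import string

COMMON_PASSWORDS = {
    "12345678", "iloveyou", "pa$$w0rd", "password", "qwerty123", "1qaz2wsx",
}

# Rows of a US QWERTY keyboard, used to detect "walks" along adjacent keys.
KEYBOARD_ROWS = [
    "`1234567890-=",
    "qwertyuiop[]\\",
    "asdfghjkl;'",
    "zxcvbnm,./",
]

PUNCT = set(string.punctuation)


def _neighbors(ch):
    """Keys physically adjacent to ch: left/right on the same row, and the
    three columns c-1..c+1 on the rows above and below (an approximation of
    the staggered key layout, good enough for spotting '1qaz' or 'asdf')."""
    out = set()
    for r, row in enumerate(KEYBOARD_ROWS):
        c = row.find(ch)
        if c < 0:
            continue
        for dc in (-1, 1):
            if 0 <= c + dc < len(row):
                out.add(row[c + dc])
        for dr in (-1, 1):
            if 0 <= r + dr < len(KEYBOARD_ROWS):
                out.update(KEYBOARD_ROWS[r + dr][max(0, c - 1):c + 2])
    return out


def longest_keyboard_walk(pw):
    """Length of the longest run of consecutive characters that are each
    adjacent on the keyboard to the one before (case-insensitive)."""
    pw = pw.lower()
    best = run = 1 if pw else 0
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if cur in _neighbors(prev) else 1
        best = max(best, run)
    return best


def assess(pw):
    """Return a list of findings for pw; an empty list means none of the
    article's predictable patterns was detected."""
    findings = []
    if len(pw) < 12:
        findings.append("shorter than 12 characters")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if longest_keyboard_walk(pw) >= 4:
        findings.append("contains a keyboard walk")
    caps = [i for i, ch in enumerate(pw) if ch.isupper()]
    puncts = [i for i, ch in enumerate(pw) if ch in PUNCT]
    digits = [i for i, ch in enumerate(pw) if ch.isdigit()]
    if not (caps and puncts and digits):
        findings.append("lacks a mix of capitals, digits and punctuation")
    if caps and caps == [0]:
        findings.append("only capital is the first character")
    if puncts and puncts == [len(pw) - 1]:
        findings.append("only punctuation is the last character")
    if puncts and all(pw[i] == "!" for i in puncts):
        findings.append("uses '!' as its only punctuation")
    return findings


if __name__ == "__main__":
    for candidate in ("1qaz2wsx", "Password1!", "pa$$w0rd",
                      "orbit-Velvet7-canyon-lamp"):
        print(candidate, "->", assess(candidate) or "no predictable patterns")
```

Run the module to see the four constructed candidates scored; the random-word password with a capital in the middle and punctuation between words comes back clean, while the keyboard walk, the capital-first-bang-last password and pa$$w0rd each trip several checks.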

“Song lyrics?” she said. “Not such a good idea.”

Rich Lord: rlord@post-gazette.com, 412-263-1542 or on Twitter @richelord.

First Published: May 4, 2015, 7:39 p.m.
