By Joseph Steinberg for Forbes

If you have followed the advice of “experts” and created long passwords containing letters, numbers, and symbols in order to keep your online banking account protected and your data secure, you may be in for an unpleasant surprise.

A new paper built on five years of research by a team led by three professors from Carnegie Mellon University, and which will be presented tomorrow at the Human Computer Interaction conference in Korea, shows how long, “complex” passwords can often be far more easily and quickly cracked than most people would tend to believe.

Like most password vulnerabilities, the core problems that the Carnegie Mellon team describes stem from human weaknesses and the relative predictability of human behavior; as a result of our limited minds, people often create passwords in ways that make them far weaker than mathematics would suggest.

In a previous article I discussed how many common recommendations about passwords actually undermine security because they don’t account for limitations of human memory; the Carnegie Mellon study delves even deeper.

One key finding that the team confirmed (through research on groups of people asked to create passwords with all sorts of technical requirements and then recall them days later) was that when people are told that a password must include both letters and a minimum of one number, they typically create a password in which every character but one is a letter and place the number at the end of the password. Mathematically speaking, the regularity of such a scheme dramatically lowers the number of possibilities that hacking engines would need to guess in order to crack a password with brute force. While certainly not all passwords follow such a model, a criminal utilizing an engine that exploits knowledge of such human predictability is likely to successfully breach many accounts far faster than one who does not.

The study also found that when password requirements demanded a minimum length of 16 characters, people tended to repeat words within their passwords – curtailing by orders of magnitude the effort that a hacking engine armed with knowledge of human behavior would need to make in order to compromise many accounts. (Some people obviously repeat words within passwords shorter than 16 characters, but at 16 characters a consistent pattern of this problem emerges.)

Serious vulnerabilities were also discovered via semantic analysis. For example, by reviewing a large corpus of English language data – the Carnegie Mellon team used the content of Wikipedia, song lyrics, Google’s corpus of bigrams and trigrams, a baby names dictionary, and a pet names dictionary among others – educated predictions can be made about what characters and words follow one another within a password or passphrase. A passphrase that begins “mybonnielies” is going to continue “overtheocean” far more often than raw mathematical probability would suggest. This issue applies to passwords as well; to illustrate with a simple example (the example is from me, not from the study), consider that if the first eight characters of an alphanumeric password are “BarackOb,” the real-world odds that the next three are “ama” are far higher than their theoretical odds of 1 in 238,328 (62 × 62 × 62, one choice out of 62 letters and digits for each of the three positions).

Leveraging knowledge of the aforementioned weaknesses and many others described in the paper, the Carnegie Mellon team created a password guessing engine, and a system for rating passwords based on how difficult they are to guess. Not surprisingly, many longer passwords are far easier to guess than shorter ones. The engine was tested in an actual password cracking competition at DEFCON; it came in first.

I spoke with Prof. Cranor, who told me that she hopes that eventually password-strength meters displayed at the time of password creation will incorporate knowledge of these human weaknesses; the Carnegie Mellon team is actually building such technology, which it plans to release as open source.

In the meantime, here is some practical advice based on what Prof. Cranor mentioned to me when we spoke:

The Carnegie Mellon study confirmed that when special characters are required within passwords, people disproportionately place them at the start or end of the password – so, if you create a password containing symbols, put them somewhere else within the password. If you are establishing a password policy for a sensitive system that needs a complex password, require these characters to appear somewhere other than at either end of the password. Be careful, however, not to force users to remember too complex a password, so as not to increase the risk of people writing them down in insecure locations, and understand that requiring people to place a special character in the middle of their passwords may make them far more frustrated with the password policy than if they were allowed to position the symbols at the beginning or end. Please see my earlier article for other warnings in this regard.
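To make the policy advice concrete, here is a small Python checker I have added as an illustration; it is my own code, not the Carnegie Mellon team’s guessing engine or the strength meter they are building. It flags the three shapes discussed above (all letters with the number tacked on the end, symbols only at the first or last position, and a repeated chunk of the kind the 16-character requirement produced) and compares the search space “mathematics would suggest” with the much smaller space a guesser faces once it knows which class of character sits at each position. The sample passwords, the thresholds, and the crude per-position model are all my assumptions, chosen only to show the effect.

```python
"""Password-structure checks for the patterns described in the article.

Added example, not code from the Carnegie Mellon study.  The sample
passwords, the 3-character minimum for a repeated chunk, and the per-position
keyspace model are constructed assumptions for illustration only.
"""
import math
import re
import string
from typing import List, Optional

SYMBOLS = set(string.punctuation)


def trailing_digits_only(pw: str) -> bool:
    """True for the 'all letters, then the number at the end' shape.
    Symbols at either end are ignored, so '!Sunflower7' still matches."""
    core = pw.strip(string.punctuation)
    return re.fullmatch(r"[A-Za-z]+\d+", core) is not None


def symbols_only_at_ends(pw: str) -> bool:
    """True when the password contains symbols and every one of them is
    the first or the last character."""
    positions = [i for i, c in enumerate(pw) if c in SYMBOLS]
    return bool(positions) and all(i in (0, len(pw) - 1) for i in positions)


def repeated_chunk(pw: str, min_len: int = 3) -> Optional[str]:
    """Longest case-insensitive chunk of at least min_len characters that
    occurs twice without overlapping, e.g. 'password' in 'passwordPASSWORD16'.
    Returns None when no such chunk exists."""
    s = pw.lower()
    for width in range(len(s) // 2, min_len - 1, -1):
        for start in range(len(s) - 2 * width + 1):
            chunk = s[start:start + width]
            if chunk in s[start + width:]:
                return chunk
    return None


def naive_keyspace_bits(pw: str, alphabet_size: int = 62) -> float:
    """Bits of search space if every position could be any of alphabet_size
    characters (62 = letters plus digits): the figure 'mathematics would suggest'."""
    return len(pw) * math.log2(alphabet_size)


def structured_keyspace_bits(pw: str) -> float:
    """Bits of search space once a guesser knows the character class at each
    position: letter (52), digit (10) or symbol (len(string.punctuation)).
    Assumption: a crude per-position model, far weaker than a real guessing
    engine, but enough to show how structure shrinks the space."""
    bits = 0.0
    for c in pw:
        if c.isdigit():
            bits += math.log2(10)
        elif c.isalpha():
            bits += math.log2(52)
        else:
            bits += math.log2(len(string.punctuation))
    return bits


def policy_violations(pw: str) -> List[str]:
    """Apply the article's advice as policy checks.  An empty list means none
    of the flagged patterns was found; the caller decides whether to reject."""
    problems = []
    if trailing_digits_only(pw):
        problems.append("digits only at the end")
    if symbols_only_at_ends(pw):
        problems.append("symbols only at the ends")
    chunk = repeated_chunk(pw)
    if chunk:
        problems.append(f"repeated chunk '{chunk}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, not taken from any real account or study data.
    for sample in ["Sunflower7", "!Sunflower7", "passwordPASSWORD16", "Sun7flo!wer"]:
        print(f"{sample!r}: {policy_violations(sample) or 'no flagged pattern'}")
    pw = "BarackObama1"
    print(f"{pw!r}: naive {naive_keyspace_bits(pw):.1f} bits, "
          f"structure known {structured_keyspace_bits(pw):.1f} bits")
```

Only the last sample, with the digit and the symbol in the middle, passes all three checks; the bit counts for “BarackObama1” shrink from roughly 71 to roughly 66 merely from knowing which positions hold letters and which hold the digit, before any semantic knowledge of the kind the study used is applied.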

Consider what the “highest probability characters” are as you create a password – and don’t use them; leveraging our prior example, from a practical standpoint “BarackObQ9h” is going to be far harder to crack than “BarackObama.”

Don’t create overly strong passwords when they are not needed, if by doing so you will make yourself unable to remember the important passwords. Using a long, complex password on one or two especially sensitive sites might be a good idea, but applying such a scheme to any significant number of passwords is likely to lead to people inappropriately reusing passwords, writing down passwords, and choosing passwords with poor randomization – any of which can seriously undermine security. Remember this as well if you are establishing password policies for your organization.
