Passwords. Hate them or hate them, they just won’t die. Let’s be honest, nobody loves passwords; at best, they are a necessary evil, at worst, the weak link through which criminal attackers and law enforcement can access your data. Despite the best efforts of major technology companies to replace them with passkeys, the humble password remains with us. Yet infostealer malware has compromised hundreds of millions of credentials, attackers continually find new ways to trick you into handing them over, and now even recommended methods of creating strong and secure passwords are being shown to be less than optimal in the face of new research. Here’s what you need to know and do.
Creating ‘Strong Enough’ Passwords Advice Shot To Pieces
Over the years, there have been plenty of people trying to convince you that they know how to create perfect passwords. Most have been proven wrong. The use of 3,600 smiley face emojis was never going to solve the secure password problem, let’s face it. As Akhil Mittal, senior security consulting manager at Black Duck, said, “every few years, a so-called ‘fix’ for passwords emerges — longer passphrases, image-based logins and now emoji passwords.” In the real world, they all fall at the hurdle of predictability, reuse, and human error. But what about the secure password creation methods that are supported by the likes of the U.K. National Cyber Security Centre, for example? “Combine three random words to create a password that’s long enough and strong enough,” the NCSC said, the argument being that doing so will create passwords that are easy to remember but strong enough to keep the cybercriminals out. That advice, it seems, is now shot to pieces by new research.
Oh, The Irony — Law Enforcement Can Crack Three Random Word Passwords Quicker Than Ever
Given that it is the likes of law enforcement and security agencies that have advised consumers to employ a secure password construction method of using three random words, perhaps it should come as no surprise that new research has found that these bodies can benefit from people doing just that. The Optimizing Password Cracking for Digital Investigations report, authored by Mohamad Hachem, Adam Lanfranchi and Nathan Clarke from the University of Plymouth, along with Joakim Kavrestad from Jönköping University, has confirmed that “up to 77.5% of passwords” created this way can be “cracked using a 30% common-word dictionary subset.”
The researchers explored ways to crack passwords more efficiently as part of digital forensics processes during criminal investigations, and determined that the traditional methods using brute-force, dictionary and rule-based attacks “face challenges in balancing efficiency with increasing computational complexity.” The research they carried out sought to enhance the effectiveness of law enforcement password cracking using rule-based optimization techniques while minimizing the resources consumed.
The researchers discovered that by using “an optimized rule set that reduces computational iterations by approximately 40%,” they were able to significantly improve the speed at which passwords could be recovered. Furthermore, the results suggested that “while three-word passwords provide improved memorability and usability, they remain vulnerable when common word combinations are used.”
If Not Three Random Words, Then What Next For Secure Passwords?
Whether you want to keep your passwords secure against “the man” or the hordes of criminal attackers who want to compromise them, the question remains the same: what’s the most secure method of creating a password?
Honestly, the three random words approach isn’t all bad, and if you increase it to four or five random words, then those passwords become increasingly time-consuming and difficult to crack. They also become harder to remember, of course. Which is where the use of passphrases enters the equation. Instead of random words, create a passphrase that is memorable and long, but not obvious either. Most password managers will now create these passphrases for you. To be honest, though, if you are using a password manager, and you really should, then skip the passphrase and go straight for the stupidly long, random and complex password instead. I mean, you don’t have to remember it, that’s the job of your password manager application, so why worry about making something memorable? Better still, use a passkey. Your password manager can handle these for you as well, and they are way more secure than a lowly password.
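To put some numbers behind the "four or five words is much harder to crack" point, and behind the study's finding that common word combinations are the weak spot, here is a small worked example. It is added here as an illustration and is not code from the article, the NCSC, or the Plymouth and Jönköping researchers. It assumes a Diceware-style list of 7,776 words and an attacker guess rate of 10 billion guesses per second; both are assumptions for illustration, and the `fraction` parameter is a deliberately simplified way of modelling a user who only ever picks from the most common part of the list, not the study's actual method. The word list in the block is a constructed sample of 20 words, far too short for real use; the entropy figures are computed for the assumed 7,776-word list.

```python
import math
import secrets

# Constructed sample word list for the generator below. A real passphrase
# generator would use a list of several thousand words; this one is only
# here so the example runs offline.
SAMPLE_WORDS = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jigsaw", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber",
]

# Assumed figures for the illustration (not from the article or the study).
ASSUMED_DICT_SIZE = 7776          # a Diceware-style list
ASSUMED_GUESS_RATE = 1e10         # guesses per second


def keyspace_bits(n_words: int, dict_size: int, fraction: float = 1.0) -> float:
    """Entropy in bits of n_words chosen uniformly and independently from a
    list of dict_size words. `fraction` < 1.0 models a user who only ever
    picks from the most common part of the list (e.g. 0.3 for a 30% subset),
    which shrinks the effective dictionary an attacker needs to search."""
    effective = max(1, int(dict_size * fraction))
    return n_words * math.log2(effective)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret of `bits` bits at the
    given guess rate: on average half the keyspace must be tried."""
    return (2.0 ** bits) / guesses_per_second / 2.0


def generate_passphrase(n_words: int, wordlist=SAMPLE_WORDS, sep: str = "-") -> str:
    """Pick n_words with a CSPRNG (the secrets module), uniformly over the
    whole list, so the generator never favours 'common' words. This is the
    property a password manager's generator gives you and a human does not."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def strength_table(dict_size: int, guesses_per_second: float, max_words: int = 5):
    """Rows of (words, bits if chosen uniformly, bits if chosen from the
    top 30% of the list, expected crack time in seconds for the uniform case)."""
    rows = []
    for n in range(3, max_words + 1):
        full = keyspace_bits(n, dict_size)
        common = keyspace_bits(n, dict_size, 0.3)
        rows.append((n, round(full, 1), round(common, 1),
                     expected_crack_seconds(full, guesses_per_second)))
    return rows


if __name__ == "__main__":
    print(f"word list of {ASSUMED_DICT_SIZE} words, {ASSUMED_GUESS_RATE:.0e} guesses/s (assumed)")
    print("words  bits(uniform)  bits(top 30%)  expected crack time")
    for n, full, common, secs in strength_table(ASSUMED_DICT_SIZE, ASSUMED_GUESS_RATE):
        print(f"{n:>5}  {full:>13}  {common:>13}  {secs / 86400:>12.1f} days")
    print("generated:", generate_passphrase(5))
```

Two things fall out of running it. First, each extra uniformly chosen word adds about 12.9 bits under the assumed list, so going from three words to five turns an expected crack time of seconds into one of decades at the assumed guess rate; that is the "increasingly time-consuming" effect in concrete terms. Second, restricting the choice to the most common 30% of words costs only a couple of bits per word in this simplified model, so the 77.5% success rate the study reports says less about the method than about how strongly real users cluster on a small number of favourite words. The fix the article recommends follows directly: let the password manager pick the words (or the whole random password), because its generator samples uniformly and has no favourites.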