
How to create stronger passwords by using data-driven feedback

Check out researchers' password meter on GitHub to see how the open source web app determines a password's strength and then uses data-driven feedback to make it stronger.


Even with the disdain heaped on digital passwords, they still manage to survive, and dare I say thrive? Adding insult to injury, "password" is likely the most popular password in use.

It is a pretty safe bet that anyone reading this article is well aware why using "password" as a password is not a good idea. So rather than preach to the choir, let's look at why "password" is such a popular password and learn about a painless way to improve password selection.


Common problems with password meters

It does not take long for professionals new to cybersecurity to realize that convenience typically wins over security, which is why "password" and "123456" are the most popular passwords. It is just human nature, and there's no getting around it—or is there?

Some people might suggest using password meters. While password meters are great at informing us about whether passwords are strong enough according to current best practices, do they actually help?

"One of our findings is that password meters do not yield much improvement in helping users choose passwords for unimportant accounts, yet they are commonly deployed in such contexts," write the authors of the research paper Does My Password Go up to Eleven? The Impact of Password Meters on Password Selection (PDF). "Equally, where meters make a difference—password changes for important accounts—they are less often seen. Thus, practice at real sites appears to be very far from what our results dictate. This indicates a real opportunity for improvement."

There is another problem with password meters: If a password is deemed to be unacceptable, the user has to guess how to strengthen the password, and usually tries to do so multiple times and then ends up frustrated with the process. (Readers of this article likely know how to strengthen a password to appease a password testing app.)

"Instead of having a meter say, 'Your password is bad,' we thought it would be useful for the meter to say, 'Here's why it's bad and here's how you could do better,'" says Nicolas Christin, a professor in Carnegie Mellon University's Engineering and Public Policy department in this press release by Daniel Tkacik.


Why data-driven feedback makes a difference

This team of researchers from Carnegie Mellon University and the University of Chicago was on a quest to help users create strong passwords, and they focused on the fact that most passwords are relatively easy to recover with password crackers and rainbow tables.

"The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords," said Blase Ur, lead author on the study and currently an assistant professor at the University of Chicago's Department of Computer Science. "For example, if you change 'Es' to '3s' in your password, that's not going to fool an attacker."

"The key result is that providing the data-driven feedback makes a huge difference in security compared to just having a password labeled as weak or strong," continues Ur in the press release. "Our new meter leads users to create stronger passwords that are no harder to remember than passwords created without the feedback."

In the press release, Tkacik writes that in order to compile data-driven feedback, the researchers developed an artificial neural network—a large, complex map of information that resembles the way neurons behave in the brain. "The network 'learns' by scanning millions of existing passwords and identifying trends," continues Tkacik. "If the meter detects a characteristic in a password that it knows attackers may guess, it tells the user."
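To make the "here's why it's bad and here's how you could do better" idea concrete, the following is an added toy example (not the CMU meter's code, which uses a neural network trained on millions of leaked passwords). It assumes a small constructed list of breached passwords and a handful of hand-written pattern checks in place of the learned model, and returns reasons and remedies rather than a bare weak/strong label.

```python
import re

# Constructed stand-in for the millions of leaked passwords a data-driven
# meter learns from; the real meter uses a neural network, this is a toy.
BREACHED = {"password", "123456", "qwerty", "letmein", "summer", "monkey", "dragon"}

# Substitutions attackers undo first ("Es to 3s", as Ur puts it).
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
SEQUENCES = ("0123456789", "abcdefghijklmnopqrstuvwxyz", "qwertyuiop", "asdfghjkl")


def normalize(pw):
    """Strip trailing digits/symbols and undo leet-speak to recover the base word."""
    base = re.sub(r"[0-9!@#$%^&*._-]+$", "", pw.lower())
    return base.translate(LEET)


def has_run(pw):
    """True if any 3-character slice is a keyboard, number or alphabet run."""
    s = pw.lower()
    return any(s[i:i + 3] in seq for seq in SEQUENCES for i in range(len(s) - 2))


def feedback(pw):
    """Return (score 0-3, reasons): each reason says why the password is
    guessable and what to change, instead of a bare weak/strong label."""
    reasons = []
    base = normalize(pw)
    if base in BREACHED or pw.lower() in BREACHED:
        reasons.append(f"'{base or pw}' appears in breached-password lists; "
                       "leet substitutions and trailing digits do not hide it")
    if re.search(r"(.)\1\1", pw):
        reasons.append("three or more repeated characters are a common pattern")
    if has_run(pw):
        reasons.append("sequential runs like 123 or qwe are tried early by crackers")
    if re.fullmatch(r"[A-Z][a-z]+[0-9!@#$%^&*.]*", pw):
        reasons.append("capitalized word plus digits/symbol at the end is the "
                       "most common structure; put symbols in the middle instead")
    if len(pw) < 12:
        reasons.append("under 12 characters; add unrelated words rather than symbols")
    return max(0, 3 - len(reasons)), reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd!", "Summer2017!", "correct horse battery staple"):
        print(candidate, feedback(candidate))
```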

The research team has a working model of their password meter online. Figure A depicts a password that is reasonably strong, but could easily be made stronger by heeding the advice listed. A nice feature is that the feedback is presented in real time as the user is typing in the information.

Figure A: Screenshot of the research team's password meter giving real-time feedback on a candidate password. Image: Carnegie Mellon University and the research paper's authors

The team has open sourced the password meter on GitHub. "There's a lot of different tweaking one could imagine doing for a specific application of the meter," Ur told Tkacik. "We're hoping to do some of that ourselves, and also engage other members of the security and privacy community to help contribute to the meter."

Other authors of the study included current CMU students Jessica Colnago, Henry Dixon, Pardis Emami-Naeini, Hana Habib, Noah Johnson and William Melicher; former CMU students Felicia Alfieri and Maung Aung; Lujo Bauer, associate professor in the ISR and the Electrical and Computer Engineering Department; and Lorrie Faith Cranor, professor of computer science and engineering and public policy.

Final thought

The lowly password has received a great deal of tech press coverage. Until it is officially retired, it seems prudent to support password authentication and efforts to improve its effectiveness.

About Michael Kassner

Information is my field...Writing is my passion...Coupling the two is my mission.
