The Myth of the “Strong” Password

Last updated: 21 March 2014

Which password do you think is easier for a hacker to crack – “Th3r3 can only b3 #1!” or “Hammered asinine requirements”? According to some new research from Carnegie Mellon University’s Institute for Software Research, it’s actually the former that is the weaker password.  Why?  Because the password “Th3r3 can only b3 #1!” has grammatical structure and that, according to the researchers, makes it easier to crack.

I found this research really interesting because it delves deeper into the makings of a good password than I’ve ever seen before. The team tested more than 1,400 passwords containing 16 or more characters against a grammar-aware password-cracking algorithm that they created. And while they found that passwords with grammatical structure can undermine security, it gets even more complicated. The kind of words you use matter, too. Pronouns are easier to guess than proper nouns, so a password like “Shehave3cats” will be easier to crack than a password like “AndyHave3cats.” The lead researcher, Ashwini Rao, said, “I’ve seen password policies that say, ‘Use five words.’ If four of those words are pronouns, they don’t add much security.”
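To make the “pronouns add little” point concrete, here is an added example (not code from the CMU researchers or from this post) that estimates the guess space of a spaceless passphrase the way a grammar-aware cracker would reason about it: it segments the password into dictionary words and digit runs, tags each token with a word class, and multiplies the class sizes. The lexicon and the class sizes are constructed, illustrative values, not figures from the study.

```python
import math
from functools import lru_cache

# Constructed, illustrative word-class sizes (assumed; not the CMU study's numbers).
CLASS_SIZE = {
    "pronoun": 20,          # she, he, they, I, ...
    "verb": 1_000,
    "noun": 5_000,
    "proper_noun": 20_000,  # first names
}
VOCAB = sum(CLASS_SIZE.values())  # size of a flat, class-agnostic word list

# Tiny constructed lexicon; a real tool would use a part-of-speech dictionary.
LEXICON = {
    "she": "pronoun", "he": "pronoun", "they": "pronoun", "i": "pronoun",
    "have": "verb", "has": "verb", "can": "verb", "be": "verb",
    "cats": "noun", "dog": "noun", "requirements": "noun",
    "andy": "proper_noun", "mary": "proper_noun",
}

def segment(password):
    """Split a spaceless password into (token, class) pairs using the lexicon.
    Digit runs are tagged 'number'. Returns None if no full segmentation exists."""
    s = password.lower()

    @lru_cache(maxsize=None)
    def best(i):
        if i == len(s):
            return []
        for j in range(len(s), i, -1):  # longest match first
            chunk = s[i:j]
            if chunk.isdigit():
                cls = "number"
            elif chunk in LEXICON:
                cls = LEXICON[chunk]
            else:
                continue
            rest = best(j)
            if rest is not None:
                return [(chunk, cls)] + rest
        return None

    return best(0)

def grammar_guesses(password):
    """Guesses a grammar-aware attacker needs: product of each slot's class size."""
    tokens = segment(password)
    if tokens is None:
        raise ValueError("cannot segment %r with the toy lexicon" % password)
    total = 1
    for word, cls in tokens:
        total *= 10 ** len(word) if cls == "number" else CLASS_SIZE[cls]
    return total

def flat_guesses(password):
    """Guesses if every slot were drawn from the whole word list plus one digit."""
    return (VOCAB + 10) ** len(segment(password))

def bits(guesses):
    return math.log2(guesses)
```

Under these assumed sizes “Shehave3cats” costs about 30 bits of guessing and “AndyHave3cats” about 40 bits, while a flat word-list model credits both with roughly 59 bits; the gap is the structure a grammar-aware cracker exploits.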

Research like Carnegie Mellon’s is really valuable because today, many people still do use passwords for access to their online accounts and enterprise networks, and we need to be aware of which passwords are better than others. But that doesn’t take away from the fact that passwords are and always will be inherently weak and insecure. Even the best password in the world can be hacked; it’s just a matter of how long it will take. That “Hammered asinine requirements” password may be better than “Th3r3 can only b3 #1!”, but it still can be hacked in 3.5 hours. That’s 3.5 hours between a hacker and your bank account details, or your enterprise data.

Only multiple factors of authentication – something you know along with something you have and/or something you are – can make your online transactions truly secure.  I think that banks, online service providers, and enterprises do understand the critical need for higher levels of security.  I know many of them are planning to implement stronger, multi-factor access security if they haven’t already.  And I hope that those that are putting it off realize that the time to make a change is now.