The science on password security vs usability
Researchers at Carnegie Mellon University’s CyLab Security and Privacy Institute have developed a science-based policy for creating passwords that balances security and usability.
In their work, the researchers verified what most users already knew: Including upper case letters, digits and symbols has a negative impact on usability. Surprisingly, the team also found those kinds of requirements don’t increase password strength as much as others, said CyLab Director Lorrie Cranor, who is also a professor in the Institute for Software Research and the department of Engineering and Public Policy.
In a paper providing practical recommendations for better passwords, the team demonstrated that minimum-strength and minimum-length requirements are sufficient even for high-value user accounts, that blocking the use of certain passwords is not as effective as often assumed unless carefully configured and that forcing users to include special characters “may provide very little improvement and may even reduce effective security.”
Rather than incorporating numbers and symbols, passwords just need to be 12 characters long – if they can pass a real-time strength test the researchers developed in 2016. The neural-network-powered password-strength meter gives users a password-security score and offers suggestions and explanations in real-time for creating a stronger password.
Through online experiments, the researchers evaluated the security and usability of different combinations of minimum-length requirements, character-class requirements, minimum-strength requirements and password blocklists. They asked participants to create and recall passwords under random password policies and found that requiring both a minimum strength and a minimum length of 12 characters created a good balance between security and usability.
“Although blocklist and minimum-strength policies can produce similar results,” university officials said, “minimum-strength policies [can be] flexibly configured to a desired security level, and they are easier to deploy alongside real-time requirements feedback in high-security settings.
The paper will be presented at the November ACM Conference on Computer and Communications Security, which will be held virtually.
Connect with the GCN staff on Twitter @GCNtech.