“Forget all the rules about uppercase and lowercase letters, numbers and symbols; your password just needs to be at least 12 characters, and it needs to pass a real-time strength test,” advises the passwords research group in Carnegie Mellon’s CyLab Security and Privacy Institute, which developed the meter (according to the Lab’s web site). CNET reports:
After a user has created a password of at least 10 characters, the meter will start giving suggestions, such as breaking up common words with slashes or random letters, to make your password stronger… One of the problems with many passwords is that they tick all the security checks but are still easy to guess because most of us follow the same patterns, the lab found. Numbers? You’ll likely add a “1” at the end. Capital letters? You’ll probably make it the first one in the password. And special characters? Frequently exclamation marks… In an experiment, users created passwords on a system that simply required them to enter 10 characters. Then the system rated the passwords with the lab’s password strength meter and gave tailored suggestions for stronger passwords. Test subjects were able to come up with secure passwords that they could recall up to five days later. It worked better than showing users preset lists of rules or simply banning known bad passwords (I’m looking at you “StarWars”)… Lorrie Cranor, director of the CyLab Usable Security and Privacy Laboratory at CMU, says the best way to create and remember secure passwords is to use a password manager. Those aren’t widely adopted, and they come with some trade-offs. Nonetheless, they allow you to create a random, unique password for each account, and they remember your passwords for you.