People hate creating new passwords, but many should

In a time before user names became online alter egos, the concept of a password implied a degree of exclusivity. Knowing the magic phrase that opened doors for social clubs or childhood spy games made you unique, put you one step ahead of those who couldn't get past the gatekeepers.

Today, in a world where passwords are the Internet's virtual keys and the average user has the equivalent of a janitor's key ring, the term brings to mind something a lot more accessible and a lot less fun: toilets.

A recent study found 38 percent of respondents would rather clean a toilet than be forced to create a new user name or password for a site. The 2012 Online Registration and Password Study, conducted by Portland, Ore.-based login company Janrain and by Harris Interactive, found 58 percent of respondents had five or more unique passwords, 30 percent had 10 or more and 8 percent had at least 21.

Who could blame them for dreading the idea of creating even more?

Fortunately, new research out of Carnegie Mellon University's CyLab Usable Privacy and Security Laboratory shows that users might benefit more from using longer passwords than from coming up with shorter passwords that meet laundry lists of complex requirements.

Early findings of the study show that users told to create complex passwords give up pretty easily. Most will either add a special character (a number or symbol) to the beginning or end of the original password; will reuse a password that is active on another site; or will just write down the complex term, giving anyone who finds the paper access to an account.

One solution that seemed to be helpful was requiring users to have passwords beyond the standard eight characters, lab director Lorrie Cranor said.

Participants who were instructed to create passwords that were at least 16 characters long created codes that were considerably stronger and easier to remember than those created by participants told to make complex eight-character passwords.

The study of more than 5,000 participants was conducted using Amazon's Mechanical Turk crowd-sourcing service in conjunction with the National Institute of Standards and Technology in Gaithersburg, Md.

Cranor said that researchers are studying the effectiveness of passwords with more than 16 characters, but she said they may have already found the sweet spot for users.

"I have a hunch that it will be somewhere around 16 characters with some complexity, but not as much complexity as some companies have now," she said.

Another feature that Cranor said was helpful was the inclusion of a password meter to measure effectiveness. However, she said, the meters need to have settings that force users to go beyond using ZIP codes, birthdays or other personal information to create legitimately strong passwords.

"If you make (users) work harder before telling them it's good, they will work harder," she said.

The right meter may force someone into a safer password, yet multiple studies show that, even with meters, users tend to gravitate toward generic, unimaginative passwords that have been proven hackable.

The 2010 Consumer Password Worst Practices White Paper, Imperva in Redwood Shores, Calif., studied a breach of 32 million passwords hacked from social gaming site in 2009. Nearly half of the millions of passwords hacked included dictionary or slang words, with the most popular being "123456."

According to the study, not much had changed from a major breach of Hotmail passwords that took place more than a decade ago.

Improving consumer password habits once and for all doesn't have to be as complicated as one might think, said Rob Rachwald, Imperva's director of security, who helped write the paper.

The study suggests that users abide by NASA's benchmark password standards that include having at least eight characters, but even NASA has upgraded to require a minimum of 12 characters. To make it easier to remember the lengthy passwords, Rachwald offered renowned security expert Bruce Schneier's idea of turning a sentence into one word. The study's example turns "This little piggy went to market" to "tlpWENT2m."

Print this article Back to Top