
The trick to choosing a password that's easy to remember but hard to crack

Humans are bad at remembering complex passwords.

Computer experts and tech-savvy users have long lamented the absurdity of teaching people to use passwords that are hard for humans to use but easy for computers to guess - an irony of effort beautifully captured in this much-loved web comic by Randall Munroe of xkcd.

The absurdity of passwords. Illustration: xkcd, CC BY-NC 2.5

But relief is in sight with the rise of the passphrase - a new password standard that champions length over complexity.

Rather than requiring passwords to include capital letters and special symbols - like so: !f33dM3! - passphrases require more characters, usually between 16 and 64 (like this: nooneunderstandshowmuchilovebacon).

New research from Carnegie Mellon University is the latest to confirm that passphrases make excellent passwords for two reasons. Firstly, length is almost as good as randomness at resisting hacking attacks. And, secondly, words and phrases are far easier for humans to remember.

Cyber security expert Matthew Warren, professor of information systems at Deakin University, said traditional passwords were more susceptible to "brute force" cracking programs.  


Brute force attacks systematically test every possible combination of letters, numbers and symbols until they find the one that works. It's akin to trial-and-error on steroids, which is why length matters: longer passwords are exponentially more difficult to crack.

"Because algorithms can be applied, a brute attack can break those passwords just through sheer logical sequence," Professor Warren said.

"But with passphrases … there's a greater number of possibilities of what that password could be. So the passphrase is much, much more secure."
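As an added illustration of the length-versus-complexity argument above (example code written for this page, not from the article or the researchers it cites), the following compares the search space of the article's two sample credentials under a character-level brute-force model and under a word-level dictionary model. The guess rate and dictionary size are assumed figures, not from the article.

```python
import math
import string

# The article's own two sample credentials.
COMPLEX_PASSWORD = "!f33dM3!"
PASSPHRASE = "nooneunderstandshowmuchilovebacon"

# Assumptions (not from the article): an offline cracking rig trying 1e11
# guesses/second against a fast unsalted hash, and an attacker word list of
# 20,000 common English words for word-level attacks on passphrases.
GUESSES_PER_SECOND = 1e11
DICTIONARY_SIZE = 20_000

CHAR_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                string.digits, string.punctuation)


def charset_size(secret: str) -> int:
    """Alphabet an exhaustive attacker must cover: the union of every
    character class the secret actually uses (26/26/10/32)."""
    return sum(len(cls) for cls in CHAR_CLASSES if any(c in cls for c in secret))


def brute_force_space(secret: str) -> int:
    """Candidates in a character-by-character search over the secret's
    alphabet at its exact length; the model in which length dominates."""
    return charset_size(secret) ** len(secret)


def dictionary_space(word_count: int, dictionary_size: int = DICTIONARY_SIZE) -> int:
    """Candidates if the attacker knows the passphrase is word_count dictionary
    words run together. A common phrase or lyric is weaker still: it sits
    in phrase lists directly, which is the article's warning about idioms."""
    return dictionary_size ** word_count


def bits(space: int) -> float:
    """Search space expressed as bits (log2 of the candidate count)."""
    return math.log2(space)


def years_to_exhaust(space: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed guess rate."""
    return space / rate / (365.25 * 24 * 3600)


if __name__ == "__main__":
    for label, space in (
        ("complex 8-char password, char brute force", brute_force_space(COMPLEX_PASSWORD)),
        ("33-char passphrase, char brute force", brute_force_space(PASSPHRASE)),
        ("33-char passphrase as 8 dictionary words", dictionary_space(8)),
    ):
        print(f"{label}: {bits(space):6.1f} bits, {years_to_exhaust(space):.3g} years")
```

The 8-character complex password covers about 52 bits and falls in under a day at the assumed rate, while the lowercase passphrase exceeds 100 bits even when the attacker guesses whole words rather than characters.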

Traditional password rules try to force us to choose more complex passwords by requiring special characters and a mix of upper- and lower-case letters. However, this has the unintended consequence of encouraging people to commit another security faux pas, Professor Warren said.

"People are bad at remembering [complex passwords] and also, people are lazy. So they might remember one complex password but then they use that one password for every account," he said.

"Users go for the path of least resistance."

Earlier this year, the National Institute of Standards and Technology in the US, which oversees government computer policy, recommended overhauling passwords and abandoning the practice of forcing users to change their passwords regularly.

Security experts and privacy advocates have welcomed the move.

Passwords today are "completely unusable", NIST senior adviser Paul Grassi told The Washington Post.

"Users forget, which creates all sorts of cyber security problems, like writing it down or reusing them."

The trick with passphrases is to avoid popular or common phrases, such as song lyrics or idioms.

Michelle Mazurek, one of the Carnegie Mellon University researchers, now at the University of Maryland, College Park, recommended users test potential passphrases by typing the first part into Google and seeing if the search engine auto-completes it.

Of course, the passphrase also has disadvantages, Professor Warren said. Again, it comes down to human error.

"Many password authentication systems … only accept typed passwords, so there's a greater chance of people making a typing mistake when entering a long phrase of text."

Nevertheless, there are stirrings of change among government agencies and businesses overseas, which are increasingly likely to allow longer passwords.

"Once it's been adopted in America or Europe, the rest of the world starts to use it," Professor Warren said.

"Certainly in the next few years you'll see a lot more of it happening in Australia."