How science selects a password policy

There's no shortage of advice for how CISOs should design password policies. Cycle passwords every six months. Must include a special character, a capital and a lower case. Minimum of eight characters.

But as anyone who has seen their parents' passwords can attest, it's easy to follow basic rules and still come up with an easy to crack password. After all, "Password1!" is almost as easy to brute force as "password."

Carnegie Mellon University's CyLab will present a paper next month on a scientifically backed password policy, allowing users to efficiently select passwords.

CyLab researchers Josh Tan, Lujo Bauer, and Nicolas Christin, as well as director Lorrie Cranor developed password policies that leverage a system merging machine learning and over 20 heuristics to check password strength into a password strength meter. That meter was capable of telling users specifically what is keeping their password from being secure.

SC Media spoke with Bauer and Cranor about the new paper. The conversation has been edited for clarity and length.

What's the matter with just giving people the same advice sysadmins have always given - a capital letter, a symbol and a new password every 45 minutes?

LC: A lot of the things that people have been told over the years have not been based on science. Security administrators have been desperate to stop accounts from being compromised, and every time there there's a breach that gets publicized they say "We've got to do more!" and just kind of tack on some things that seem like maybe they'll help without any actual evidence as to whether or not they will help.

We actually started doing this research about ten years ago after Carnegie Mellon University changed its password policy. We started wondering well, why did they pick that policy? We went and talked to the powers-that-be and they pointed to some NIST guidance on password policies and we found that it wasn't fully based on science. It actually said in it that we don't have enough data on passwords to figure out what the best policy is. So we thought, well, let's get some data on passwords and actually figure out what policy is going to be best. It turns out it took us about ten years.

So, then, how do you scientifically develop a stronger password policy?

LB: You see how long does it actually take the attacker to guess particular passwords because ultimately the best password is the one that the attacker can't guess pretty easily. On the flip side, you figure out how people react when they have to create passwords under a particular policy, whether they can remember them later or have to cut and paste.

One of the things we starting to do four or five years ago is to try to use machine learning to model the passwords people create and these models can be used to essentially order passwords from most likely to at least likely, From all the passwords that have been leaked from all the password leaks, the machine can learn what do passwords look like, what more common passwords look like compared to less common passwords. From that, you can develop algorithms that approximate how well an attacker might be able to crack different passwords. So we test took several different algorithms and we assumed that whichever algorithm would guess the passwords first is the worst-case scenario.

What have you learned by taking a scientific approach to password policies?

LC: One thing we've taken away from running these algorithms is that adding more characters to a password makes them more resistant to this sort of attack, but adding more symbols and different character classes gives you less bang for your buck.

Our paper has some very concrete recommendations and one of the things that we found in our most recent paper is that instead of telling users you have to follow these particular rules for character classes and length and all of these things, we can just tell them a password needs to be greater than a particular strength as measured by that machine learning with a length requirement.

Password strength meters already existed. How does the new paper change what already exists?

LC: Unlike a lot of the strength metered out there that just tell you like your password is bad, our password meter uses heuristics based on our research to offer concrete guidance. So for example, if you create the password and you put a digit at the end our password meter might suggest that you move your digit to the middle of the password. The advice it gives you is tailored to the specific password that you've typed in so far.

LB: Things like words that are on a list of popular passwords should not be included, digits and symbols in the middle are stronger than at the end capital letters in the middle are stronger than capital letters in the beginning. That's a critical thing is that we can choose which heuristics would be most useful in this particular case because it's always all these heuristics are always valid in some sense, but you don't want to give a person twenty rules to create their password.

Joe Uchill

Joe is a senior reporter at SC Weekly, focused on policy issues. He previously covered cybersecurity for Axios, The Hill and the Christian Science Monitor’s short-lived Passcode website.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.