Why Your Complex Passwords Might Not Be As Secure As You Think

We have all heard the advice that in order to protect our information and online accounts we should create and use “complex” passwords that include a mix of capital and lower case letters, numbers, and special characters. Following such advice theoretically yields passwords that are more difficult for unauthorized parties to guess or crack with hacking tools than passwords consisting solely of a word lifted from the English dictionary. Reality, however, tells us that while complex passwords usually provide better security than do most English words on their own, these “strong passwords” often fall far short of delivering on their potential security benefits.

First, due to the limitations of human memory, complex passwords are more likely to be written down than English words used as passwords – meaning that utilizing complex passwords increases the risk of passwords being exposed through insecure storage. People who don’t write down their passwords experience another issue – how many times have each of us forgotten a complex password and had to go through a frustrating process to have it reset? And, of course, if the process of resetting the password involves simply clicking a reset link sent to an email account protected with a weak password, access control is no more secure than the weak password protecting the email account.

Likewise, because large numbers of complex passwords are hard to remember, people often reuse complex passwords, placing “many eggs in a single basket.” If a hacker breaches one system on which a particular password is used, all systems on which the same password is used could potentially be put at risk.

Storing complex passwords in a smartphone or computer app is also no panacea: password storage apps place numerous pieces of sensitive information in one place – i.e., also putting “all eggs in one basket” – and must, therefore, be secured with strong security. Properly protecting such apps and the data that they store is not trivial, since the password data must be extractable, and, therefore, cannot be protected with the one-way encryption (hashing) commonly used to protect password databases. Furthermore, if a password storage app were ever infected with malware – or even if the phone running it were ever infected by certain types of advanced malware – the impact on a person using the app to store all of his or her passwords could be devastating.

In addition to the risks created by human memory limitations, there is a major concern about how strong the complex passwords truly are, and how well they stand up to hacking tools. Research shows, for example, that the actual security provided by complex passwords is often far less than one would expect based on the password’s theoretical strengths. One major issue with complex passwords was discussed in a paper published several years ago by a research team from Carnegie Mellon University, which explained that predictable human tendencies often dramatically undermine the strength of complex passwords, and that as password length requirements grow, so do the number of characters that people typically repeat within their chosen passwords. As a result of these and other expected human behaviors, password cracking systems that leverage an understanding of human tendencies can process expected permutations first, and thereby crack many “complex passwords” orders-of-magnitude faster than pure mathematical probability would suggest.

How should you best address these issues?

1. If you must create a complex password of the type mentioned above – spread lower case letters, capital letters, numbers, and special characters throughout the password – do not place the capital letter at the start, and do not place the number and special character at the end.

2. Do not repeat significant sections within passwords.

3. If your system will allow longer passwords, consider using the password-creation strategy that I discuss in the article How To Create Strong Passwords That You Can Easily Remember – yes, you can create strong passwords that are far easier to remember than a complex sequence of random characters.