Research: Unusual, Unpopular Passwords Are Simple and Most Secure

Microsoft researchers studied password security and concluded that popular passwords pose a bigger risk to online security than weak ones.

Microsoft researchers studied password security and concluded that popularity is everything. Enterprises might be interested to discover that a simple but unusual password is the best defense against statistical-guessing attacks. In fact, the study found that popular passwords are easy to guess and pose a bigger risk to online security than weak ones.

Many websites enforce "strong" password policies, requiring users to include symbols, mixed case, and numbers, and to meet a minimum length. These rules help guard against dictionary attacks, but they make passwords harder for users to remember. Limiting the number of login attempts before locking a user out is one of the easiest password safety measures. A study published on the Microsoft Research site argues that forcing users to pick unusual passwords is another part of the solution.

Microsoft researchers Cormac Herley and Stuart Schechter, and Harvard University Computer Science professor Michael Mitzenmacher came together on a research paper, "Popularity is Everything: A new approach to protecting passwords from statistical-guessing attacks." If users are forced to choose "unpopular" passwords, instead of "strong" ones, it can provide a better defense against a type of attack known as "statistical guessing." For organizations with millions of users, like Microsoft Hotmail, researchers propose a system that would count how many times any user on the service chooses a specific password. When more than a small, limited number of users pick the same password, that password is then banned. No one else would be allowed to use it.
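The popularity limit described above can be demonstrated with a small service-side check. The following is an added example, not code from the paper or from Microsoft: it keeps a count-min sketch (a fixed-size table of counters indexed by several keyed hashes) rather than a plaintext table of password frequencies, estimates how many users already chose a candidate password, and rejects the candidate once that estimate reaches the limit. The class name, the `limit`, `width` and `depth` parameters, and the use of HMAC-SHA256 with a server-side secret for the hash positions are assumptions of this example. A count-min sketch can only overestimate a count, so the check errs on the side of rejecting a password (a usability cost), never on the side of admitting an over-popular one.

```python
import hashlib
import hmac
import os
from typing import Iterator, Optional, Tuple


class PasswordPopularityLimiter:
    """Hypothetical popularity check for a password-registration service.

    Instead of storing each password with its frequency (which would be a
    ready-made list of the most valuable guesses if the table leaked), the
    service keeps a count-min sketch: `depth` rows of `width` counters.
    Each password maps to one counter per row; its popularity estimate is the
    minimum counter across rows, which is never below the true count.
    """

    def __init__(self, limit: int, width: int = 1 << 16, depth: int = 4,
                 key: Optional[bytes] = None) -> None:
        self.limit = limit          # max users allowed to share one password
        self.width = width
        self.depth = depth
        # Server-side secret so counter positions cannot be recomputed from
        # the table alone (assumption of this example).
        self.key = key if key is not None else os.urandom(32)
        self.table = [[0] * width for _ in range(depth)]

    def _positions(self, password: str) -> Iterator[Tuple[int, int]]:
        """Yield (row, column) for each sketch row, using a keyed hash."""
        data = password.encode("utf-8")
        for row in range(self.depth):
            digest = hmac.new(self.key, bytes([row]) + data, hashlib.sha256).digest()
            yield row, int.from_bytes(digest[:8], "big") % self.width

    def estimate(self, password: str) -> int:
        """Upper-bound estimate of how many users chose this password."""
        return min(self.table[row][col] for row, col in self._positions(password))

    def try_register(self, password: str) -> bool:
        """Record the choice and return True, or return False (reject) if the
        password's estimated popularity has already reached the limit."""
        if self.estimate(password) >= self.limit:
            return False
        for row, col in self._positions(password):
            self.table[row][col] += 1
        return True


if __name__ == "__main__":
    # Constructed demo: at most 3 users may share any one password.
    limiter = PasswordPopularityLimiter(limit=3)
    for attempt in range(4):
        print("P@ssw0rd", attempt + 1, limiter.try_register("P@ssw0rd"))
    print("fkwgshqum", limiter.try_register("fkwgshqum"))
```

In the demo the fourth user to pick `P@ssw0rd` is rejected while the unusual `fkwgshqum` is accepted, regardless of how either password scores under a composition policy. In production the limit would be set relative to the size of the user base, and the sketch's width and depth chosen so that the false-rejection rate stays acceptable.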

The authors wrote, "Replacing password creation rules with popularity limitations has the potential to increase both security and usability. Since no passwords are allowed to become too common, attackers are deprived of the popular passwords they require to compromise a significant fraction of accounts using online guessing."

According to Threat Post, Microsoft researcher Herley told them, "The rules around password length and composition are an attempt to get users to choose passwords that withstand brute-forcing and guessing. But users appear to hate them, and we don't have good ways of measuring whether and by how much they help withstand attack. The less direct approach almost certainly forbids users from things that might be perfectly good password choices, just because they don't conform to a certain policy. For example, 'fkwgshqum' is probably a far better password than 'P@ssw0rd' even though many policies would reject it while allowing the latter."

This password system has not been implemented, but researchers believe it is a way to create easy-to-recall passwords that do not make a system more vulnerable to hackers. The researchers wanted to get feedback from the security community, so they released their study to more than 200 computer security researchers from around the world at the annual Symposium on Usable Privacy and Security. The focus of the symposium was to discuss approaches for making computers simultaneously more usable and more secure.

Microsoft researchers presented another study at the symposium, "Where Do Security Policies Come From?" According to the study, the websites with the strictest password requirements are those whose users have no ability to shop around, such as large universities' webmail systems and the U.S. Social Security Administration. Unlike financial institutions, these organizations have no monetary incentive to balance security against usability. The security policy paper states, "Most organizations have security professionals who demand stronger policies, but only some have usability imperatives strong enough to push back. When the voices that advocate for usability are absent or weak, security measures become needlessly restrictive."

Follow me on Twitter @PrivacyFanatic