Researchers from Carnegie Mellon University and the University of Chicago have developed a neural-network-powered login system that rates the strength of a password before allowing it to be used.
The system checks the choice against a database of passwords exposed in breaches over recent years, to make sure it is not already a known quantity to attackers. It also understands the difference between genuinely strong and merely strong-looking construction: choose something that today's brute-force tooling can crack quickly (swapping symbols and digits for letters, for example, a trick that a standard cracking rule set undoes in a single step) and it will warn of the danger.
Is this the answer to getting users to choose 'strong and stable' login credentials, and how can users best be cajoled into using better passwords? SC Media UK has been looking for the answers.
David Emm, principal security researcher at Kaspersky Lab, likes the Carnegie Mellon development, not least because it provides "real-time feedback on why we're about to create a poor password". He adds, however, that it must come as part of a broader approach to educating people about passwords: the carrot-and-stick debate, in other words.
Sarah Janes, managing director at Layer8, recalls that this was the topic of her dissertation in the early 2000s. "Fast forward and the consequences of poor security are better understood and there are systems in place to monitor how we use passwords," she insists, adding, "On its own, just forcing a password policy is not enough. People still need to understand context and process."
Cath Goulding, head of information security at Nominet, is in general agreement there. She told SC, "When it comes to changing staff behaviour around passwords and security, we've found that it's much more effective to create a culture of company security awareness and responsibility, alongside the more traditional and formal training sessions."
The idea is that more rounded, holistic training that addresses every aspect of an employee's online life, personal as well as professional, encourages them to develop good habits by prompting them to think laterally about the different ways they are at risk.
Lawrence Munro, VP of SpiderLabs at Trustwave, still thinks "a certain amount of stick is needed" as "users tend to be lazy when it comes to choosing passwords". Whilst not dismissing the importance of carrots in the debate, Munro insists that "at a minimum companies should mandate character length. Eight-character passwords can be cracked in less than twenty-four hours in most cases; however, a ten-character password can take an estimated 591 days."
Coming back to the Carnegie Mellon password strength meter variation, Javvad Malik, security advocate at AlienVault, thinks such tools can have a positive influence on users creating better passwords. "Giving users more information as to why a password is weak can definitely help," he says, but looking forward, "it would be useful to shift terminology to passphrases as opposed to passwords".
Mark James, security specialist at ESET, agrees that end-users should be educated to "construct unique passwords from phrases or statements that they are already familiar with". The point is that a brute-force or pattern-matching attack either matches the password exactly or fails; a guess that merely 'looks close' earns the attacker nothing.
Ian Trump, global cyber security strategist at SolarWinds, told us simply that "passwords should not exist in a vacuum" and added that "any password on its own is almost useless as a security solution".
He makes a good point, and it could be argued that debating entropy levels or password complexity in isolation is a waste of time. "An 8 or 10-character password salted and hashed in a database is fine," Trump concludes, "so long as authentication of users is protected by additional layers, and at a minimum with 2FA."
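What "salted and hashed, plus 2FA" looks like in code, as an added example that is not from the original article or any product mentioned in it: each password gets its own random salt and is stretched with PBKDF2-HMAC-SHA256 (the iteration count follows OWASP's 2023 guidance), verification uses a constant-time comparison, and the login succeeds only if a TOTP code (RFC 6238, built on RFC 4226 HOTP) also matches. The record format and the `authenticate` function are this example's own conventions; the TOTP secret used in the usage note is the RFC 6238 test-vector key.

```python
import hashlib
import hmac
import os
import struct

PBKDF2_ITERATIONS = 600_000   # OWASP (2023) figure for PBKDF2-HMAC-SHA256
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$hash_hex.
    A fresh random salt means two users with the same password get different
    records, so a leaked database cannot be attacked with one precomputed table."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count and
    compare in constant time, so timing does not leak how many bytes matched."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


def authenticate(record: str, password: str, totp_secret: bytes,
                 code: str, now: int) -> bool:
    """Both factors are always evaluated, and both must pass."""
    password_ok = verify_password(record, password)
    code_ok = hmac.compare_digest(totp(totp_secret, now), code)
    return password_ok and code_ok


if __name__ == "__main__":
    # RFC 6238 test-vector secret; at unix time 59 the SHA-1 code is 287082.
    secret = b"12345678901234567890"
    record = hash_password("correct horse battery staple")
    print(record)
    print("login:", authenticate(record, "correct horse battery staple", secret, "287082", now=59))
```

A production login would also accept codes from the adjacent time steps to tolerate clock drift and would rate-limit attempts; both are left out here to keep the two checks visible.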
Destiny Bertucci, the wonderfully-titled head geek at SolarWinds, adds that large organisations should also consider investing in "quality password vaults to help employees become more comfortable with security management best practices, which will in turn assist in stronger password creation and management".
Robert Capps, VP of business development at NuData Security, reminds us that "forced resets, coupled with prior requirements to force users to generate passwords based on a random assortment of specific characters, have actually degraded password security, not made it better." Since organisations are unlikely to replace passwords with other forms of authentication in the near future, making passwords more secure is the best hope we have for now.
So is a tool such as the neural network one the answer? Professor Steven Furnell, senior IEEE member and professor of Information Systems Security at Plymouth University, thinks so. He told SC that "in our own recent research, with 300 users, we found that simply making guidance available on-screen alongside the password box reduced weak-rated choices from 75 per cent down to 45 per cent."
We will leave the last word with Norman Sadeh, professor of computer science at Carnegie Mellon University and a member of its CyLab faculty, as well as Chief Scientist at Wombat Security. "Carnegie Mellon University's research shows that password strength is not always intuitive," Sadeh told SC. "The tool developed at CMU can help users evaluate the strength of passwords with greater certainty."
And that, we can hopefully all agree, has to be a good thing...