Best practices for password security

Research into password guessing attacks concludes that length buys more security than mixing character sets
By Gus Venditto
03:43 PM

Passwords have become one of modern life's more annoying routines. None of us is happy when our office email or bank asks us to take a comfortable password and turn it into something that resembles a missile launch code.

Clinicians who need to log in and out of systems throughout the day can be forgiven for uttering choice expletives when asked to re-set passwords while caring for patients.

Strong passwords are an essential front line defence in protecting data and systems. So what is the best way to create an effective password policy?

A new study suggests that length is the most important factor, more effective than the current trend of requiring a mix of numbers and upper- and lowercase letters.

The work, presented at a security conference held by the Association for Computing Machinery, or ACM, found that "simple strategies based on the number of characters and the presence of special characters such as uppercase characters, digits and symbols" are inadequate against modern attacks.


Matteo Dell'Amico, a researcher at Symantec Research Labs, and Maurizio Filippone, a researcher at Eurecom, presented their work in a paper titled "Monte Carlo Strength Evaluation: Fast and Reliable Password Checking." They analysed the techniques employed in password guessing attacks and then replicated the attacks in a lab environment.

They believe that many of the password attacks being used are "probabilistic guessing schemes" that use public databases of leaked passwords as training sets, "improving their capability to guess even passwords that have not been leaked." More than one million passwords are now available from leading websites such as LinkedIn, eHarmony, Evernote and Adobe. The researchers used these data sets in building their test platform.

Dell'Amico and Filippone concluded that requiring both letters and numbers does little to increase password strength. They speculated the reason may be that when both letters and numbers are used, the patterns are predictable: numbers are used at the end of the password most of the time. And while uppercase characters can improve the strength of a password, the value is limited because uppercase characters are usually found at the beginning of the phrase, making them easier to guess.

Symbols were found to be more valuable in improving password strength, in part because they are used at less predictable locations within the password string.
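The probabilistic guessing described above and the positional patterns it exploits, as an added example that is not the authors' code or data: a first-order character Markov model is trained on a constructed stand-in for a leaked list, and the paper's Monte Carlo estimator (the mean of 1/P(s) over sampled passwords s more probable than the target) approximates how many guesses a candidate password would survive. The sample list, the candidate passwords, the smoothing constant and the sample size are all assumptions made for this illustration.

```python
import random
import string
from collections import Counter, defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
START, END = "\x02", "\x03"  # sentinel tokens; never part of a real password
# Constructed stand-in for a leaked list (not real leak data); it follows the
# pattern the study describes: capital letter first, digits at the end.
LEAKED_SAMPLE = [
    "Password1", "Password1", "password", "Summer2014", "Welcome1",
    "Monkey123", "Qwerty12", "Letmein1", "Football7", "Baseball1",
    "Princess1", "Sunshine2", "Dragon99", "Michael1", "Jessica1",
    "Abc123", "Charlie1", "Hello123", "Trustno1", "Password123",
]

class MarkovModel:
    """First-order character model P(next | previous) with additive smoothing."""
    def __init__(self, corpus, alpha=0.001):
        self.alpha, self.symbols = alpha, ALPHABET + END
        self.counts = defaultdict(Counter)
        for pw in corpus:
            for prev, ch in zip(START + pw, pw + END):
                self.counts[prev][ch] += 1
    def transition(self, prev, ch):
        row = self.counts.get(prev, Counter())
        return (row[ch] + self.alpha) / (sum(row.values()) + self.alpha * len(self.symbols))
    def prob(self, pw):
        p = 1.0
        for prev, ch in zip(START + pw, pw + END):
            p *= self.transition(prev, ch)
        return p
    def sample(self, rng, max_len=40):
        out, prev = [], START
        while len(out) < max_len:  # truncation at max_len is rare and ignored here
            row = self.counts.get(prev, Counter())
            ch = rng.choices(self.symbols, [row[s] + self.alpha for s in self.symbols])[0]
            if ch == END:
                break
            out.append(ch)
            prev = ch
        return "".join(out)

def draw_samples(model, n, seed=0):
    rng = random.Random(seed)
    return [model.sample(rng) for _ in range(n)]

def estimate_guesses(model, target, samples):
    """Monte Carlo guess-number estimate: 1 + mean of 1/P(s) over samples s more probable than target."""
    p_target = model.prob(target)
    heavier = [1.0 / model.prob(s) for s in samples if model.prob(s) > p_target]
    return 1.0 + sum(heavier) / len(samples)
```

Moving the digit to the front ("1Password") already costs the model-trained guesser far more work than "Password1", and a long lowercase passphrase costs more still, which is the length-over-composition point the study makes.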

The least secure systems are those that limit passwords to 8 characters.

And while it was not part of the study, it is safe to assume that passwords that are difficult for clinicians to remember are most likely to be found on Post-It notes on a computer monitor.