To make strong passwords user-friendly and less burdensome, both Baker and the CMU researchers suggest using a password manager, which can generate and store a different, scientifically strong password for each of your accounts.
“Password managers are not a magic pill,” CMU researcher Lujo Bauer told Consumer Reports, “but for most users they’ll offer a much better combination of security and convenience than they have without them. Everyone should be using one.”
Again, it’s one thing to tell users about password managers, and another to educate them.
“We encourage infosec teams to identify the tools they feel are right for their organization and to clearly communicate the benefits to their employees,” says Baker. “For example, we feel it’s not particularly helpful to simply ask users to install a password manager. It would be more effective to recommend a specific tool and provide instructions about where to get it and how to install it.”
3 Tips for Creating Stronger Passwords
For those who go it alone and create their own passwords, the researchers offer the following tips:
- Use at least 12 characters, with at least two or three different types of characters in unpredictable places. “Don’t put your capital letters at the beginning or your digits or symbols at the end,” they caution.
- Avoid including personal information, such as birth dates or the names of people, pets or sports teams. Also avoid song lyrics, patterns, and common phrases, they advise, “especially anything related to ‘love’ in any language.”
- Make something new: “Create a sentence that no one’s ever said before and use the first letter or two of each word as your password, mixing in other types of characters,” the article states.
The researchers also strongly caution against password reuse and advise users to implement two-factor authentication on accounts when it’s available. Learn more about how to prevent risks at Proofpoint Wisdom, security awareness conference.