Today, 5 May, we celebrate World Password Day. As Security and Privacy is one of the main research foci at INESC-ID, and one of the institute's major Thematic Lines, we wanted to give our contribution to improving the strength of everyone's passwords.

Miguel Correia — researcher within the Distributed, Parallel and Secure Systems (DPSS) INESC-ID Research Area and Strategic Coordinator of the Security and Privacy Thematic Line — suggests using “strings of at least 10 characters that do not appear in a dictionary as passwords, mixing letters, digits and signs”.

“The two main problems with textual passwords are [that] most people choose predictable passwords (even the ones they think they don’t) and [that] most people reuse passwords between different services” commented João Ferreira, INESC-ID researcher within the Automated Reasoning and Software Reliability (ARSR) Research Area. João Ferreira is also one of the Principal Investigators of the PassCert Project (which aims to “build an open-source, proof-of-concept [password manager] that through the use of formal verification, is guaranteed to satisfy properties on data storage and password generation”), a CMU Portugal Exploratory Research Project.

From the perspective of a user choosing a strong password, João Ferreira has a few suggestions:

  • Use at least 12 characters, drawn from at least two or three different classes (lowercase, uppercase, digits and symbols);
  • Characters must appear in unpredictable positions, i.e., avoid putting capital letters at the beginning of the password and digits at the end of the password;
  • Avoid using dictionary words or familiar expressions (e.g. sayings, parts of song lyrics, etc.);
  • Do not use patterns like “1234” or “abcd”, keyboard patterns like “qwerty” or “cvbnm”, or acronyms like “SCP”, “SLB” or “FCP”;
  • Ensure the chosen password does not appear in any known data breaches (e.g., check it against a service such as Pwned Passwords).
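As an added example (not code from the post or from the PassCert project), the Python below turns the checklist above into a checker and adds the breach lookup from the last item the way Pwned Passwords implements it: only the first five hex characters of the password's SHA-1 are sent to the range endpoint, and the remaining 35 characters are compared locally against the returned “SUFFIX:COUNT” lines, so the service never sees the password or its full hash. The thresholds are the post's own (12 characters, at least two classes); the word list, the pattern lists and the sample range response are deliberately tiny constructed stand-ins, and the breach counts in that sample are made up (only the matching suffix is the real SHA-1 tail of “password”).

```python
import hashlib
import re

# Thresholds taken from the post's checklist.
MIN_LENGTH = 12
MIN_CLASSES = 2

# Constructed, deliberately tiny stand-ins (assumption: a real deployment
# would load a full word list and query the Pwned Passwords range API).
DICTIONARY_WORDS = ("password", "welcome", "summer", "dragon", "benfica")
KEYBOARD_OR_SEQUENCE = ("1234", "abcd", "qwerty", "cvbnm", "asdf")
ACRONYMS = ("scp", "slb", "fcp")


def character_classes(pw: str) -> int:
    """Count how many of lowercase / uppercase / digit / symbol occur in pw."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ])


def check_password(pw: str) -> list:
    """Return the list of checklist rules pw violates (empty means all passed)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(pw) < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    # Predictable positions: the only capital is the first character,
    # or every digit sits in one run at the very end.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        problems.append("capital letter only at the start")
    if re.fullmatch(r"[^0-9]*[0-9]+", pw):
        problems.append("digits only at the end")
    low = pw.lower()
    for word in DICTIONARY_WORDS:
        if word in low:
            problems.append(f"dictionary word: {word}")
    for pat in KEYBOARD_OR_SEQUENCE:
        if pat in low:
            problems.append(f"keyboard/sequence pattern: {pat}")
    for acr in ACRONYMS:
        if acr in low:
            problems.append(f"acronym: {acr}")
    return problems


def hibp_range_query(pw: str):
    """Split SHA-1(pw) into the 5-hex-char prefix that is sent to
    https://api.pwnedpasswords.com/range/<prefix> and the 35-char suffix
    that stays on the client (k-anonymity lookup)."""
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(pw: str, range_response: str) -> int:
    """Compare the local suffix against 'SUFFIX:COUNT' lines of a range
    response; 0 means the password is absent from the corpus for that prefix."""
    _, suffix = hibp_range_query(pw)
    for line in range_response.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


# Constructed sample of a range response for prefix 5BAA6 (the prefix of
# SHA-1("password")). The first suffix is the genuine tail of that hash;
# the counts and the other two suffixes are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:123456
0A1B2C3D4E5F60718293A4B5C6D7E8F9A0B:3
1234567890ABCDEF1234567890ABCDEF123:1
"""


def evaluate(pw: str, range_response: str) -> list:
    """Checklist rules plus the breach check, as one list of findings."""
    problems = check_password(pw)
    hits = breach_count(pw, range_response)
    if hits:
        problems.append(f"seen {hits} times in known breaches")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1234", "password", "v7#Qp2!mxLz9@ws"):
        print(candidate, "->", evaluate(candidate, SAMPLE_RANGE_5BAA6) or "OK")
```

Offline, the sample response stands in for the HTTP call; to use the real service, fetch the range for the prefix returned by `hibp_range_query` and pass the response body to `breach_count` unchanged. The substring match on three-letter acronyms is intentionally blunt and will occasionally flag a random string; that is the conservative failure mode for a checker of this kind.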

Happy World Password Day!