What if someone told you that you could use some of the words from your all-time favorite song as your password? Not only that, but that it could actually be as effective as some difficult-to-remember imbroglio like Ge0rg34m@gr!|| — you know, something like what your IT department sends you as a start-up password.
Would you doalittledancemakealittlelovegetdowntonight?
If your answer is yes, yes, you would do a little dance … and get down tonight, good news! A recent study by some really smart people at Carnegie Mellon University, “Effect of Grammar on Security of Long Passwords,” found that the use of long, sentence-like or phrase-like passwords like the one above is increasing among people looking for easier-to-remember passwords. Not only that, but such passwords could be “a promising user authentication mechanism.”
The really smart people, otherwise known as researchers, looked at the role of “grammatical structures underlying such passwords in diminishing the security of passwords.” In layman’s terms, they asked whether the grammar of a phrase makes it easier to crack than the letter-number-symbol jumbles we’re all so familiar with. The answer was: somewhat. A cracking program that assumes a passphrase is an English sentence only has to try the words that fit each slot (a pronoun here, a verb there, a noun after that), so a long phrase is not automatically as strong as a random string of the same length. The flip side is that a long phrase still forces the program through far more guesses than a short jumble does, as long as the phrase isn’t a predictable sentence or a well-known line.
The researchers went into the study viewing text-based passwords as involving a trade-off between usability and security. “System assigned passwords and user-selected passwords subject to complex constraints (e.g. including mixed-case, symbols and digits) are harder to guess, but less usable,” the researchers wrote. “Conversely, simple, memorable user-selected passwords offer poor resilience to guessing.”
In order to find a compromise, researchers and organizations have begun recommending the use of longer user-selected passwords with simpler composition.
The idea isn’t particularly new. Security pros have been using similar passphrases for years, albeit somewhat differently. This trick takes a sentence and then uses the first letter of every word. For example: “I love pizza 3 times a week” would be ilp3taw. You can be really clever and add capital letters and a special character or two, like iLp3T@w. One caveat: what a cracking program actually sees is a seven-character password, not the sentence behind it, so this trick buys you memorability rather than the length advantage of a full phrase.
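To put rough numbers on the comparison the article is drawing, here is a small added example (written for this page; it is not code from the article or from the Carnegie Mellon study). It turns a sentence into the first-letter mnemonic described above, then estimates the guess-space in bits for the IT-department-style password, the mnemonic, a phrase of the same word count drawn uniformly from a word list, and that same phrase when the attacker knows its grammatical template. The character-class sizes, the 7,776-word list, the part-of-speech slot sizes and the KNOWN_PHRASES list are all assumptions constructed for the example.

```python
"""Added example for this page (not from the article or the CMU study):
rough guess-space estimates for the password styles being compared."""
import math
import re
from typing import Dict, Sequence

# Constructed stand-in for the lyric/quotation wordlists that password
# crackers are commonly loaded with. Stored normalised: lower-case, no spaces.
KNOWN_PHRASES = {
    "doalittledancemakealittlelovegetdowntonight",
    "maytheforcebewithyou",
    "tobeornottobe",
}

# Assumed sizes: 95 printable ASCII characters and a 7,776-word
# (Diceware-style) word list.
PRINTABLE_ASCII = 95
WORDLIST_SIZE = 7776
WORD_RE = re.compile(r"[A-Za-z0-9]+")


def first_letter_mnemonic(sentence: str) -> str:
    """The first-letter trick: 'I love pizza 3 times a week' -> 'Ilp3taw'."""
    return "".join(word[0] for word in WORD_RE.findall(sentence))


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer must cover, judged by the character classes used."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"[0-9]", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += PRINTABLE_ASCII - 62  # the 33 punctuation characters
    return size


def brute_force_bits(password: str) -> float:
    """Guess-space in bits for an attacker who knows only the length and the
    character classes present. This is what complexity rules try to maximise."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def uniform_words_bits(num_words: int, dictionary_size: int) -> float:
    """Words chosen uniformly and independently from one word list."""
    return num_words * math.log2(dictionary_size)


def grammar_bits(slot_sizes: Sequence[int]) -> float:
    """Phrase that follows a fixed template (pronoun, verb, noun, ...). Each
    slot draws from a smaller part-of-speech list, so a cracker that knows the
    template has fewer candidates per word than the whole word list. This is
    the effect the CMU study examined."""
    return sum(math.log2(size) for size in slot_sizes)


def is_known_phrase(phrase: str) -> bool:
    """Levin's warning: a phrase others could guess is a poor choice. Case,
    spaces and punctuation are stripped first, as a cracker would do."""
    normalised = re.sub(r"[^a-z0-9]", "", phrase.lower())
    return normalised in KNOWN_PHRASES


def compare(sentence: str, slot_sizes: Sequence[int]) -> Dict[str, float]:
    """Bits of guess-space for the styles the article contrasts, all built
    from the same sentence so the numbers line up."""
    mnemonic = first_letter_mnemonic(sentence)
    num_words = len(WORD_RE.findall(sentence))
    return {
        "complex_14_chars": brute_force_bits("Ge0rg34m@gr!||"),
        "mnemonic_" + mnemonic: brute_force_bits(mnemonic),
        "uniform_%d_words" % num_words: uniform_words_bits(num_words, WORDLIST_SIZE),
        "grammar_template": grammar_bits(slot_sizes),
    }


if __name__ == "__main__":
    sentence = "I love pizza 3 times a week"
    # Assumed slot sizes for the template pronoun / verb / noun / number /
    # noun / determiner / noun, e.g. 50 pronouns and 2,000 common nouns.
    template = [50, 500, 2000, 10, 200, 10, 2000]
    for style, bits in compare(sentence, template).items():
        print("%-24s %6.1f bits" % (style, bits))
    for candidate in (sentence, "Do a little dance, make a little love, get down tonight"):
        print("%-58s known phrase: %s" % (candidate, is_known_phrase(candidate)))
```

Read the numbers as upper bounds on an attacker who knows nothing beyond the structure: the seven-word phrase scores far above the seven-character mnemonic, but once the template is known it drops to roughly the level of the 14-character jumble, and a cracker with real statistics of English does better still, which is the study's point. The known-phrase lookup is the cheap check behind the warning later in the article: a line everybody knows is already in the wordlist.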
“If one could use biometric encryption, that’s certainly better, but even biometrics have been spoofed,” said Adam Levin, co-founder of Credit.com and author of “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.” “But in situations where biometrics are not available, a passphrase is probably a better option than a typical password.”
Also, with a phrase, you could create a variety of different passwords out of that single phrase, Levin explained. Add a couple of letters in the front for a particular website and a couple of numbers in the back, and you can have a different password for every site, all of which will be fairly easy to remember.
“Also, there’s less tendency to use an overly simple or flat-out bad password like ‘password’ if you use phrases,” Levin said.
It’s also important to remember that a significant percentage of identity theft occurs among family and friends, Levin warned, so “if it’s a phrase you use frequently that someone could guess, it’s probably not a good option.”
As the really smart people at Carnegie Mellon wrote: “More research is necessary to fully understand the effect of structures on long passwords,” but passphrases are definitely worth considering as one way to keep your accounts secure.
Remember, identity thieves can strike at any time. To guard against identity theft, it’s important not just to keep your passwords or passphrases strong and secure, it’s also wise to monitor all of your financial accounts on a regular basis, as well as your credit. If an identity thief has stolen some of your information to open a new account in your name, it will impact your credit scores.
You can monitor your credit scores for free twice a month on Credit.com. Any unexpected changes in your score could signal identity theft, and you should pull copies of your credit reports (you can do that for free once a year) to investigate further. Acting fast can help protect your credit and your finances.