
Could This Be the Perfect Password Policy?

A team of Carnegie Mellon University researchers has developed a policy for creating passwords that they believe strikes the ideal balance between security and usability.

As you've surely experienced firsthand when creating a password, most websites will insist that you include uppercase letters, special characters, and numbers to make it more complex. While this does make your passwords harder to guess, it also makes them harder to remember.


The magic number?

According to a new study, 12 might be the magic number. A team of researchers at Carnegie Mellon's CyLab Security and Privacy Institute assert that for a password to be truly strong, it only needs to be at least 12 characters long and pass a real-time strength test they've developed.

The team's password strength meter was developed in 2016 and is powered by an artificial neural network. This means that instead of merely indicating whether a password is weak or strong, it will offer suggestions specific to what has been typed in, recommending changes and explaining how they would improve the strength of the password.

In order to reach their conclusion, online experiments were conducted, where participants were asked to create and recall passwords under randomly assigned password policies. “We found that a policy requiring both a minimum strength and a minimum length of 12 characters achieved a good balance between security and usability,” says Nicolas Christin, a professor at Carnegie Mellon and one of the researchers behind the study.


Memory game

However, there is one bad password habit that this policy needs a little extra help combating, and the password meter itself clearly acknowledges it: password reuse.

Password reuse is at the very top of the meter's list of "Strategies for Making a Strong Password". It is essentially what credential stuffing relies on, and to get around it, the meter recommends using a password manager. Unless you only have the one account, memorizing dozens, or even hundreds, of unique passwords simply can't be done; our brains are just not capable of it.

But this raises one big question: should passwords even need to be memorizable if a password manager is being used to store and autofill them? If the human brain is taken out of the equation, would a string of 100 randomly generated characters not make for a stronger password than 12 semi-coherent ones? If the password meter's own advice is to be put into practice, this should be a no-brainer.
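As an added example, not code from the study or from MYKI: a Python policy check that enforces both rules the study describes (a minimum length of 12 and a minimum strength) beside a manager-style random generator, so the strength of 12 chosen characters can be compared with 100 generated ones. The character-class strength estimate, the 60-bit threshold and the common-password list are simplified assumptions standing in for the CMU neural-network meter, not an implementation of it.

```python
import math
import secrets
import string

# Constructed, very short stand-in for a breached/common-password list.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein"}

# Assumed generator alphabet: letters, digits and punctuation (94 symbols).
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def estimate_bits(password: str) -> float:
    """Crude strength estimate: log2(pool) per character, where the pool is the
    union of character classes present. Stand-in for the CMU meter, not a port."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_policy(password: str, min_length: int = 12, min_bits: float = 60.0) -> tuple[bool, str]:
    """Apply both rules from the study: minimum length AND minimum strength.
    The 60-bit threshold is an assumed value, not one taken from the paper."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "password appears in a common-password list"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    bits = estimate_bits(password)
    if bits < min_bits:
        return False, f"estimated strength {bits:.1f} bits is below {min_bits:.0f} bits"
    return True, f"ok ({bits:.1f} bits)"


def generate_password(length: int = 100) -> str:
    """Manager-style generation: uniform CSPRNG choice from the full alphabet."""
    return "".join(secrets.choice(GENERATOR_ALPHABET) for _ in range(length))


def generated_bits(length: int) -> float:
    """Entropy of a uniformly generated password: length * log2(|alphabet|)."""
    return length * math.log2(len(GENERATOR_ALPHABET))


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "abcdefghijkl", "MyPassw0rd!!"]:
        print(candidate, check_policy(candidate))
    print("100 generated chars:", f"{generated_bits(100):.0f} bits")
```

A 12-character password drawn from the full alphabet has roughly 79 bits under this estimate; a 100-character generated one has about 655, which is the gap the paragraph above is pointing at.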


With its built-in password generator, the MYKI Password Manager and Authenticator makes it easy to create unique and complex passwords, which can be securely stored, autofilled, and synced across all your devices.

Download the MYKI Password Manager and Authenticator app on mobile or desktop, or sign up for MYKI for MSPs or MYKI for Teams today and start taking control of your digital identity.
