These researchers say they have found the best way to create strong passwords thanks to science

A group of researchers from CyLab, Carnegie Mellon University's security and privacy laboratory, has presented a study in which they say they have arrived at a password-creation policy that produces passwords that are both easy to remember and more secure, and that is backed by experimental evidence.

After more than a decade studying the problem, they say this policy strikes the right balance between security and usability: "Forget all the rules about uppercase and lowercase letters, numbers and symbols; your password only needs at least 12 characters and must pass a real-time strength test developed by researchers."

Adding symbols, special characters and numbers just for the sake of it is of little use


According to the data collected during the study, requiring capital letters, symbols, numbers and other special characters does not increase password strength as much as other requirements do, and it tends to hurt the usability of the resulting password.

In fact, a similar conclusion was reached some years ago by Bill Burr, the same person who originally recommended that we use special characters and change passwords regularly. "It is completely useless," he said; for Burr, the most important property of a strong password is now its length.


CyLab's researchers have spent years of work trying to prove this. In 2016 they built a password strength meter powered by an artificial neural network that was small enough to run inside a web browser.

Once you have typed a password of at least 10 characters, the meter starts offering concrete suggestions to make it stronger and reach a minimum strength threshold, for instance adding another character or breaking up a common word.

With that meter, the researchers began experimenting with combinations of password-creation policies. Participants were asked to create and later recall passwords under randomly assigned policies, such as a minimum length, mandatory special characters, or a blocklist of insecure passwords (things like 123456 or qwerty).


The ideal minimum length is 12 characters


Participants were asked to imagine that they had just learned their email provider had suffered a data breach and that they needed to change their password immediately. A few days later they were asked to recall that password, which served as the usability measure for the policy they had been assigned.

The researchers found that a policy requiring both a minimum strength (as judged by their meter) and a minimum length of 12 characters achieved a good balance between security and usability.

It is less tedious for a user to type a longer password than one with more special characters, and it also turns out to be more secure

In short, the study found that minimum-strength policies can protect against password-guessing attacks whether they push users toward more character classes or toward longer passwords. Raising the minimum length, however, buys that security at a lower usability cost, measured by the time it takes users to create a password that meets the requirement and by how annoying they find the process.


A complementary measure is for services to maintain a blocklist of insecure passwords that users are not allowed to choose. The researchers recommend that such lists be built from commonly leaked passwords, so that a user cannot pick one that is already circulating in breach data.
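To make the policy concrete, here is an added example (not the researchers' code, and not their neural-network meter) of a server-side validator that enforces the two rules the article describes, a 12-character minimum and a blocklist of leaked passwords, and that returns concrete suggestions in the spirit of the meter's feedback ("add a character", "break up a common word") rather than a bare "weak/strong" verdict. The blocklist is a small constructed set; the fuzzy matching that strips digits and symbols before comparing, and the substring check for embedded common words, are assumptions of this example, not something the article specifies.

```python
import re

MIN_LENGTH = 12  # the minimum length the CyLab study settled on

# Constructed sample blocklist of commonly leaked passwords. A real deployment
# would load the most common entries of a breach corpus instead of this toy set.
SAMPLE_BLOCKLIST = {
    "123456", "password", "qwerty", "iloveyou", "letmein", "football",
    "baseball", "welcome", "monkey", "dragon",
}


def normalize(pw: str) -> str:
    """Lower-case and drop digits/symbols, so 'Password2024!' compares as 'password'.

    Assumption of this example: blocklist matching should be fuzzy, because
    appending digits or '!' to a leaked password does not make it novel.
    """
    return re.sub(r"[^a-z]", "", pw.lower())


def is_blocklisted(pw: str, blocklist=SAMPLE_BLOCKLIST) -> bool:
    """True if the password is a leaked password, exactly or after normalization."""
    if pw.lower() in blocklist:
        return True
    stripped = normalize(pw)
    # Purely numeric/symbolic passwords normalize to '', which must not be
    # allowed to match every numeric blocklist entry (which also normalize to '').
    if stripped:
        return any(stripped == normalize(b) for b in blocklist)
    return False


def common_words_in(pw: str, blocklist=SAMPLE_BLOCKLIST, min_len=6):
    """Blocklist words embedded inside a longer password (e.g. 'football' in
    'footballseason2024'). Used for advice, not rejection."""
    stripped = normalize(pw)
    return sorted(
        w for w in blocklist
        if len(w) >= min_len and w.isalpha() and w in stripped and w != stripped
    )


def check_password(pw: str, blocklist=SAMPLE_BLOCKLIST):
    """Apply the policy: at least MIN_LENGTH characters and not blocklisted.

    Returns (accepted, messages). Messages are phrased as concrete
    suggestions, the way a strength meter would, rather than a bare verdict.
    """
    messages = []
    missing = MIN_LENGTH - len(pw)
    if missing > 0:
        messages.append(f"too short: add at least {missing} more character(s)")
    if is_blocklisted(pw, blocklist):
        messages.append("this is a commonly leaked password (or one with digits/symbols "
                        "tacked on); choose something else")
    accepted = not messages  # only length and blocklist are hard requirements
    for w in common_words_in(pw, blocklist):
        messages.append(f"contains the common word '{w}': break it up, "
                        "for example by inserting a character in the middle")
    return accepted, messages


if __name__ == "__main__":
    for candidate in ["123456", "Password2024!", "987654321012",
                      "footballseason2024", "correct horse battery staple"]:
        ok, msgs = check_password(candidate)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'}")
        for m in msgs:
            print("   -", m)
```

Note what this validator does not do: a 12-digit password such as 987654321012 passes both rules, because neither length nor the blocklist says anything about how guessable it is. That is exactly the gap the researchers' minimum-strength requirement, backed by their meter, is meant to close; a deployment would add that check on top of these two.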

The digital world has spent years chasing password security, yet even the most basic measures have still not caught on with the general public. It is no surprise, then, that year after year the most used passwords remain the same terrible ones, such as '123456'.

When a company or organization does not implement even minimal strength policies, such as preventing users from choosing "password" as their password, the user is not the only one to blame.

This research suggests that requiring a minimum password length of 12 characters greatly increases security, and it offers a tool that can be embedded in browsers to guide users toward a more secure choice, instead of the traditional traffic light that just says "weak", "strong" or "very strong".