Law Enforcement Can Break 77% Of ‘Three Random Word’ Passwords


It’s time to change how you create your passwords — here’s what you need to know.

Update, April 27, 2025: This story, originally published April 26, has been updated with additional advice for securing your passwords from security experts as World Password Day 2025 fast approaches, along with information on replacing your passwords with passkeys. Passwords. Hate them or hate them, they just won’t die.

Let’s be honest, nobody loves passwords; at best, they are a necessary evil, at worst, the weak link through which criminal attackers and law enforcement can access your data. Despite the best efforts of major technology companies to replace them with passkeys, the humble password remains with us. Yet infostealer malware has compromised hundreds of millions of credentials, attackers continually find new ways to trick you into handing them over, and now even recommended methods of creating strong and secure passwords are being shown to be less than optimal in the face of new research.

Here’s what you need to know and do. Over the years, there have been plenty of people trying to convince you that they know how to create perfect passwords. Most have been proven wrong.

The use of 3,600 smiley face emojis was never going to solve the secure password problem, let’s face it. As Akhil Mittal, senior security consulting manager at Black Duck, said, “every few years, a so-called ‘fix’ for passwords emerges — longer passphrases, image-based logins and now emoji passwords.” In the real world, they all fall at the hurdle of predictability, reuse, and human error.

But what about the secure password creation methods that are supported by the likes of the U.K. National Cyber Security Centre, for example? “Combine three random words to create a password that’s long enough and strong enough,” the NCSC said, the argument being that doing so will create passwords that are easy to remember but strong enough to keep the cybercriminals out.

That advice, it seems, is now shot to pieces by new research. Given that it is the likes of law enforcement and security agencies that have advised consumers to employ a secure password construction method of using three random words, perhaps it should come as no surprise that new research has found that these bodies can benefit from people doing just that. The Optimizing Password Cracking for Digital Investigations report, authored by Mohamad Hachem, Adam Lanfranchi and Nathan Clarke from the University of Plymouth, along with Joakim Kavrestad from Jönköping University, has confirmed that “up to 77.5% of passwords” created this way can be “cracked using a 30% common-word dictionary subset.” The researchers explored ways to more efficiently crack passwords as part of digital forensics processes during criminal investigations, and determined that the traditional methods using brute-force, dictionary and rule-based attacks “face challenges in balancing efficiency with increasing computational complexity.” The research they carried out sought to enhance the effectiveness of law enforcement password cracking using rule-based optimisation techniques while minimizing the resources consumed.

The researchers discovered that by using “an optimized rule set that reduces computational iterations by approximately 40%,” they were able to significantly improve the speed at which passwords could be recovered. Furthermore, the results suggested that “while three-word passwords provide improved memorability and usability, they remain vulnerable when common word combinations are used.” Whether you want to keep your passwords secure against “the man” or the hordes of criminal attackers who want to compromise them, the question remains the same: what’s the most secure method of creating a password? Honestly, the three random words approach isn’t all bad, and if you increase it to four or five random words, then those passwords will become increasingly more time-consuming and difficult to crack.
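To make the search-space argument concrete, here is a small added model (not code from the paper or from this article) that compares the full “three random words” keyspace with the slice an attacker actually needs to cover when words are drawn from a common subset, and extends the same arithmetic to four and five words. It assumes a 10,000-word vocabulary, the paper’s 30% subset and 77.5% figure, a placeholder guessing rate, and the simplifying model that each word is chosen independently and a password falls only when every word is in the subset.

```python
"""Search-space estimates for 'N random words' passwords (constructed example)."""
import math

# Assumed offline guessing rate; a placeholder, not a figure from the paper.
GUESSES_PER_SECOND = 1e9


def entropy_bits(vocab_size: int, num_words: int) -> float:
    """Bits of entropy when num_words are picked uniformly from vocab_size words."""
    return num_words * math.log2(vocab_size)


def search_space(vocab_size: int, num_words: int) -> int:
    """Ordered word tuples (repeats allowed) a guesser must try to exhaust."""
    return vocab_size ** num_words


def per_word_common_prob(hit_rate: float, num_words: int) -> float:
    """Per-word chance a user picks from the 'common' subset, under the assumed
    model that words are chosen independently and a password is covered only
    when all of its words come from the subset (hit_rate = p ** num_words)."""
    return hit_rate ** (1.0 / num_words)


def hit_rate(per_word_prob: float, num_words: int) -> float:
    """Fraction of passwords lying fully inside the common subset."""
    return per_word_prob ** num_words


def compare(vocab_size: int = 10_000, subset_fraction: float = 0.30,
            word_counts=(3, 4, 5), rate: float = GUESSES_PER_SECOND):
    """Full vs. common-subset search space for each word count."""
    subset_size = round(vocab_size * subset_fraction)
    rows = []
    for k in word_counts:
        full, sub = search_space(vocab_size, k), search_space(subset_size, k)
        rows.append({
            "words": k,
            "bits": round(entropy_bits(vocab_size, k), 1),
            "full_space": full,
            "subset_space": sub,
            "subset_days": sub / rate / 86_400,   # time to exhaust the subset
        })
    return rows


if __name__ == "__main__":
    p = per_word_common_prob(0.775, 3)   # implied by the paper's 77.5% figure
    print(f"implied per-word common-subset probability: {p:.3f}")
    for k in (3, 4, 5):
        print(f"{k} words: {hit_rate(p, k):.1%} of passwords inside the subset")
    for row in compare():
        print(row)
```

The subset keyspace grows by a factor of only 3,000 per extra word under these assumptions, which is why four or five words buy real time against a dictionary attack only if the words are not all drawn from the most common ones.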

They also become harder to remember, of course, which is where passphrases enter the equation. Instead of random words, create a passphrase that is memorable and long, but not obvious either.

Most password managers will now create these passphrases for you. To be honest, though, if you are using a password manager, and you really should, then skip the passphrase and go straight for the stupidly long, random and complex password instead. I mean, you don’t have to remember it, that’s the job of your password manager application, so why worry about making something memorable? Better still, use a passkey.

Your password manager can handle these for you as well, and they are way more secure than a lowly password. I am reliably informed that Thursday, March 1, is World Password Day. This means that security experts are keen to share best password practices with as many people as they can.

I’m not a great fan of these arbitrary days, which is why I provide my password advice all year round, but any opportunity to make people more secure is a good opportunity, so here’s what they have been saying. The security team at Fasthosts has urged businesses and individuals to prioritize password security by using strong passwords, but as I’ve already covered that, let’s look at what else they recommended. Enabling two-factor authentication isn’t, strictly speaking, a password recommendation, but rather a login protection one.

Think of 2FA as an extra layer that uses an additional means of verification beyond your password. That verification can be a one-time code, preferably generated by a dedicated app or hardware key rather than sent by the relatively insecure method of SMS text message, or a push notification sent to your smartphone from the service you are logging into. Something that definitely is a password tip worth sharing is to use a password manager which, as I’ve said earlier, is the best way to create strong passwords, store them and then deploy them as required without putting any great usability stumbling block in front of the average user.

A Mastercard spokesperson, meanwhile, has recommended something that is straight from my own security advice playbook: use a passkey. “Skip the hassle of remembering passwords by setting up payment passkeys,” Mastercard advised. Just like a password manager, these strengthen your security posture without adding usability hurdles; in fact, they make it easier to be more secure.

“Passkeys use the biometric authentication already on your device (like your face or fingerprint) to log in to a merchant profile,” Mastercard said. Passkeys are, essentially, strong by default and resistant to phishing and social engineering, as well as being effortless to both create and use. The only question you need to ask yourself is why you haven’t replaced your passwords with passkeys yet?