Some people wonder if we should still include special characters in our passwords.
Here’s the scoop . . .
The presence of special characters in passwords makes passwords more secure.
But the presence of predictability in passwords makes passwords less secure.
When a website tells ordinary consumers “Include a special character in your password,” consumers typically respond to that advice by adding something very predictable to their password.
Because what the consumer has done is predictable, it doesn’t add any security to their passwords, and can even provide users with a false sense of security.
In contrast, adding special characters to your password in an unpredictable way definitely makes your password more secure, because — for the bad guys — your password is far more difficult to guess.
Let’s assume the 14 characters of this 4-class password have been chosen in an unpredictable way:
r8:W3=7uU0VpcS
1.) Would you consider this password to be strong/secure?
2.) Does the presence of special characters in this password make it less strong/secure?
3.) If we removed the two special characters from this password, and replaced them with other characters unpredictably chosen, would the password be more strong/secure?
The answers are:
1.) Yes
2.) No
3.) No
If there was anything “wrong” about a password that looks like r8:W3=7uU0VpcS, then password managers wouldn’t create millions of them every day.
Why would we recommend the use of password managers if we had any concerns about unpredictably generated passwords that look like the one above?
In fact, the National Security Agency (NSA) in February of 2022 recommended the use of special characters in passwords.
And in May of 2022, Microsoft Authenticator added a new Password Generator which allows its 75 million users to create strong, unique passwords with different combinations of numbers and special characters.
So, the issue isn’t about special characters, it’s about the dynamics of giving advice.
The concern over password complexity rules perfectly highlights the predictability of human nature and the weakness of most website’s go-to default strategy of “drive-by advice giving.”
Simply dispensing advice and leaving ordinary consumers without the tools they need to accomplish the task — leaving consumers on their own to figure it all out — doesn’t work anywhere near well enough.
This is why we founded Loistava Information Security.
This is why we develop physical information security products — fun, colorful products ordinary consumers can relate to and enjoy using.
By default, right out of the box, CASTALOT™ Dice allow the user to create 14-character, 4-class passwords which contain two special characters, including spaces.
The “formula” for the user’s passwords is completely up to them. If they want to make their new, modern passwords even stronger — they simply roll a few more dice.
The Era Of Memorizing Passwords In Bulk To Log In To Online Accounts?
That Era is over.
So the user either writes down and securely stores their new modern password, or they type it into their password manager just once.
Here is a link to the CASTALOT™ Dice landing page: www.CastalotDice.com
4-class password is a term used by password researchers to describe a password composed of four “classes” of characters: upper case letters are one class, lower case another, numbers a third class and special characters are the fourth class of characters.
— Anthony Collette