Making passwords more secure – especially for mobile devices

Published 28 June 2016

Passwords are a necessary evil, indispensable for the purpose of ensuring data confidentiality. Unfortunately, the most secure passwords are also the ones that are most difficult to memorize. “Nobody likes passwords. In order to make their lives easier, many people use the same password for different accounts, or they choose passwords that are so easy to guess that they don’t provide sufficient protection,” said one researcher.

Prof. Dr. Markus Dürmuth from the research group Mobile Security is familiar with the problem: “Nobody likes passwords. In order to make their lives easier, many people use the same password for different accounts, or they choose passwords that are so easy to guess that they don’t provide sufficient protection.”

Dürmuth researches a range of authentication methods. His work focuses mainly on passwords for mobile devices, where entering a password is a fairly laborious task: a wrong character is easily typed on the small screen, and digits and special characters are hidden on the secondary and tertiary keyboard layers.

RUB notes that the latest Android smartphones offer the option to choose graphic passwords. This alternative at least makes unlocking the device much easier: users draw a line with their finger across the screen to connect some of the displayed dots. For a long time, the security level of this method had not been fully verified; many studies simply used the number of possible patterns as the benchmark.

In a three-by-three grid there are as many as 389,112 possibilities, assuming that each dot can only be used once and that the password is made up of between four and nine dots. For a traditional PIN, which has to be typed in by the user, the number of theoretically possible combinations is much smaller: for a three-digit PIN it amounts to merely 1,000, for a four-digit one to 10,000.
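The 389,112 figure is only reached when the unlock grid's drawing rule is taken into account: a stroke from one dot to another may not skip over a dot that has not yet been visited (the line would otherwise pass through it, so the pattern engine includes it automatically). The following Python script is an added example, not code from the article or from the research group it describes; it enumerates every valid 3×3 pattern under that rule, which is the behaviour I assume for the Android unlock screen, and compares the resulting keyspace with the naive count and with a numeric PIN.

```python
"""Count 3x3 unlock patterns under the 'no skipping an unvisited dot' rule."""
import math

GRID = 3                      # dots per side; indices 0..8, row = i // 3, col = i % 3


def skipped_dot(a: int, b: int):
    """Return the dot that a straight stroke from a to b passes over, or None.

    Such a dot exists only when a and b are in the same row, column or
    diagonal with exactly one dot between them; knight-like moves (e.g. 0 -> 5)
    have no intermediate dot and are always allowed.
    """
    ra, ca = divmod(a, GRID)
    rb, cb = divmod(b, GRID)
    if (ra + rb) % 2 or (ca + cb) % 2:
        return None
    return ((ra + rb) // 2) * GRID + (ca + cb) // 2


def is_valid_pattern(seq) -> bool:
    """True if seq is a drawable pattern: unique dots, no unvisited dot skipped."""
    if len(set(seq)) != len(seq) or not all(0 <= d < GRID * GRID for d in seq):
        return False
    visited = set()
    for prev, nxt in zip(seq, seq[1:]):
        visited.add(prev)
        mid = skipped_dot(prev, nxt)
        if mid is not None and mid not in visited:
            return False
    return True


def count_patterns(min_len: int = 4, max_len: int = 9) -> dict:
    """Number of valid patterns per length, via depth-first enumeration."""
    counts = {n: 0 for n in range(min_len, max_len + 1)}
    visited = [False] * (GRID * GRID)

    def dfs(path):
        if len(path) >= min_len:
            counts[len(path)] += 1
        if len(path) == max_len:
            return
        last = path[-1]
        for nxt in range(GRID * GRID):
            if visited[nxt]:
                continue
            mid = skipped_dot(last, nxt)
            if mid is not None and not visited[mid]:
                continue               # stroke would jump over an unvisited dot
            visited[nxt] = True
            path.append(nxt)
            dfs(path)
            path.pop()
            visited[nxt] = False

    for start in range(GRID * GRID):
        visited[start] = True
        dfs([start])
        visited[start] = False
    return counts


def naive_count(min_len: int = 4, max_len: int = 9) -> int:
    """Ordered selections of distinct dots, ignoring the drawing rule."""
    n = GRID * GRID
    return sum(math.perm(n, k) for k in range(min_len, max_len + 1))


def pin_space(digits: int) -> int:
    """Keyspace of a numeric PIN of the given length."""
    return 10 ** digits


if __name__ == "__main__":
    per_len = count_patterns()
    total = sum(per_len.values())
    print("valid patterns by length:", per_len)
    print(f"total valid 4-9 dot patterns: {total:,} (~{math.log2(total):.1f} bits)")
    print(f"naive count without the drawing rule: {naive_count():,}")
    for d in (3, 4):
        print(f"{d}-digit PIN: {pin_space(d):,} (~{math.log2(pin_space(d)):.1f} bits)")
```

Running it reproduces the article's 389,112 (roughly 18.6 bits), against 985,824 ordered selections if the drawing rule were ignored and 10,000 (about 13.3 bits) for a four-digit PIN. The 1,624 four-dot patterns are the floor of that space; as the experiment described next shows, users cluster in an even smaller subset, so the theoretical keyspace overstates the real guessing cost.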

In the real world, users of mobile devices do not take full advantage of the possibilities for creating a secure password. To memorize it more easily, they keep using the same patterns, as Markus Dürmuth and his colleagues found out in an experiment. They asked 400 students in the Ruhr-Universität Mensa to come up with a graphic password for unlocking a smartphone. To generate results that are as realistic as possible, the researchers made some stipulations: the test participants had to memorize the password while they were at lunch, and other people were given the chance to break the code during that time. Consequently, the pattern had to be simple enough to memorize, yet difficult enough to prevent third parties from guessing it.