Upon analysis of the many "mega-breaches" that emerged in 2016 – including Dropbox, Yahoo and MySpace – it quickly became clear internet users were still applying shockingly weak passwords on their accounts. Now, researchers believe they have come up with the ultimate fix.
This week (8 May), experts from Carnegie Mellon University and the University of Chicago revealed a new type of password meter that relies on a sophisticated neural network to provide real-time advice about how better to protect your accounts from cybercriminals.
The meter works by employing a neural network that "learns" by scanning millions of existing passwords and identifying the patterns people tend to reuse.
If it detects a password that attackers could easily guess, it warns the user and offers tips for making it better.
"Instead of just having a meter say, 'your password is bad,' we thought it would be useful for the meter to say, 'here's why it's bad and here's how you could do better,'" explained Carnegie Mellon engineering professor Nicolas Christin, a co-author of the study.
This feedback is given in real time, as a user types their password out letter by letter, and the meter was tested on a sample of 4,509 people, the experts said in a release.
The research teams have open-sourced the meter on GitHub and a demo is now available online.
"The key result is that providing the data-driven feedback actually makes a huge difference in security compared to just having a password labelled as weak or strong," said Blase Ur, lead author on the study and professor at the University of Chicago's computer science department.
He continued: "Our new meter led users to create stronger passwords that were no harder to remember than passwords created without the feedback.
"The way attackers guess passwords is by exploiting the patterns that they observe in large datasets of breached passwords. For example, if you change Es to 3s in your password, that's not going to fool an attacker. The meter will explain about how prevalent that substitution is.
"There's a lot of different tweaking that one could imagine doing for a specific application of the meter. We're hoping to do some of that ourselves and also engage other members of the security and privacy community to help contribute to the meter."
When tested by IBTimes UK, the tool offered a number of strategies for enhancing passwords, including not reusing the same phrases on other accounts, making them at least 12 characters in length and ensuring they are a mixture of letters, numbers and symbols.
"Attackers know that people often put numbers and symbols at the end of their password and uppercase letters at the beginning. Be different! One way to make a strong password is to create a sentence that no one's ever said before," the meter added.
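The checks described above (a 12-character minimum, a mixture of character types, the "Es to 3s" substitution, digits and symbols at the end, an uppercase letter only at the start) can be illustrated with a small rule-based feedback function. This is an added example written for this article, not the Carnegie Mellon / University of Chicago meter's own code: their meter learns these patterns from millions of breached passwords with a neural network, whereas the heuristics, the tiny substitution table and the word list below are hand-written stand-ins chosen to show what the explanatory feedback looks like.

```python
"""Rule-based password feedback modelled on the tips quoted in the article.

Added example: hand-written heuristics standing in for the neural-network
meter the article describes. Every table and word list here is constructed.
"""
import re

# Constructed table of common letter-for-symbol substitutions ("Es to 3s").
LEET_MAP = {"3": "e", "0": "o", "1": "i", "@": "a", "$": "s", "4": "a", "5": "s", "7": "t"}

# Constructed toy word list standing in for a corpus of breached passwords.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon",
                "football", "qwerty", "summer"}

MIN_LENGTH = 12  # the minimum length the meter recommended when tested


def deleet(pw: str) -> str:
    """Undo the substitutions in LEET_MAP so 'P@ssw0rd' reads as 'Password'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in pw)


def character_classes(pw: str) -> set:
    """Return the set of character types (lower/upper/digit/symbol) present."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def feedback(pw: str) -> list:
    """Return a list of human-readable tips; an empty list means no rule fired."""
    tips = []

    if len(pw) < MIN_LENGTH:
        tips.append(f"too short: use at least {MIN_LENGTH} characters "
                    f"(you have {len(pw)})")

    if len(character_classes(pw)) < 3:
        tips.append("mix letters, digits and symbols rather than relying on "
                    "one or two character types")

    # Pattern: the only uppercase letter is the first character.
    if pw[:1].isupper() and not any(c.isupper() for c in pw[1:]):
        tips.append("the only uppercase letter is the first one, a placement "
                    "attackers try first")

    # Pattern: every digit and symbol is bunched at the end after plain letters.
    m = re.search(r"[^A-Za-z]+$", pw)
    if m and m.start() > 0 and pw[:m.start()].isalpha():
        tips.append("all digits and symbols are at the end, the most common "
                    "place to put them")

    # Pattern: a common word, possibly disguised with substitutions.
    base = deleet(pw).lower()
    for word in sorted(COMMON_WORDS):
        if word in base:
            if word in pw.lower():
                tips.append(f"contains the common word '{word}'")
            else:
                tips.append(f"'{word}' with letter-for-symbol substitutions "
                            f"is still '{word}' to an attacker")
            break

    return tips


def is_acceptable(pw: str) -> bool:
    """True when none of the heuristic rules fire."""
    return not feedback(pw)


if __name__ == "__main__":
    # Constructed sample passwords: two weak ones and one sentence-style passphrase.
    for candidate in ["P@ssw0rd1!", "Summer2016!", "correct Horse battery 7 staples!"]:
        print(repr(candidate))
        for tip in feedback(candidate) or ["no issues found by these rules"]:
            print("  -", tip)
```

The rules deliberately explain *why* each pattern is weak rather than just returning a score, which is the design point the article attributes to the researchers. A real meter would replace the hard-coded substitution table and word list with frequencies learned from breached-password datasets.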