
Source of feature requirements

1. Websites’ password requirements:

From the requirements of many websites, we conclude the rules listed below:

  • mixed letters+digits+special symbols/length (no less than eight characters)

  • 4PIN or 6PIN

  • Exclude repeat characters, continuous characters

  • Choosing specific symbols freely

Let’s have a close look at these rules one by one.

Mixed letters+digits+special symbols/length (no less than 8 characters)

Let’s first look at the password requirements for some popular websites. Take Google, Apple, Facebook, and Microsoft as examples.

Based on these rules, it is evident that most websites in daily life require a combination of letters (uppercase and lowercase letters), numbers, and symbols. And the length of the password should be eight or longer.

4PIN or 6PIN

Some websites only need four or six digits. IHG asked for passwords with only 4 digits, and the iPhone suggests users set up lock screen passwords with six digits. Therefore, it is also vital for password generators to create passwords like these.

Exclude repeat characters, continuous characters

Some websites are restricted to letters and numbers. ME Bank only allowed using numbers, and there are requirements for the arrangement of numbers, such as not having the same number three times in a row or in descending or ascending order. BDO users need to avoid using consecutive characters (e.g. abc, DEF, 678). This feature, excluding repeated characters or continuous characters in password generators, helps users obtain suitable passwords efficiently.

Choosing specific symbols freely

Most websites require and accept passwords with special characters, which refer to punctuation characters found on standard US keyboards.

There is a difference in the requirements for special characters among websites. Some websites like Bank of America allow users to use only certain special characters ( @#()+={}/?~;,.-_#* ), while some websites forbid users from using certain special characters, like BDO, which requires users to avoid characters such as !#$%^&’;”. More examples can be seen here.

Yet not all password generators allow users to choose special characters freely, which causes trouble for users.

(The screenshot is from here)

Therefore it is essential to let users choose symbols freely.
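To make the rules above concrete, here is an added example generator (not code from the original post or from any of the reviewed products) that implements each of them: the user decides the composition, the symbol set is a free choice (the Bank of America list quoted above is used as one sample set), a digits-only mode produces 4- or 6-digit PINs, and candidates containing a character repeated three times in a row or three consecutive characters (abc, DEF, 678) are rejected. The `AMBIGUOUS` set is the one this page lists later under ambiguous characters; the run length of three is taken from the ME Bank rule. Function names and parameters are this example's own.

```python
import secrets
import string

# Ambiguous characters as the page defines them: 0/O/o, 1/I/l and the pipe.
AMBIGUOUS = set("0Oo1Il|")
# Bank of America's permitted symbol list, quoted from the text above.
BOA_SYMBOLS = "@#()+={}/?~;,.-_*"


def build_alphabet(lower=True, upper=True, digits=True,
                   symbols=string.punctuation, exclude_ambiguous=False):
    """Assemble the character pool from the user's composition choices."""
    pool = ""
    if lower:
        pool += string.ascii_lowercase
    if upper:
        pool += string.ascii_uppercase
    if digits:
        pool += string.digits
    pool += symbols or ""
    if exclude_ambiguous:
        pool = "".join(c for c in pool if c not in AMBIGUOUS)
    # de-duplicate while keeping order, so no character is drawn more often than others
    return "".join(dict.fromkeys(pool))


def has_repeat(pw, run=3):
    """True if some character occurs `run` or more times in a row (e.g. 'aaa', '111')."""
    return any(len(set(pw[i:i + run])) == 1 for i in range(len(pw) - run + 1))


def has_sequence(pw, run=3):
    """True if `run` adjacent characters step up or down by one code point
    (abc, DEF, 678 and their reverses such as 321)."""
    for i in range(len(pw) - run + 1):
        codes = [ord(c) for c in pw[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def generate_password(length=12, *, lower=True, upper=True, digits=True,
                      symbols=string.punctuation, exclude_ambiguous=False,
                      no_repeats=True, no_sequences=True, max_tries=10_000):
    """Draw characters with the `secrets` CSPRNG and reject any candidate that
    breaks a rule, so accepted passwords stay uniformly distributed over the
    set of compliant ones.  Every selected class must appear at least once,
    which is what most of the sites above actually check."""
    alphabet = build_alphabet(lower, upper, digits, symbols, exclude_ambiguous)
    classes = [string.ascii_lowercase if lower else "",
               string.ascii_uppercase if upper else "",
               string.digits if digits else "",
               symbols or ""]
    required = [set(c) & set(alphabet) for c in classes if set(c) & set(alphabet)]
    if len(alphabet) < 2 or length < len(required):
        raise ValueError("alphabet too small for the requested rules")
    for _ in range(max_tries):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not all(req & set(pw) for req in required):
            continue
        if no_repeats and has_repeat(pw):
            continue
        if no_sequences and has_sequence(pw):
            continue
        return pw
    raise RuntimeError("rules too strict: no compliant password found")


def generate_pin(length=4):
    """4- or 6-digit PIN (the IHG / iPhone case), with the same run and
    sequence rules ME Bank applies to numeric passwords."""
    return generate_password(length, lower=False, upper=False, digits=True, symbols="")


if __name__ == "__main__":
    print(generate_password())                                        # 12 chars, all classes
    print(generate_password(16, symbols=BOA_SYMBOLS, exclude_ambiguous=True))
    print(generate_pin(6))
```

Rejection sampling is used rather than patching a bad candidate in place because editing a drawn password (swapping one character to break a run, say) skews the distribution towards the edited forms; throwing the candidate away and redrawing keeps every compliant password equally likely.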

2. Experts suggestions

Besides meeting the requirements, how could we improve the security of the password? To answer this question, we have checked suggestions by several well-known institutions or experts and listed some guidelines below.

(1) 12 or more

Password length should be 12 or more by default, which was suggested here, although many websites require passwords of at least eight characters.

Richard Boyd, a senior researcher at Georgia Tech Research Institute (GTRI), stated that 8-character passwords are no longer sufficient (see details in Teraflop Troubles: The Power of Graphics Processing Units May Threaten the World’s Password Security System), and that such a password can be cracked quickly if you limit your characters to alphabetic letters. Meanwhile, a growing number of security experts encourage users to have passwords with 12 characters or more. Joshua Davis, a research scientist at GTRI, claimed that any password less than 12 characters long might be vulnerable (see details here). SSH, a European Defensive Cybersecurity trailblazer, suggested that a good password should be 12 to 14 characters long.

Considering the websites’ requirements (password length should be eight or more), a password with 12 characters satisfies the website requirements and strengthens the password. Therefore, the password length should be 12 or more for security.

(2) Try to use a combination of mixed letters, numbers, and special characters

National Institute of Standards and Technology (NIST)

In 2004, the United States Department of Commerce’s National Institute of Standards and Technology (NIST) [2] recommended that individuals capitalize irregularly, use special characters, and include at least one number. Most systems adhered to this suggestion, which was “baked into” some requirements that companies had to meet. Password generators should be able to generate passwords with letters (a combination of mixed-case letters), numbers, and special characters. In other words, they should allow users to decide the composition of passwords.

(3) Changing Passwords Regularly

Security experts have different opinions about changing passwords regularly. EJ Phillips, an advocate of regularly changing passwords, argued in Benefits of Changing Your Password Regularly (proactive-info.com) that changing passwords prevents not only constant access but also bad guys from using a saved password on users’ old or missing digital devices. In contrast, experts like Nick Statt pointed out in Best practices for passwords updated after the original author regrets his advice – The Verge that frequent modifications push users toward lazy, easy-to-predict practices. This problem is caused not by the frequent modifications themselves but by the vulnerable passwords users change to. Some people might add one digit or one special character to the former password for convenience, which is a potential risk of password leaking. A password that has been used for a long time might have leaked for various reasons. Some bad guys might steal your password via malicious websites (see more in Benefits of Changing Your Password Regularly).

After all, it was dangerous to use the same password forever. It would be helpful if password managers provided services to help users to change passwords regularly. This suggestion was not seen as one of the review features since it was still controversial. To help users looking for this feature, our suggestion: Zero Password manager.

(4) Choosing emojis in passwords

National Institute of Standards and Technology (NIST)
Meanwhile, in 2020 NIST suggested that users should be able to include Unicode characters like emojis in passwords. Research by Schaub shows that emojis make passwords more entertaining and safer. Including emojis in passwords increases the character set from about 100 to tens of thousands, which makes them challenging for hackers to crack. However, most password managers do not offer emojis in password generation. Password managers like NordPass consider emojis a bad idea because it takes time for different operating systems to represent emojis the same way, so cross-platform use will pose a risk until emojis are standardized. Therefore, using emojis is also not seen as one of our essential features.

(5) Add password strength measurement

The Open Web Application Security Project® (OWASP) suggested adding password strength measurement. This feature helps users create complex passwords and blocks common and previously compromised passwords. It reminds users to use strong passwords. Therefore, it is seen as one of the review features.
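The following is an added example of a strength meter of the kind OWASP recommends (it is not OWASP's code, nor code from the original post). It combines the two checks the text describes: a blocklist of common or previously compromised passwords, and an entropy estimate that also puts numbers on the 8-versus-12-character argument from section 2 (1). The blocklist here is a constructed six-entry sample standing in for a real breach corpus; the guess rate of 1e11 per second is an assumed round figure for a GPU rig against a fast hash, not a value from the page. The lookup also strips a trailing digit or symbol before consulting the blocklist, so the "old password plus one digit" habit described above is caught. Function names and the weak/fair/strong thresholds are this example's own choices.

```python
import math
import string

# Constructed sample of a compromised/common-password blocklist.  A real
# deployment loads a breach corpus instead of this hand-written set.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Assumed attacker speed for the time-to-crack estimate (not from the page):
# 1e11 guesses per second, a round figure for GPU cracking of a fast hash.
GUESSES_PER_SECOND = 1e11


def charset_size(pw):
    """Size of the smallest conventional pool containing every character used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)   # the 32 US-keyboard punctuation marks
    return size


def entropy_bits(pw):
    """Brute-force entropy in bits of a *random* password from that pool.
    This is an upper bound: a human-chosen password is usually far weaker."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def seconds_to_crack(pw):
    """Expected time to search half the key space at the assumed guess rate."""
    return 2 ** entropy_bits(pw) / 2 / GUESSES_PER_SECOND


def normalize(pw):
    """Strip the trailing digit/symbol decoration the text warns about, so
    'Password1!' is looked up as 'password'.  Falls back to the plain lowercase
    form when stripping would remove everything (e.g. '123456')."""
    stripped = pw.lower().rstrip(string.digits + string.punctuation)
    return stripped or pw.lower()


def rate(pw, min_length=8):
    """Return (verdict, bits, reasons).  Blocklisted or short passwords are
    rejected outright, as NIST and OWASP advise; the rest are graded by entropy."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in BLOCKLIST or normalize(pw) in BLOCKLIST:
        reasons.append("matches a common or compromised password")
    bits = entropy_bits(pw)
    if reasons:
        return "reject", bits, reasons
    if bits < 50:
        return "weak", bits, ["guessable by brute force"]
    if bits < 75:
        return "fair", bits, []
    return "strong", bits, []


if __name__ == "__main__":
    for candidate in ["password", "Password1!", "abcdefgh", "abcdefghijkl", "aB3$aB3$aB3$"]:
        verdict, bits, reasons = rate(candidate)
        print(f"{candidate:14} {verdict:7} {bits:5.1f} bits "
              f"~{seconds_to_crack(candidate):.3g} s  {reasons}")
```

Under these assumptions eight lowercase letters (about 37.6 bits) fall in roughly a second, while twelve characters drawn from all four classes (about 78.7 bits) take on the order of 10^12 seconds, which is the gap the GTRI researchers quoted above are pointing at. The entropy figure only applies to generated passwords; for a user-chosen one, the blocklist check is the more meaningful of the two.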

3. User needs

Besides generating suitable and secure passwords, providing users with good user experiences is also necessary. It should be easy for users to use password generators.

To achieve this goal, password generators should have a nice design. For example,

  • Clear instructions (so users do not need time to learn how to use it)

Needs of Passphrase

Passphrases are also popular among users. What is a passphrase? It is a sentence-like string of words that is longer than a traditional password, easy to remember, and difficult to crack.

People choose passphrases rather than passwords for different reasons. The article Password Vs Passphrase: Here’s 5 Reasons to Use Passphrase (passworddragon.com) lists five main reasons: for example, they are easier to remember, harder to hack, supported by major OSs and applications, etc. Besides, the FBI strongly suggested adopting passphrases as an official policy to improve security and protect sensitive data (see details in Cybersecurity Tips: Passphrase vs Password).

For these reasons, passphrases are getting popular among users. It would be more convenient if password generators could help them generate passphrases. We will also check whether these password generators can generate passphrases in the feature review.
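An added example of how a generator can produce passphrases (this is example code, not from the original post or any reviewed product): words are picked uniformly from a list with the `secrets` CSPRNG, so the strength depends only on the list size and the number of words, not on how long or unusual the words look. The 32-word list below is constructed for the demo so that it runs offline (5 bits per word); a real generator would use a published list such as the EFF long list, which has 7776 words and therefore gives about 12.9 bits per word. `words_needed` turns a target strength into a word count, and the optional capital letter and trailing digit exist only to satisfy sites that insist on mixed letters and numbers. All names and parameters are this example's own.

```python
import math
import secrets

# Constructed 32-word list so the demo is self-contained (exactly 5 bits per word).
# A real generator uses a published list such as the EFF long list (7776 words).
WORDS = [
    "apple", "river", "candle", "forest", "marble", "orbit", "pencil", "silver",
    "tiger", "window", "yellow", "zebra", "anchor", "bridge", "copper", "dragon",
    "engine", "falcon", "garden", "harbor", "island", "jungle", "kettle", "lantern",
    "meadow", "nickel", "oyster", "pepper", "quartz", "rocket", "saddle", "tunnel",
]


def passphrase_bits(n_words, list_size):
    """Entropy of a uniformly chosen passphrase: n * log2(list size).
    Word length plays no part; only the size of the list and the count do."""
    return n_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches `target_bits` from a list of `list_size` words."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(n_words=5, wordlist=WORDS, sep="-",
                        capitalize=True, digit=True):
    """Pick words with the secrets CSPRNG.  Capitalising each word and appending
    a digit adds almost nothing to the strength (the digit is worth log2(10),
    about 3.3 bits) but lets the result pass 'mixed letters and numbers' checks."""
    words = [secrets.choice(wordlist) for _ in range(n_words)]
    if capitalize:
        words = [w.capitalize() for w in words]
    phrase = sep.join(words)
    if digit:
        phrase += str(secrets.randbelow(10))
    return phrase


if __name__ == "__main__":
    print(generate_passphrase())
    # how many words a 75-bit passphrase needs from this list vs. a 7776-word list
    print(words_needed(75, len(WORDS)), words_needed(75, 7776))
```

Because the strength comes from the selection and not from the words themselves, a generator must never let a "memorable" shortcut (the user's own words, a dictionary lookup that favours short words, or a non-cryptographic random source) replace the uniform draw; that is the one property a reviewer should verify in a product that claims to generate passphrases.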

About avoiding ambiguous characters

No websites require users to avoid ambiguous characters in passwords, since websites can easily distinguish characters like 0 (zero), O/o (oh), 1 (one), I (capital i), and l (ell). But these characters confuse users in some fonts. For example, it is pretty hard to distinguish the l (ell) from the I (capital i) in the password in the picture below. This puts users in trouble when they have to type passwords manually.

To avoid this, some users prefer to exclude these ambiguous characters from passwords. It would be helpful if password generators could exclude ambiguous characters; thus, it was selected as one of the review features.

“Please give us an option to prevent characters like ‘l’ vs. ‘1’, ‘O’ vs. ‘0’, to be used in our passwords…?” (see more here)

After checking some password generators’ definitions of ambiguous characters, 0 (zero) and O/o (oh), 1 (one), I (uppercase i), l (lowercase L), and | (the vertical bar symbol) are regarded as ambiguous characters.

Conclusion

Overall, there are nine review features, and we will focus on whether these password generators have these features as well as on their usability.

  1. Can decide the composition of passwords

  2. The default length should be 12 or more

  3. Can generate four-digit or six-digit passwords

  4. Can use, and even choose special characters

  5. Can exclude repeating characters and continuous characters

  6. Password strength measurements

  7. Avoid ambiguous characters

  8. Can generate passphrase

  9. Intuitive user interface