Password cracking
==Easy to remember, hard to guess==
Passwords that are difficult to remember will reduce the security of a system because:
*users might need to write down or electronically store the password using an insecure method,
*users will need frequent password resets, and
*users are more likely to re-use the same password.
Similarly, the more stringent the requirements for password strength, e.g. "have a mix of uppercase and lowercase letters and digits" or "change it monthly", the greater the degree to which users will subvert the system.<ref>[https://web.archive.org/web/20110126220702/http://all.net/journal/netsec/1997-09.html Managing Network Security]. Fred Cohen & Associates. All.net. Retrieved on January 31, 2013.</ref> In "The Memorability and Security of Passwords",<ref>{{cite journal |url=https://prof-jeffyan.github.io/jyan_ieee_pwd.pdf |title=Password Memorability and Security: Empirical Results |doi=10.1109/MSP.2004.81 |year=2004 |last1=Yan |first1=J. |last2=Blackwell |first2=A. |last3=Anderson |first3=R. |last4=Grant |first4=A. |journal=IEEE Security & Privacy Magazine |volume=2 |issue=5 |pages=25 |s2cid=206485325}}</ref> Jeff Yan ''et al.'' examine the effect of advice given to users about a good choice of password. They found that passwords based on thinking of a phrase and taking the first letter of each word are just as memorable as naively selected passwords, and just as hard to crack as randomly generated passwords. Combining two unrelated words is another good method. Having a personally designed "[[algorithm]]" for generating obscure passwords is another good method. However, asking users to remember a password consisting of a "mix of uppercase and lowercase characters" is similar to asking them to remember a sequence of bits: hard to remember, and only a little bit harder to crack (e.g. only 128 times harder to crack for 7-letter passwords, less if the user simply capitalizes one of the letters).
Asking users to use "both letters and digits" will often lead to easy-to-guess substitutions such as 'E' → '3' and 'I' → '1': substitutions which are well known to attackers. Similarly, typing the password one keyboard row higher is a common trick known to attackers. Research detailed in an April 2015 paper by several professors at [[Carnegie Mellon University]] shows that people's choices of password structure often follow several known patterns. For example, when password requirements require a long minimum length such as 16 characters, people tend to repeat characters or even entire words within their passwords.<ref name="Steinberg">{{cite news |title=New Technology Cracks 'Strong' Passwords – What You Need To Know |url=https://www.forbes.com/sites/josephsteinberg/2015/04/21/new-technology-cracks-long-complex-passwords-what-you-need-to-know/ |work=Forbes |first=Joseph |last=Steinberg |date=April 21, 2015}}</ref> As a result, passwords may be much more easily cracked than their mathematical probabilities would otherwise indicate. Passwords containing one digit, for example, disproportionately include it at the end of the password.<ref name="Steinberg"/>
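The following is an added example, not part of the article or any cited paper: a defender-side password-policy check that undoes the predictable patterns this section describes (the 128× case-mixing figure, 'E' → '3' / 'I' → '1' substitutions, typing one keyboard row higher, a lone trailing digit, and a word repeated to meet a long minimum length) before comparing against a word list. The word list and the substitutions beyond 'E'/'I' are constructed for illustration.

```python
import re
from typing import Optional, Set

# Constructed stand-in for a breached-password or dictionary list (hypothetical values).
COMMON_WORDS = {"password", "letmein", "welcome", "dragon", "monkey", "sunshine"}

# Reverse the substitutions attackers try first. 'E'->'3' and 'I'->'1' come from the
# text; '0', '@' and '$' are assumed additions of the same kind.
LEET_REVERSE = str.maketrans({"3": "e", "1": "i", "0": "o", "@": "a", "$": "s"})

# Reverse "typed one keyboard row higher" on a US QWERTY layout: each key is mapped
# back to the key directly below it (1->q, q->a, a->z, ...).
ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
ROW_DOWN = str.maketrans({hi: lo for upper, lower in zip(ROWS, ROWS[1:])
                          for hi, lo in zip(upper, lower)})

def case_mixing_multiplier(length: int, single_capital: bool = False) -> int:
    """Keyspace gain over an all-lowercase password of `length` letters: 2**n when
    case is mixed freely (128 for n=7), only n if exactly one letter is capitalised."""
    return length if single_capital else 2 ** length

def repeated_unit(pw: str) -> Optional[str]:
    """Return the substring whose repetition forms pw ('abcabc' -> 'abc'), else None."""
    m = re.fullmatch(r"(.+?)\1+", pw)
    return m.group(1) if m else None

def candidate_bases(pw: str) -> Set[str]:
    """Every plausible underlying word that attacker-style rules would recover from pw."""
    s = pw.lower()
    forms = {s}
    # A single digit disproportionately sits at the end; try the password without it.
    if len(s) > 1 and s[-1].isdigit() and not s[-2].isdigit():
        forms.add(s[:-1])
    # Long passwords are often a word repeated; reduce them to the repeated unit.
    forms |= {repeated_unit(f) or f for f in forms}
    out = set()
    for f in forms:
        out |= {f, f.translate(LEET_REVERSE), f.translate(ROW_DOWN)}
    return out

def is_predictable(pw: str) -> bool:
    """True when any normalised form of pw is a listed common word."""
    return bool(candidate_bases(pw) & COMMON_WORDS)
```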