I'm a password expert - this game shows the absurdity of common guidelines

screenshot of the password game in browser
(Image credit: Future)

A new browser game - simply called The Password Game - reflects the challenges of coming up with strong passwords that satisfy the stringent criteria many services place on users to secure their accounts. 

The aim of the game is to create a password that meets certain rules. These are added one by one, and become ever more ridiculous, up until the point you'll be using emojis, doing a bit of geo-guessing and solving the day's Wordle puzzle.

It's not really a game that's meant to be completed, with the series of rules often contradicting and clashing with one another till you're going round in circles. To be honest, I'm not sure if it even can be finished - or if so, how close I came, as I gave up when a previous rule looped back for a third time. 

But what the game does do is satirize the sometimes nonsensical requirements organizations place upon users when creating their account passwords. It may be a little dated, given the fact that today, there are plenty of password managers and password generators to take care of the task for you, but the game can still give you pause for thought on the culture of password usage. 

Rules upon rules

The game starts by merely asking you to create a password. The first rule is that it has to be at least five characters, which you might have already done with your first try, in which case it's on to rule two: it must include a number. Rule three is the inclusion of an uppercase letter, and rule four a special character.

So far, so familiar - but then things take a turn. The next rule is that all digits in the password must add up to 25. From here, they only get more laughable, such as the inclusion of today's Wordle answer, and the insertion of an emoji that illustrates the current phase of the moon. 

The real kicker is that satisfying one rule can mean previous ones are contravened, and so they reappear in order for you to rectify any clashes. For instance, at one point you're asked to include the CAPTCHA code shown on screen, which includes digits, meaning you'll contravene rule five (all digits must total 25).

When this particular rule came back to me a third time, that is when I called it a day and realized this game probably doesn't want me to win.
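To make the clash concrete, here is an added example (not code from the game or the article) that encodes the first five rules as the article describes them and shows why pasting in a digit-bearing CAPTCHA breaks rule five. The CAPTCHA strings and the starting password are constructed for illustration; the game's actual rule wording and CAPTCHAs are not on the page.

```python
import math

DIGITS = "0123456789"  # only ASCII digits count; avoids int() choking on Unicode digits

def digit_sum(s):
    return sum(int(c) for c in s if c in DIGITS)

# Rules 1-5 as paraphrased from the article, in the order the game adds them.
def rule_min_length(pw):   # rule 1: at least five characters
    return len(pw) >= 5

def rule_has_digit(pw):    # rule 2: include a number
    return any(c in DIGITS for c in pw)

def rule_has_upper(pw):    # rule 3: include an uppercase letter
    return any(c.isupper() for c in pw)

def rule_has_special(pw):  # rule 4: anything that is not a letter, digit or whitespace
    return any(not c.isalnum() and not c.isspace() for c in pw)

def rule_digits_sum_25(pw):  # rule 5: all digits must add up to 25
    return digit_sum(pw) == 25

RULES = [
    ("rule 1: at least five characters", rule_min_length),
    ("rule 2: include a number", rule_has_digit),
    ("rule 3: include an uppercase letter", rule_has_upper),
    ("rule 4: include a special character", rule_has_special),
    ("rule 5: digits must add up to 25", rule_digits_sum_25),
]

def failing_rules(pw):
    """Names of every rule the password currently violates (empty list = all satisfied)."""
    return [name for name, check in RULES if not check(pw)]

def rebalance(base, fixed_part):
    """Keep fixed_part (e.g. a CAPTCHA you are forced to include) verbatim and rewrite the
    free digits of base so that rule 5 holds again. Returns None when no fix exists,
    i.e. the forced digits alone already exceed 25 - a genuine rule conflict."""
    budget = 25 - digit_sum(fixed_part)
    if budget < 0:
        return None
    letters_only = "".join(c for c in base if c not in DIGITS)
    nines, rem = divmod(budget, 9)          # spend the budget as few digits as possible
    filler = "9" * nines + (str(rem) if rem else "")
    return letters_only + filler + fixed_part

if __name__ == "__main__":
    pw = "Abc!997"                      # constructed: 9+9+7 = 25, satisfies rules 1-5
    captcha = "x7k2"                    # constructed CAPTCHA value containing digits
    print(failing_rules(pw))            # []
    print(failing_rules(pw + captcha))  # rule 5 now fails: digits sum to 34
    print(rebalance(pw, captcha))       # Abc!97x7k2 -> digits 9+7+7+2 = 25
    print(rebalance(pw, "9z9k8"))       # None: CAPTCHA digits alone sum to 26
```

The `rebalance` helper is the interesting part: it shows that the loop the article describes is not always escapable. Once the forced substring carries more digit value than the rule allows, every candidate fails rule five, which is exactly the situation where the game sends you back around.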

Best guidance?

No doubt we're all familiar with the frustrations of having to include special characters and the like when creating passwords. These requirements can be traced back to Bill Burr, a researcher who literally wrote the manual on password best practice, published by the US National Institute of Standards and Technology (NIST) in 2003. Since then, virtually everyone has adopted it as the de facto standard for password creation.

In it, he recommended that people create passwords that integrate numbers, uppercase and special characters, and change them every ninety days. The problem with this is that it leads to lazy and weak passwords in practice. As I'm sure we're all guilty of, we tend to pick an easy number like 1 and change it to 2 when updating the password or reusing it for another service.

These are easy for hackers to guess, even if you fulfil the criteria of having numbers and certain characters present - because we want them to be easy to remember. But the real irony is that they're not, because we lose track of which numbers we used for what service and when.

All this means we are left in the worst possible situation: passwords that are easy to crack, but hard to remember.

Burr came to regret this advice many years later, and now the current advice is that if you are going to create your own passwords and commit them to memory, then choosing a string of three random words is better. Not only are you more likely to remember it, but it will also be much harder for computers to crack via brute force. 
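The "harder to crack by brute force" claim can be made quantitative. The added example below (mine, not the article's or NIST's) models the two password shapes the article contrasts as guess spaces and reports their size in bits. The model sizes are assumptions chosen for illustration: a 10,000-entry common-word dictionary, two trailing digits and one of 32 punctuation symbols for the composition-rule habit, and a 7,776-entry list (the size of a standard diceware-style list) for the three-random-words approach.

```python
import math

# Assumed model sizes (constructed for illustration, not measured values).
COMMON_WORDS = 10_000     # dictionary a guesser would try for the "Word" part
TRAILING_DIGITS = 100     # 0..99 appended after the word
SYMBOLS = 32              # printable ASCII punctuation
WORDLIST = 7_776          # diceware-style list size for random-word passphrases

def bits(search_space):
    """Entropy in bits of a uniformly chosen secret from a space of this size."""
    return math.log2(search_space)

def composition_pattern_bits():
    # Capitalised common word + digits + symbol: the shape that composition rules
    # push people towards (the article's "change the 1 to a 2" habit).
    return bits(COMMON_WORDS * TRAILING_DIGITS * SYMBOLS)

def random_words_bits(n_words, wordlist_size=WORDLIST):
    # n independent uniform picks from the list; order matters, so the space is size**n.
    return bits(wordlist_size ** n_words)

def three_random_words_bits():
    return random_words_bits(3)

def work_factor_ratio():
    """How many times more guesses the three-word space needs than the composition pattern."""
    return 2 ** (three_random_words_bits() - composition_pattern_bits())

def increment_gain_bits():
    # Rotating the trailing digit through its 10 values on each forced change adds
    # only log2(10) bits; the rest of the password is unchanged and already known.
    return bits(10)

if __name__ == "__main__":
    print(f"composition pattern : {composition_pattern_bits():.1f} bits")
    print(f"three random words  : {three_random_words_bits():.1f} bits")
    print(f"extra work factor   : x{work_factor_ratio():,.0f}")
    print(f"bump 1 -> 2 gains   : {increment_gain_bits():.1f} bits")
```

Under these assumptions the composition-style password sits just under 25 bits while three random words exceed 38 bits; because each additional bit doubles the guessing work, the passphrase costs a guesser over ten thousand times more effort despite being easier to remember. The numbers move with the dictionary sizes you assume, but the gap does not close.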

Password managers and passkeys

All this might be moot, however, as password managers can create and store strong and unique passwords for every one of your accounts, so you don't have to remember a thing. 

However, you will still need to have a master password to lock your vault, so you better make sure this is a strong one. 

Also, with the advent of multi-factor authentication (MFA), there is now an extra layer of security to your credentials, as it aims to prevent others from accessing your account without your knowledge by requiring authorization via a secondary device - typically your smartphone. So even if your password falls into the hands of a hacker, they would still need access to your smart device to gain access to your account.

At least, that is the hope: there have been reports of MFA protocols being woefully inadequate, and those that require authentication via SMS messaging are more vulnerable to attack than those that use dedicated authenticator apps, thanks to SIM spoofing, where criminals can copy your number to their device and receive all your communications.

But beyond passwords and MFA, we are now entering the new era of passkeys - the technology that allows you to log in to your accounts without any password at all. Nothing has to be remembered - all you have to do is use your biometric data or PIN that you have saved on your device. 

Not only is this more convenient, but many also claim it is much more secure as the private portion of the key is phishing resistant. This is stored on your device and no one knows what it is - not even the user. And given that phishing attacks can be incredibly successful at breaching companies of any size, you can see their point. 

However, some experts are a little more skeptical. When we spoke to veteran security expert Roger Grimes, he was concerned about how big tech companies are using passkeys to lock users into their respective platforms as they can't be transferred over, and that support for them is very limited - currently, the most prominent services that support them are Apple, Google, Microsoft, PayPal, eBay and BestBuy.

Many password managers are starting to support them too, but Grimes thinks that overall, passwords are not dying out anytime soon, and will be with us for at least another decade. 

If that is the case, then we'd best make sure we use a good password manager and enable MFA where possible. And if we are going to create our own, then three random words is a better and easier method - and thankfully no one is asking us to include the current phase of the moon.

Lewis Maddison
Staff Writer

Lewis Maddison is a Staff Writer at TechRadar Pro. His area of expertise is online security and protection, which includes tools and software such as password managers. 

His coverage also focuses on the usage habits of technology in both personal and professional settings - particularly its relation to social and cultural issues - and revels in uncovering stories that might not otherwise see the light of day.

He has a BA in Philosophy from the University of London, with a year spent studying abroad in the sunny climes of Malta.