Passwords and codes have been a mainstay of security since the dawn of time. Codes to allow you entry to the castle, to prove which side you’re fighting for, to establish membership of your gang at school or to exchange messages with your first loves. Aah. In the modern era, they’ve come to be used to protect access to everything from your take-away account to your fitness tracker, your email, and your money.
Now, before you all cry out: there are undoubtedly modern improvements for strong authentication – multi-factor authentication, biometrics, one-time passwords and password-less access can all reduce the risk of a malicious actor finding a static password and gaining access to your systems – and these should be implemented – however, passwords are NOT going away just yet in many cases.
SO, WHAT DO WE DO?
The big problem is we’re human; we like things to be simple and, we have picked up some misguided ideas about the protection we think we need.
Here are a few common thought processes:
- “Only I know all my family’s birthdays / house numbers / middle names / pets’ names / first schools / honeymoon destination”. No, Facebook knows; better assume everyone knows.
- “It looks complex to me” or “What? It’s different from last time…” No, the computer doesn’t care if you substitute letters for numbers – in fact, it doesn’t care whether your password has any meaning at all. It is going to rattle through 100 million combinations a second – just like you did when you cracked into your brother’s three-digit combination lock as a kid, only a lot, lot, lot faster!
- “This system doesn’t have anything important in it anyway” or “I don’t care if someone cracks it: I just want to order my pizza.”
It’s funny, but there’s an important point here: we have too many passwords – we’re asked to create them for almost everything, leading to one of the biggest problems: theme and variation.
- In addition, there has been accepted wisdom around password policies which, unfortunately, has led to some of the behaviours above. For example:
- “I’ll just add 1 to the number I used last. If only I could remember which number I’d got to – maybe I’ll use the year or something…” What we’re effectively doing here is introducing a repeatable pattern into the password format; very similar to adding just one letter to the alphabet – but the killer blow is this effectively reduces the length of your password by the length of your pattern.
- If you have an eight-character password with seven digits repeated from last time, your new password’s effective length is 2!! You may as well publish it on Twitter.
- “Recognisable words are bad. Adding letters and numbers makes them stronger.” See above. Computers don’t care what characters you use – it’s all the same to them. What computers do care about is how long the password is – and this is crucial. We’ll explore this further below.
- “Having lots of passwords you can remember is better than having a few (good ones).” And “Don’t save your passwords.”. This is a double whammy because the big problem here is a human one: we don’t remember good passwords; we remember patterns. If we force people to maintain many passwords, naturally they’re going to use repeating patterns to remember or write them down. By writing them down we… you see the problem?
So, as you can see, much of the received wisdom about passwords quickly falls apart under scrutiny. In reality, only a few things make any difference:
- Size matters – the longer the password, the better. I’ll leave you to do the maths but even if we only think of using 52 (upper and lower case) characters in the English alphabet, then going from 8 characters to 10 characters in your password increases the strength by 1,000 times. Adding another two characters (12) is literally a million times better than an 8-character password. By contrast, adding complex characters (20 numbers and symbols) increases the strength of an 8-character password by only 13 times.
- Don’t use common patterns or metadata – if you use common terms in your passwords (however long they are) then you may as well think of each of these terms as simply representing one single letter. This reduces the effective length of the password, so the extra characters do not significantly increase its strength.
- Uniqueness matters – for even more reasons, as we’ll see below.
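To put the two points above in numbers, here is a small Python policy check (an added example, not code from the original article): it computes the keyspace comparisons from the length bullet and applies the “a recognisable pattern counts as one letter” rule to estimate a password’s effective length, which is the kind of check an admin can run when a password is created. The common-term list, the four-character carry-over threshold and the pattern regexes are illustrative assumptions.

```python
import re

# Constructed, deliberately tiny list of "common terms"; a real policy check
# would use a proper dictionary plus breach-derived wordlists (assumption).
COMMON_TERMS = ("password", "welcome", "summer", "london", "acme")
ALPHA_LETTERS = 52       # upper- and lower-case letters, as in the article
ALPHA_COMPLEX = 52 + 20  # plus the article's 20 numbers and symbols

def keyspace(length: int, alphabet: int) -> int:
    """Distinct passwords of `length` characters over `alphabet` symbols."""
    return alphabet ** length

def strength_ratio(len_a: int, alpha_a: int, len_b: int, alpha_b: int) -> float:
    """How many times larger keyspace A is than keyspace B."""
    return keyspace(len_a, alpha_a) / keyspace(len_b, alpha_b)

def _longest_common_block(a: str, b: str) -> str:
    """Longest substring shared by a and b (plain dynamic programme)."""
    best, table = "", {}
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            if ca == cb:
                table[i, j] = table.get((i - 1, j - 1), 0) + 1
                if table[i, j] > len(best):
                    best = a[i - table[i, j] + 1 : i + 1]
    return best

def effective_length(password: str, previous: str = "") -> int:
    """Characters left once each recognisable pattern counts as ONE symbol:
    a block of 4+ characters carried over from the previous password, a
    common word, a four-digit year, or a run of one repeated character."""
    p = password.lower()
    carried = _longest_common_block(p, previous.lower()) if previous else ""
    if len(carried) >= 4:                      # "add 1 to last time's number"
        p = p.replace(carried, "#", 1)
    for term in COMMON_TERMS:
        p = p.replace(term, "#")
    p = re.sub(r"(19|20)\d\d", "#", p)         # years
    p = re.sub(r"([^#])\1{2,}", "#", p)        # aaa, 1111, ...
    return len(p)

def meets_policy(password: str, previous: str = "", minimum: int = 12) -> bool:
    """Admin rule from the article: at least 12 characters of *effective*
    length, with no complexity requirement."""
    return effective_length(password, previous) >= minimum
```

Run against “Welcome1” followed by “Welcome2”, the check reports an effective length of 2, the article’s “you may as well publish it on Twitter” case, while a plain four-word phrase passes on length alone.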
One thing we have not addressed is the proliferation of passwords. They’re everywhere and this makes us lazy. We do not ascribe as much importance to our takeaway ordering service as we do to our bank, but research says we’re likely to use the same password. And while the bank may use additional authentication mechanisms to reinforce your password, the takeaway likely will not.
So, what can we do to reduce this risk? Research says there are two things:
- Using unified authentication mechanisms – using a robust login mechanism across multiple services means you do not need so many passwords and, if you do need to change the password, you do it only once. So, if you’re offered authentication using an existing authentication service, and you trust it, then use it.
- Use a password manager – you may say: “but isn’t this just as bad as writing them down?”. The answer is no. A good password manager can:
a. protect your passwords by using one of your trusted authentication mechanisms
b. reduce the need for you to remember and reuse passwords
c. encourage you to select strong, unique passwords by generating them for you
d. assist you in logging in more securely to services which require passwords
e. check your credentials against known compromises and prompt you to change those which are affected
Now some of this may seem counterintuitive, but let it sink in: the fewer passwords we need and the less human contact we have with them, the better.
LOCKING IT ALL TOGETHER
We’ve established that:
- Longer passwords are more effective
- Complex passwords are not
- Common patterns in passwords reduce the effective length making them weaker
- Changing passwords regularly encourages risky behaviour
- Monitoring behaviour patterns to detect risks and potential compromises is a good strategy
- Forcing regular password changes does not increase security
- The fewer passwords, the better
Advice For Admins
- Require at least a 12-character password, but
- Do not require complexity. Encourage colleagues to use memorable phrases instead
- Check for common patterns when users create passwords – these significantly reduce the effective length of a password and, therefore, the strength
- Do NOT force periodic changes – it encourages patterns. A strong and stable password is better
- Force changes on security events – Enable identity protection, watch for suspicious behaviour, check against known compromises. If you (or your tools) think a password may have been compromised, require additional authentication, and force a password change
- Enforce uniqueness. If you are only forcing passwords to change when you have cause for concern, then there is no excuse for users to repeat a password
- Enable modern authentication and establish trust through context, devices, behaviour – this is much more robust than having someone enter their password manually several times per day
Advice for Users
1. Rather than using short, visually complex passwords, think of a memorable phrase made up of 2 words or more – it doesn’t matter how simple it is for you to remember; it’s the number of characters which counts
2. Don’t include any words or patterns which are associated with your identity or those around you:
a. avoid people, company and place names, ID numbers or job related information
b. avoid repeating characters, words or patterns
3. Use a password manager – let it suggest good passwords, let it store them for you but make sure you take the security around the password manager seriously
And a final thought – don’t delay. The measures discussed here may look overwhelming, but many make the end-user experience SIMPLER rather than more challenging, so they will thank you for implementing them.
All the major platform vendors and identity providers have their own feature sets to support these measures so start to look for areas where you can improve identity management and protection, detect risks, enable and encourage better password behaviour and chip away at the problem little by little. You can do it!