Most likely, World Password Day passed you by with minimal, if any, fanfare. No candles were wished upon and blown out. No carols were sung. No sparklers were proudly waved. Established in 2013 and quietly celebrated the first Thursday of May ever since, if you observed World Password Day at all this month, you may have spent it much like I did: contemplating password security and reading current research on passwords and password management.
In 2017, the National Institute of Standards and Technology (NIST) updated their guidelines for creating and managing passwords, or rather, “memorized secrets,” as NIST refers to them. As discussed in a previous blog, NIST’s guidelines jibed with my own practical experience of how password security plays out in the real world. But here we are, almost three years later, and security thought leaders continue to stubbornly cling to outdated beliefs about passwords.
Despite the updates to NIST’s recommendations, three annoying misconceptions about password security continue to linger, like a bad smell in the fridge even after you’ve thrown out the moldy culprit:
- Passwords should be changed frequently
- Passwords should adhere to complexity requirements
- Never, EVER share passwords
These ideas persist for good reason: technically, passwords WOULD be more secure if they were changed frequently, super-duper complex, and carried with us to the grave...except for one pesky detail: human psychology.
BUSTED: Passwords should be changed frequently
When people are required to create password after password every 60 to 90 days, the passwords become increasingly repetitive and predictable. Sure, you might find an additional exclamation point or a capital letter tossed in, but as a general rule, humans prefer easy and memorable, to the point that most of us (as much as 99%, according to one report) are guilty of using the same password for multiple accounts. Requiring users to frequently change passwords, far from increasing security, leads instead to weaker passwords and bad habits, like storing passwords in an Excel file or on a sticky note or asking an administrative assistant to keep track of changes.
Furthermore, changing a password after a breach occurs is a little like locking your door with the robbers already in the house. By the time you and your IT department have been notified of a breach, it’s likely that the hackers have already installed a backdoor into the system, so changing your password does not prevent or mitigate damage that has already occurred; that’s what your IRP (Incident Response Plan) is for. Changing a password is a good practice only because it helps prevent OTHER criminal hackers, who’ve potentially bought your old password from a shady dark web auction, from breaking in as well.
BUSTED: Passwords should adhere to complexity requirements
While a combination of special characters, numbers, and letters does add to the security of a password, it can also make it difficult to remember. Again, the human factor: when asked to create a password with a minimum of 8 characters and include a combination of numbers and symbols, users still construct a password that they can easily recall, often based on their favorite sports team or song. Unfortunately, memorable often correlates with hackable.
In terms of hack-resistance, length trumps complexity. A long, 15-character password that includes only lowercase letters still has over 230 thousand times as many possible combinations as a complex, 8-character password, with the added benefit that longer but less complicated passwords are easier to remember. That’s why NIST suggests that rather than making arbitrary requirements for passwords, businesses should instead allow passwords with up to 64 characters and permit spaces.
Caveat: A long password is still a crappy password if it’s repetitive and predictable. 111111111111111 or abababababababa won’t cut it. Instead, consider using passPHRASES. Combining multiple random words and adding spaces can be the difference between a memorized secret that takes minutes to crack or centuries, according to this nifty website. Passphrases strike the right balance between length and memorability, especially if you use a passphrase generator.
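The length-versus-complexity arithmetic from the paragraph above, the caveat about repetitive strings, and the passphrase suggestion, worked through as an added Python example (not code from the original post). The eight-word list is a constructed stand-in; a real generator draws from a published list of thousands of words.

```python
import math
import secrets

# Alphabet sizes: 26 lowercase letters vs. the 95 printable ASCII characters
# that a "complex" policy (letters, digits, symbols) typically draws from.
LOWERCASE = 26
PRINTABLE_ASCII = 95


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct strings of the given length over the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: log2 of its keyspace."""
    return length * math.log2(alphabet_size)


def keyspace_ratio(long_len: int, short_len: int) -> float:
    """How many times larger the lowercase-only keyspace is than the complex one."""
    return keyspace(LOWERCASE, long_len) / keyspace(PRINTABLE_ASCII, short_len)


def is_repetitive(pw: str) -> bool:
    """Flag strings that are a 1-3 character unit repeated, e.g. '1111...' or 'abab...'."""
    for unit_len in (1, 2, 3):
        unit = pw[:unit_len]
        repeated = unit * (len(pw) // unit_len) + unit[: len(pw) % unit_len]
        if len(pw) >= 2 * unit_len and repeated == pw:
            return True
    return False


# Constructed toy word list (assumption); a real generator uses thousands of words
# so that each word adds roughly 12-13 bits of entropy instead of 3.
WORDS = ["correct", "horse", "battery", "staple", "lantern", "orbit", "velvet", "mango"]


def generate_passphrase(n_words: int, wordlist=WORDS) -> str:
    """Pick n_words with a CSPRNG (secrets, not random) and join them with spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist=WORDS) -> float:
    """Entropy of a passphrase: n_words * log2(size of the word list)."""
    return n_words * math.log2(len(wordlist))
```

keyspace_ratio(15, 8) comes out near 253,000, which is the "over 230 thousand" figure in the text; is_repetitive catches both of the caveat's bad examples while passing a real multi-word phrase.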
BUSTED: Passwords should never, ever be shared
Keeping your password a secret is generally sage advice, but we all know that there are situations that come up for SMBs that necessitate sharing a password. Given that reality, it’s not particularly helpful for security experts to shake their fingers at us, admonishing, “Idiots! Don’t you know you should never share passwords?”
Instead of insisting on “never,” it’s more useful to focus on "how?" How can we share passwords securely rather than rely on more vulnerable methods, like email, text, or phone? One solution is to encourage employees to use a password manager. Some password managing systems, like Dashlane, allow users to safely share encrypted passwords, so that when a situation comes up where you need to share a password--and it will--there is a secure and reliable procedure in place.
Password managers are good for other reasons, too. The cold, hard truth is that it’s virtually impossible for humans to create and remember a strong password for each and every account we work with. Password managers, because they help users create truly random, strong, and unique passwords for every account, provide an additional layer of security.
A Realistic Approach
While more organizations are turning to multi-factor authentication and biometric authentication as ways to boost security, good ol’ “username and password” remains the standard procedure for logging in to most platforms. As long as security systems continue to rely on static password-based protection, security thought leaders need to educate organizations and consumers on how to use passwords as effectively as possible, even if that means ditching antiquated beliefs that have been proven to be impractical and unrealistic.
What can we do while we wait for members of the security community to get on board?
- Utilize a password manager that can generate and store random passwords, allowing you to choose longer, more difficult-to-remember ones without having to actually remember them.
- Make each password as different as possible, so that if one gets compromised it won't lead to another.
- Leverage other authentication options, such as multi-factor and 2-factor authentication, when available.
Happy belated World Password Day, to one and all!