Do “strong” passwords give good security?
The password has an almost mythical place in our lives. It is an unusual person who does not use a password at some point in their day. They are the key to many things we do online. Yet we are at the end of our tether with the humble password, as password fatigue sets in and we take a blasé approach to passwords. In research carried out by the Pew Research Center, they found that 86% of users memorise passwords in their head and 49% write them down on paper. And a study by LastPass found that the average person is keeping track of 191 passwords.
People and passwords are not ideal partners. And, as a result, the password has become the weakest link in the security chain – according to Verizon, 81% of data breaches happen because of stolen or weak passwords.
The problem is this – passwords are handy. People are used to them, and the interface for using them is well known from a UI design point of view. The backend protection (hashing and encryption) of passwords in storage is covered. Yet still, lost or stolen credentials are the number one way that breaches happen.
This article will look at why the common password has become such a hit with the cybercriminal and what you can do to help improve password hygiene and achieve best password practice.
Password Policies and Other Myths
Myth 1: The password policy
In the beginning, it was all about the password policy. You’ll have seen this requirement on websites, where you’re asked to enter a password that follows a rule – also known as a ‘password policy’. It goes something like this: “Enter a password. It MUST contain 8 characters, including a capital letter, a number and a special character” (a special character being something like ! or $). It is an annoying practice, isn’t it? But it is also a dangerous one.
By showing the rules of how a password is constructed, you are also giving cybercriminals a heads-up. They can then fine-tune their brute-force attack tools to the rules of the game and, bingo, they have your password.
Myth 2: The longer the password the better
Mystical unknown forces ruled that long passwords were good. They aren’t. Instead, they create a false sense of security. If a user is forced to create a long, complicated password, including multiple character types, they are less likely to remember it. Either they will write it down (as with the 49% of Pew respondents) or they will have to rely on a password recovery system. The former opens a potential security leak.
Myth 3: Force users to change their passwords regularly
This old chestnut is a leftover from when the world was simpler and enterprises had perimeter walls. As those walls became ever fuzzier, and consultants, consumers and other business associates began to access your cloud apps and web apps remotely, the idea of forcing password updates became not only pointless but downright annoying and even insecure. The problem stems from human behaviour. Human beings have a very bad habit of trying to reduce workload. Various studies have found that if you force a password change, all that happens is that the user chooses something similar to the old one, e.g. password1 is changed to password11, because otherwise they can’t remember the password.
The National Cyber Security Centre (NCSC) carried out a study on this behaviour and found that forcing password changes on a regular basis created security issues.
Best Practices to Keep Your Password Working for You
It looks like passwords are here to stay, so we have to use robust strategies to make sure our passwords are optimised. Here are some of the best practices we can use to reduce password fatigue whilst keeping passwords as secure as possible.
Best Practice 1: Three little birds
Two official bodies, the UK’s NCSC and the U.S. National Institute of Standards and Technology (NIST) have updated their advisories on what constitutes a strong password. They now advise on using a ‘passphrase’ rather than a single password. We recommend using three random words as your passphrase/password.
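The “three random words” advice only holds if the words really are chosen at random, so here is an added example (not NCSC or NIST code) of doing that with the OS CSPRNG, alongside the entropy arithmetic behind Myths 1 and 2. The word list is a constructed stand-in; the 7776-word figure used in the comparison assumes a list the size of the EFF long list, and the 94-symbol alphabet is printable ASCII.

```python
import math
import secrets

# Constructed stand-in word list (a real one such as the EFF long list has 7776 words);
# the entropy figures are computed from the list size, so a real list drops in as-is.
WORDS = [
    "anchor", "basket", "canyon", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jungle", "kettle", "lantern", "meadow", "nectar", "orchard", "pebble",
]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy when each of `length` symbols is drawn uniformly at random
    from `alphabet_size` choices: words from a list, or characters from a charset."""
    return length * math.log2(alphabet_size)

def generate_passphrase(words, word_count: int = 3, separator: str = "-") -> str:
    """Pick the words with the OS CSPRNG (secrets), not random.choice(): the strength
    argument only holds if the words really are random, not the user's favourites."""
    return separator.join(secrets.choice(words) for _ in range(word_count))

def compare_strength(list_size: int = 7776) -> dict:
    """Upper-bound entropy of the two contenders: three (and four) random words from
    a list of `list_size` words, versus an 8-character password where every character
    is uniformly random over 94 printable ASCII symbols. A policy-shaped password a
    human actually picks ("Summer2024!") sits far below that 8-character bound, while
    a CSPRNG-chosen passphrase genuinely reaches its figure."""
    return {
        "three_words": round(entropy_bits(list_size, 3), 1),
        "four_words": round(entropy_bits(list_size, 4), 1),
        "eight_random_chars": round(entropy_bits(94, 8), 1),
    }

if __name__ == "__main__":
    print(generate_passphrase(WORDS))
    print(compare_strength())
```

The numbers make the caveat explicit: with a 7776-word list, three words give about 39 bits, so a larger list or a fourth word is the lever if you need to match the theoretical strength of eight random characters.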
Best Practice 2: Double up
Even the strongest password is no defence against a phishing scam. You could have a password of 100 characters, but if you click on a spoof link and enter your password, you’ve just had your password stolen. If it is available, always, always use a second factor, like a mobile code. Note, though, that even a second factor can have vulnerabilities under certain conditions.
Best Practice 3: Vive la différence
One of the issues found during research into passwords by the likes of the NCSC is that users tend towards password reuse. That is, users will use the same password for several accounts. This fits in with expected human behaviour – it is hard to remember loads of passwords. The advice is to use a unique password for each account – this is even more important for accounts of high value, for example, bank accounts or business apps that contain sensitive data.
One way to manage a multitude of unique passwords is by using a password manager/password vault. Password vaults allow you to store all of your passwords in one place. When you log into an account the password manager automatically picks the right password for login. Some also generate a strong password on your behalf, if so required.
Passwords for Creatures of Habit
For a cybercriminal, credential theft is their day job. They live, eat and sleep ways to steal your login credentials. They use every trick in the book to get at passwords, including phishing emails to trick you into entering a password into a spoof site, and simple guesswork. The latter works because human beings are creatures of habit and we tend to pick easily guessable passwords. The former works because cybercriminals know how to manipulate behaviour. Strong passwords are a very good idea and should be used, but we also have to understand what we are up against and how to change our behaviour, so we do not give cybercrime an easy ride.
Information is Beautiful uses data to visualise many areas of our work and lives – check out their chart “Top 500 Passwords: Is Yours Here?” https://informationisbeautiful.net/visualizations/top-500-passwords-visualized/
Have I Been Pwned is a site run by security guru, Troy Hunt – check to see if you have had any of your online accounts compromised: https://haveibeenpwned.com
Dashlane offers a password strength checker: https://howsecureismypassword.net
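Have I Been Pwned, linked above, also publishes its Pwned Passwords data through a range endpoint that a sign-up or password-change form can query without sending the password anywhere: the client hashes the password with SHA-1, sends only the first five hex characters, and matches the rest locally. The following is an added example of that check (not the site’s own client code); the response body is constructed for an offline run, and only the first suffix in it is a real SHA-1 tail.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed stand-in for one HIBP range response (real bodies hold several hundred
# 'SUFFIX:COUNT' lines). The first suffix is the real SHA-1 tail of "password"; the
# count and the second line are made up for the demo.
CONSTRUCTED_RANGE_BODY = (
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471\r\n"
    "1E7F0D7B5B9C6D8E2F3A4B5C6D7E8F9A0B1:2\r\n"
)

def split_sha1(password: str) -> tuple:
    """Hash the password with SHA-1 and split the hex digest into the 5-char prefix
    that is sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]

def parse_range_response(body: str) -> dict:
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts

def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in HIBP; 0 means not seen in this range."""
    prefix, suffix = split_sha1(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)

def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup (not exercised offline). Only the 5-char prefix is transmitted;
    HIBP rejects requests that carry no User-Agent header."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-hygiene-demo"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

if __name__ == "__main__":
    offline = lambda prefix: CONSTRUCTED_RANGE_BODY
    print(breach_count("password", offline))              # found in the constructed body
    print(breach_count("anchor-jungle-pebble", offline))  # not found: 0
```

Swap `offline` for `fetch_range_from_hibp` to run the live check; a non-zero count is the signal to reject the password at sign-up or change time rather than to block the user outright.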