We have all been conditioned. We have been indoctrinated through years of advice and needing to follow requirements – but perhaps we need to reconsider passwords in the Internet age?
What is wrong with password policies?
For years, we have been told that you need to have passwords that are a mixture of letters (both uppercase and lowercase) and numbers, some special characters (although not too special), and needs to be at least 8 characters long. Yes, that’s all good – but why?
- Must be longer than 8 characters? That’s LAN Manager‘s fault – if a password was 7 characters or fewer, then it was easier to crack.
- Mixture of lowercase, uppercase and numbers? If a password has only lowercase characters, then each character is only one of 26 possibilities – adding in capital letters, and numbers, increases this to 62
- Special characters, on the keyboard? This is mostly to increase entropy (disorder/complexity), but also by adding punctuation increases the available characters above 62
So, even now, there are sites that demand this sort of password policy – but some make it even worse by enforcing set password exact lengths, or restricting the choice of characters.
Forcing all users to have a password of exactly 8 characters is an obvious issue (the hacker knows this, so only attempts 8 character passwords), but also consider this – if the password must contain numbers and uppercase characters, hackers can immediately skip trying all lowercase-only passwords.
Another point that makes it easier for hackers is the reduction of characters able to be selected in the password – when systems are unable to handle Unicode / accented characters or Alt code characters, or even have heavy restrictions on characters that may be reserved by the system for delimeters. This may be because there needs to be an integration with a legacy system that does not support extended character sets, or even worse, because of a perceived requirement for a old legacy requirement. If a hacker is able to identify the backing system’s version is known not to support passwords with characters that are not on the top row of the keyboard, they can skip all the characters that are unsupported and only use accepted passwords in their hacking attempt.
What is wrong with password advice?
We have all had the advice over “bad” password choices; don’t use your social security number, your car license plate number, your pet’s name, your birthdate, spaces (because of the sound it makes), your school name, anything that can be found from your life history, etc. – these are still valid, however the risk vectors have changed.
We were often advised to substitute characters for special characters and numbers – like ! for i or @ for a – but this is bad because not only do the password crackers know these substitutions, it’s actually making our passwords shorter. Using P@ssw0rd! is less secure than password@0P! because the first combination is already in brute-force attack dictionaries.
Internal helpdesk teams are also to blame through poor example. You need to reset (or you have forgotten) your password, and so the helpdesk gives you a new password. What is the password they use? Something simple like Monday123 – not really setting a good example, is it?
We are told to never write your password down. However, I’m sure I’m not the only one who has seen a screen with a password on a post-it note – or even worse, printed with a Dymo label printer alongside the username. However, this will only be use-able by someone who is at that screen (probably why people feel justified in still doing this).
We will always need to be told not to make our passwords out of simple dictionary words or names, and people don’t follow the advice, but the way that we should structure passwords – and remembering them – has changed.
Passwords in the Internet Age
The threat source has changed.
I hear many people (individuals) who exclaim that they do not need to use two factor authentication or complex passwords, because they are not hackworthy – debts and little savings, no pictures they would not want to become public – a “who would want to hack me?” attitude. These are the same type of people who choose basic passwords, and PINs that are painfully obvious, because they don’t feel the need to protect themselves.
The attackers are now less likely to know anything about, or even care, the target they are hacking. Because of the Internet, the hackers have a much wider variety of targets – accounts across the world and from various sources. Most attempts are untargeted, attempting to access the whole system instead of an individual. They are not attempting to hack you, they are attempting to hack the system.
It is more rare now that a hacker will do their background research on you – trying to find concepts or words that might allow an insight into your thought process for coming up with passwords. Hackers want to find weak passwords, and so their success will focus on those weakest parts of the system or the weakest user.
Of course, there are still targeted hacking attacks that will target an individual because they have high levels of access – these people will still be investigated and analysed for password guessing…
The advice for passwords?
Opinions vary, just look on the Internet and there will be a variety of opinions on this – and here is mine;
- Never, ever use a simple password (like “password”, or “Monday123”) for anything, even temporarily. This will be the weak spot to your identity or accounts being compromised.
- Try to use different passwords for different systems – not the same (even variations on the same) for every site. Once one account is compromised, they will all be.
- When you can have a long password, do so – passphrases are the way to go. If you are forced to use capitals, numbers and characters, don’t just use these as simple character substitution, use them to make your password more complex or longer (like delimiters between words in your phrase).
- Educate users, and administrators, on making all passwords secure – don’t let the receptionist be your weak spot!
- For system accounts, service accounts, database accounts, anything that does not need to be remembered by a person – make it super complex, perhaps even adding in some Alt-Code characters, or accented/cyrillic / arabic / Greek unicode characters
- There is justification to write down your password – if you treat that bit of paper in the same way as you would cash or your ID. If you make a password so complex that you can’t remember it – then write it down and keep that paper OFF your screen!