About two years ago, the US National Institute of Standards and Technology (NIST) published its four-volume Digital Identity Guidelines, which among other things made three important recommendations on password rules. The UK National Cyber Security Centre (NCSC) published similar guidance. Their recommendations can be summarized as follows:
- End password complexity policy
- End password expiration policy
- Encourage use of password managers
With the exponential growth in the number of online services and applications, each and every one of us has a growing number of online usernames and passwords to remember. Some of us have over 50 of them to deal with regularly. Remembering these passwords, coupled with all the complexity and expiration rules, is a huge burden for users. Yet not much has changed in the industry despite these recommendations. Organizations and security standards like PCI-DSS (used by banks and payment companies) continue to promote these outdated practices simply because that’s how it has always been done. In the words of Bruce Schneier, “usable security doesn’t mean ‘getting people to do what we want.’ It means creating security that works, given (or despite) what people do”. We need to step up and admit that we have a password problem. Let’s take a deeper look at these outdated practices.
Password Complexity Rules
Password complexity rules are one of the most burdensome behaviors the security industry has imposed on users. Users are usually required to provide a unique complex password, minimum 8 characters with one upper case letter, one lower case letter, one number, and one symbol, for every account or online service they sign up for. So you end up with something like “Adm1n1str@t0r!” or “[sK8|a_C%Ef9]”. After creating this complex password, they are advised never to write it down or reuse it somewhere else. Yes, that’s fine! But in reality that seems like an uphill task for many. Bill Burr, the man who invented those standards back in 2003, has himself admitted that they are basically useless today. The problem wasn’t that Burr was advising people to make passwords that are inherently easy to crack, but that his advice steered everyday computer users toward lazy mistakes and easy-to-predict practices.
While complexity rules make passwords seem secure on the surface, the issue is that most people adhere to certain patterns when creating them, and those patterns are well known to criminals. Time and again, research has shown that users have difficulty remembering complex passwords, so they end up writing them down or saving them in places that are easy for an intruder to find, which defeats the whole goal of security in the first place. If a user does manage to create a complex password, the next challenge begins: remembering it and entering it correctly, which is especially hard when numbers and special characters are involved and you can’t even see what you type. Errors are pretty likely, so one of the most-pressed buttons on every website is the “I forgot my password” button, and the cycle continues.
Security experts broadly agree that passphrases and password managers are the way to go. Passphrases are easier to remember and harder to crack: length, not complexity, is what drives entropy. How can you possibly remember the many passwords you have to deal with every day without a password manager? It is the best way to cope with unique password requirements.
Password Expiration Rules
Password expiration policy, which forces users to change their password every 90 days or so, is an outdated practice. It was hinged on the assumption that it would take about 90 days to crack the average password hash. But today’s enormous computing power makes this policy irrelevant. Passwords that would have taken an attacker 90 days to crack twenty years ago now take seconds or hours. Regular password changes don’t do anything to actually secure you; they only make you feel secure. For just a few dollars, you can obtain a password cracking tool that can recover an 8-character password, no matter how many capital letters or special characters are involved. These tools, coupled with high computing power, have been used by attackers to expose millions of passwords after a breach.
If you keep forcing people to change their passwords in your workplace, they are going to come up with methods that make the new password easy to remember, such as incrementing the letter or number at the end of their password in a predictable pattern. We all know this, and the criminals know it too.
Don’t make people change their passwords unless there is an indication of compromise. With tools like Have I Been Pwned and Google’s Password Checkup browser extension, you can easily tell whether your password is among those exposed in a breach. If you have a high-risk account you need to secure, use Multi-Factor Authentication (MFA). This is one of the simplest, most effective ways to secure any authentication requirement.
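The two points above, length over composition rules and a breach check in place of expiry, can be put into one password policy. The example below is added here and is not from the original post, NIST, or Have I Been Pwned: it enforces only a minimum length and a breached-password lookup (no complexity rules), simulates the SHA-1 prefix range lookup that the Pwned Passwords API uses against a small constructed breach set, and compares the entropy of an 8-character complex password with a word-list passphrase (the 7776-word list size is an assumption, not a figure from the post).

```python
import hashlib
import math

# Constructed sample of "breached" passwords standing in for real breach data.
BREACHED_PASSWORDS = ["Adm1n1str@t0r!", "Password1!", "Summer2023!"]
# Index of uppercase hex SHA-1 digests, the form Pwned Passwords uses.
BREACH_INDEX = {hashlib.sha1(p.encode()).hexdigest().upper() for p in BREACHED_PASSWORDS}


def hibp_range(prefix):
    """Simulate the k-anonymity range API: the caller sends only the first
    5 hex characters of the SHA-1 and receives every matching suffix, so the
    full hash of the candidate password never leaves the client."""
    return {h[5:] for h in BREACH_INDEX if h.startswith(prefix)}


def is_breached(password):
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in hibp_range(prefix)


def check_password(password, min_length=8):
    """NIST-style acceptance check: a length floor and a breach lookup,
    with no upper/lower/digit/symbol composition rules."""
    if len(password) < min_length:
        return False, "too short"
    if is_breached(password):
        return False, "found in breach corpus"
    return True, "ok"


def entropy_bits(pool_size, length):
    """Entropy of a uniformly random secret: length * log2(pool_size).
    For a passphrase, pool_size is the word list size and length the word count."""
    return length * math.log2(pool_size)


if __name__ == "__main__":
    for pw in ["Adm1n1str@t0r!", "short1!", "correct horse battery staple"]:
        print(pw, check_password(pw))
    # 8 random printable-ASCII characters (95 symbols) vs 5 random words
    # from an assumed 7776-word list: the passphrase carries more entropy.
    print("8-char complex:", round(entropy_bits(95, 8), 1), "bits")
    print("5-word passphrase:", round(entropy_bits(7776, 5), 1), "bits")
```

Note that the length and breach checks apply to the password itself; the entropy figures assume random selection, which is exactly what human-chosen patterns like “Summer2023!” lack.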