Ah, the blissful days on my first programming job. We had no passwords. A cipher lock on the employee entrance was enough security. Those days are as gone as last winter’s snow days in August.
I don’t know anyone who likes passwords. The best I can say for them is that they protect computer systems better than nothing and they are relatively easy to implement. The truth is that password-protected systems are breached all the time. Passwords are better than no protection, but that’s all. Breaking into a password-protected system is in the league with hot-wiring a 1957 Buick.
The end of passwords has been predicted for decades and the computer industry is inching closer, but I don’t see the end of passwords in sight.
Why? Because the alternatives also have flaws, and most have high implementation costs. There are no sudden changes on the horizon; any transition away from passwords will be gradual. The most likely change is more, and stiffer, nudges toward multi-factor authentication, the two-step login that many high-risk systems already insist on. Multi-factor authentication, which usually involves your cellphone or email, is annoying but much harder to defeat than a password alone, because a stolen password by itself no longer gets the attacker in.
If we are stuck with passwords, we ought to follow practices that increase security and maximize ease of use. Fortunately, NIST, the federal standards agency within the Department of Commerce whose Digital Identity Guidelines (SP 800-63B) set the password rules that most organizations follow, has noticed that the password policies that annoy users also encourage them to work around the rules, usually in unsafe ways. The most recent recommendations are actually easier to follow than the old rules.
The old rule was to change passwords frequently. That’s out. When people are forced to change their passwords frequently, they resort to common passwords that are easy to remember, use simple spelling variations to reuse passwords, or write them down in obvious places, all of which make password theft easier, not harder.
The old rule about password complexity (a mixture of letters, numbers, symbols, and upper and lower case) is also out. Password crackers know that “$” substitutes for “s” and zero substitutes for the letter “o” and all the rest; they apply those substitutions as rules, which multiplies their work by a small constant per word rather than by the size of the alphabet. Short complex passwords are therefore not much more difficult to crack than an uncommon but short all-lowercase password. Length is different: every character added multiplies the work again. Passwords over twelve characters are difficult to crack. Planning and executing a trip to Jupiter probably consumes fewer resources than cracking an eighteen-character password that is not a common phrase.
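To put numbers on the length-versus-complexity point, here is an added example (not from the original post) that computes the keyspace, the equivalent bits, and the worst-case exhaustive-search time for three password shapes, and counts how many spellings a cracker's substitution rules add to one dictionary word. The rate of 1e11 guesses per second is an assumption standing in for GPU hardware against a fast unsalted hash, and the substitution table is an illustrative subset, not figures from the post.

```python
import math

# Assumed offline guessing rate against a fast, unsalted hash: 1e11 guesses/s,
# roughly what a rack of GPUs manages against MD5 or NTLM. This figure is an
# assumption chosen for illustration, not a number taken from the article.
GUESSES_PER_SECOND = 1e11
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Sizes of the character classes a composition policy can demand.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS  # 95 printable ASCII characters

# Substitutions a cracker's rule set applies to dictionary words ("leet" rules).
# Illustrative subset; real rule files are longer but still a constant factor.
LEET = {"a": "@4", "e": "3", "i": "1!", "o": "0", "s": "$5", "l": "1", "t": "7"}


def keyspace(length: int, alphabet: int) -> int:
    """Candidates of exactly `length` symbols drawn from an alphabet of `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(candidates: int) -> float:
    """Work factor in bits: the uniform randomness `candidates` equally likely values represent."""
    return math.log2(candidates)


def years_to_exhaust(candidates: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second."""
    return candidates / rate / SECONDS_PER_YEAR


def leet_multiplier(word: str) -> int:
    """How many spellings a rule set must try to cover every leet variant of one word.
    This is all the extra work '$' for 's' buys: a small constant factor per word."""
    count = 1
    for ch in word.lower():
        count *= 1 + len(LEET.get(ch, ""))
    return count


def compare_policies() -> dict:
    """Bits and exhaustive-search years for three password shapes."""
    shapes = {
        "8 chars, all four classes": keyspace(8, ALL_PRINTABLE),
        "12 chars, lowercase only": keyspace(12, LOWER),
        "18 chars, lowercase only": keyspace(18, LOWER),
    }
    return {
        name: {"bits": entropy_bits(n), "years": years_to_exhaust(n)}
        for name, n in shapes.items()
    }


if __name__ == "__main__":
    for name, r in compare_policies().items():
        print(f"{name:28s} {r['bits']:6.1f} bits  {r['years']:14.4g} years")
    # A dictionary word with every leet rule applied is still only a few dozen candidates.
    print(f"'password' leet variants: {leet_multiplier('password')}")
```

At that rate the eight-character complex password and the twelve-character lowercase one both fall within days, while the eighteen-character lowercase phrase takes millions of years, and “password” with every substitution applied is still only 54 candidates. That is the whole argument for length over complexity in three numbers.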
Therefore, a long nonsense phrase that sticks in your memory is a strong password, unless the phrase is commonly used. The test is uniqueness: a phrase nobody else would have written down is very safe. Resist the urge to check by searching for it, since typing a password into a search engine hands it to a third party; NIST instead tells the operators of sites to check new passwords against lists of known compromised ones. When you have a strong password, NIST recommends that you stick with it unless it gets compromised in some way. That long password will make you a tough customer to break.
The rest of the new guidelines are rules for how systems accept, check, and store passwords. They apply to the programmers who build those systems, not to end users.
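For the programmers’ side of the guidelines, here is an added example, not code from the original post, of a verifier written in the spirit of NIST SP 800-63B: a length floor and a generous ceiling with no composition rules and no scheduled expiry, a check against known compromised passwords, and a salted, deliberately slow PBKDF2-HMAC-SHA256 hash compared in constant time. The compromised list is a constructed stand-in for a breach corpus, and the iteration count is a conventional work factor, not a value from the post.

```python
import hashlib
import hmac
import os
import unicodedata
from typing import Optional

# Verifier-side rules in the spirit of NIST SP 800-63B: a length floor, a
# generous ceiling, no composition rules, no scheduled expiry, a check against
# known-compromised values, and a salted, deliberately slow hash.
MIN_LENGTH = 8
MAX_LENGTH = 64
PBKDF2_ITERATIONS = 600_000  # SHA-256 work factor; tune to your hardware budget
SALT_BYTES = 16

# Constructed stand-in for a breach corpus. A real deployment checks against a
# large list (or a k-anonymity lookup service); these entries are for illustration.
COMPROMISED = {"password", "123456", "qwerty", "letmein", "p@ssw0rd", "summer2024!"}


def normalize(pw: str) -> str:
    """Unicode-normalize so the same passphrase typed on different keyboards matches."""
    return unicodedata.normalize("NFKC", pw)


def policy_rejection(pw: str) -> Optional[str]:
    """Return why a new password is rejected, or None if it is acceptable."""
    pw = normalize(pw)
    if len(pw) < MIN_LENGTH:
        return "too short"
    if len(pw) > MAX_LENGTH:
        return "too long"
    if pw.lower() in COMPROMISED:
        return "found in a list of compromised passwords"
    return None  # deliberately no "needs a digit / symbol / capital" rule


def hash_password(pw: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted PBKDF2-HMAC-SHA256; the salt and work factor are stored with the hash."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", normalize(pw).encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        alg, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if alg != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(pw).encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    for pw in ["P@ssw0rd", "tiny", "correct horse battery staple"]:
        print(f"{pw!r}: {policy_rejection(pw) or 'accepted'}")
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))
    print(verify_password("correct horse battery stable", record))
```

Two details matter in practice: the stored record carries its own salt and iteration count, so the work factor can be raised later without invalidating old hashes, and the comparison uses `hmac.compare_digest` so a wrong guess takes the same time as a right one.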
But there is another catch: password reuse. Hackers know that people tend to use the same password on multiple accounts. As soon as a bad guy gets a password, he tries it, along with a hundred predictable variations, on every other account you hold; the trade calls this credential stuffing (its cousin, password spraying, tries one common password against many different accounts). Most passwords are not cracked; they are obtained by trickery. For example, a bogus phone call from a fake IT guy asks for your password and you give it to him without thinking. Within seconds the stolen password and its variants are being tried against your bank account. To limit the damage from such a mistake, never reuse the same password or an easy variant on different accounts.
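To make the “hundred variations” concrete, here is an added example (not from the original post) that generates the mutations an attacker applies to one leaked password, namely capitalization changes, common suffixes, leet substitutions, and neighbouring years, and checks whether another password falls inside that set. The rule set is an illustrative subset chosen here, not a list taken from the post or from any particular cracking tool.

```python
import re

# Mutation rules an attacker applies to one leaked password before trying it on
# your other accounts. Illustrative subset chosen for this example, not a rule
# file from the article or from any real cracking tool.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "!", "1", "123", "!1", "2023", "2024", "2025", "01"]
YEAR_RE = re.compile(r"(19|20)\d\d")
TRAILING_JUNK = re.compile(r"[\d!@#$%^&*.?]+$")


def strip_suffix(pw: str) -> str:
    """Drop a trailing run of digits/punctuation so 'Summer2023!' yields the stem 'Summer'."""
    return TRAILING_JUNK.sub("", pw) or pw


def case_variants(pw: str) -> set:
    return {pw, pw.lower(), pw.upper(), pw.capitalize(), pw.swapcase()}


def leet_variants(pw: str):
    """Each substitution on its own, then all of them together."""
    for ch, sub in LEET.items():
        yield pw.replace(ch, sub)
    out = pw
    for ch, sub in LEET.items():
        out = out.replace(ch, sub)
    yield out


def year_bumps(pw: str):
    """If the password embeds a year, the neighbouring years are the first guesses."""
    m = YEAR_RE.search(pw)
    if not m:
        return
    year = int(m.group())
    for y in (year - 1, year + 1, year + 2):
        yield pw[: m.start()] + str(y) + pw[m.end():]


def attacker_variants(leaked: str) -> set:
    """Every candidate the rule set derives from one leaked password."""
    bases = set()
    for stem in {leaked, strip_suffix(leaked)}:
        bases |= case_variants(stem)
    out = set()
    for base in bases:
        out.update(base + suf for suf in SUFFIXES)
        out.update(leet_variants(base))
    out.update(year_bumps(leaked))
    return out


def is_easy_variant(leaked: str, other: str) -> bool:
    """True if `other` would fall to a stuffing attack seeded with `leaked`."""
    return other in attacker_variants(leaked)


if __name__ == "__main__":
    leaked = "Summer2023!"  # constructed example of a password exposed in a breach
    print(len(attacker_variants(leaked)), "variants tried from one leak")
    for other in ["Summer2024!", "summer123", "$umm3r", "Winter2023!"]:
        print(f"{other:14s} {'falls' if is_easy_variant(leaked, other) else 'survives'}")
```

“Summer2024!”, “summer123” and “$umm3r” all fall to a single leak of “Summer2023!”; only a password with a different stem survives, which is the point of the advice above.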
Just when you thought the new guidelines made your life easy, it all falls apart when you consider the hundreds of accounts you probably have.
Unless you are prodigiously organized and blessed with the memory of a crossed mother elephant, password managers are the answer: one long, strong, and memorable password for a password manager that generates and stores random passwords for all your accounts. They are not perfect, but most people are safer with one.
Choosing a password manager is a subject for another post.