Debunking 4 common password security myths
Yes, password length and complexity matter, but only if you apply those qualities to the proper security context.
Talking about password security is a guaranteed crowd-snoozer, a surefire way to make people shut down and tune out, but the reality is that passwords are still important. Email or social media, online banking or gaming, educational applications or online services—anything that keeps some kind of user data still depends on passwords to keep miscreants out. Attackers will continue merrily looting bank accounts and taking over online services if users don’t step up and use better passwords.
We all know the basics—don’t use “password” and don’t repeat the same password across different accounts. Turn on two-factor authentication on online accounts wherever possible—one-time passwords via SMS messages is still better than nothing. Use a password manager to track all the passwords. Unfortunately, a lot of password advice sounds reasonable, but needs context to be helpful. Following are some ubiquitous password myths, clarified.
Password myth 1: Your password needs to have mixed case, numbers and special characters
Truth: There’s a limit to how much security complex passwords can give you. Yes, “letmein” is a bad password, but “Password1,” “Abc123”, and “Passw0rd” aren’t any better, despite having mixed case and numbers. It’s always a bad idea to create passwords based on a dictionary word. Substituting some of the letters for numbers or symbols isn’t that clever or unique an idea. Password crackers know to include words like “vuln3rabl3” or “trustno1” in their lookup tables. In fact, the latter password made SplashData’s top 25 worst list of commonly used passwords back in 2014.
To be fair, using mixed case, numbers and special characters makes the password much stronger than just using lowercase. While exact figures will vary by the amount of processing power on hand, a modern computer will take two days to crack an eight-character password that is all lowercase (since there are 26^8, or 208,827,064,576 possible combinations), but a large botnet will take only 1.8 seconds. Mixed case helps slow down the cracking, and throwing in a special symbol or two bumps up the number of combinations.
All the mixed case, numbers and special characters won’t do any good if the string isn’t actually random. Consider that “1qaz2wsx” and “1q2w3e4r” showed up on SplashData’s top 25 list in 2015 and 2016, respectively. Users are trying to follow the rules, but using sequential key variations or common patterns undermines the good this rule is supposed to accomplish. Password crackers know about sequential key patterns and can look at the keyboard to find potential patterns, too.
Password myth 2: A good password must be extremely long
Truth: Longer is definitely better, but eight to twelve characters can be adequate. This myth isn’t wrong, since shorter passwords take far less time to crack, or brute-force, than longer one. The attacker trying to guess a password that’s only six-characters long is going to have far easier time than one that is eight-characters, or even ten-characters long. On a modern computer, an eight-character password that uses mixed case and numbers will take 5.88 years to crack, but just 31 minutes on a strong botnet. Increasing the password to 10 characters will take that same botnet 83 days. A 10-character password "%ZBGbv]8g?" using letters, numbers, and symbols could take 289,217 years on a computer and three years on a botnet.
You don’t even need to use symbols and numbers—a mixed-case password that is 40-characters long will take more than a thousand years to crack. Obviously, long passwords are the way to go and we need to make sure that passwords are extremely long, no matter what. (What hashing technique is being used before storing the passwords also matters, but that’s not relevant here.)
Not so fast. Let’s think about the threat model. What is the biggest problem being addressed here? If the biggest concern is that someone will break into the database and steal password hashes, then extremely long and complex passwords are definitely the way to go. But the average enterprise is most concerned about password reuse and phishing, in which case the length of the password doesn’t really matter. If the attackers have already intercepted the actual password through a phishing campaign, then it doesn’t matter if the password is eight, 20, or 50 characters. Copy and paste and the attackers are in. If users are being asked to enter 20-character passwords and don’t have password managers, then passwords are going to be reused. That’s a given.
What’s being protected? That also matters. For something that may be considered low-risk—maybe the local public library—eight-character passwords are good enough. Something that has your entire financial history? A longer password is necessary. Security is a tradeoff – you protect the most valuable accounts with Ft. Knox-level protections. Don’t reuse passwords, watch out for phishing scams, and for many accounts, eight-character passwords can be good enough. This is why NIST’s latest guidelines are fine with eight-character passwords.
There is also a side problem: Passwords are so long that it’s easier for users to just use the “Forgot password?” link and use the knowledge-based-answers to reset the password. It’s much, much easier for people to find out the name of your pet or the city you grew up in than to guess your password.
Password myth 3: Never write down passwords
Truth: It is more about how you do it. Along with using “Password1” as the password, the ultimate sin in password insecurity is writing down the password. However, it’s not always a terrible idea. “Don't write it on a sticky note and put it on your desk with the note reading ‘My new 401K password for Fidelity,’ but writing down a new, long, complex password while you burn it into your memory and keeping it in your wallet or purse for a week until you get that muscle memory of typing it isn't really a problem,” says Chet Wisniewski, a security expert with antivirus company Sophos. He also writes down important ones and stores them in a safe deposit box so that his family can “unlock our lives” in the case of an accident.
Password myth #4: Periodically mandating password changes improves security
Truth: It just makes it more likely users will select weak passwords. Requiring routine password changes was a staple of enterprise security policy until very recently. Some organizations even specify minimum password ages to prevent users from immediately switching back to the previous password, password histories to prevent re-use of passwords, and minimum number of characters to change to assure that a new password is "different enough" from a previous one. Mandatory password changes made sense when the big concern was that passwords may be leaked or exposed, and when the organization has proof that passwords were exposed, forcing a password reset is a good idea. But changing passwords just because an arbitrary number of days have passed? Not really.
The new NIST recommendations say to make password security less complex, because elaborate rules make it harder for users to do their jobs and drive up administrative and support costs for implementing and enforcing the rules. While changing passwords regularly sounds good, it makes it harder for end users to remember the latest password. They respond by reusing passwords or creating patterns that are easy to guess. (Switching from Password1, Password12, Password123, and so forth is one such pattern.)