People and Passwords

In today's world, the Internet is a vast place filled with websites, services, and other content. Most content along with computers and other technology requires a password. The number of passwords a person has to know continues to grow. While it’s safe to say we use passwords to keep our accounts confidential, they can also be very frustrating and inconvenient to create and remember. The outcome is the use of simple, common passwords, same password on different accounts, and habits such as writing passwords.

Weak passwords are common

For example, reports from Techspot.com, Fortune.com, and USAToday.com show, that in 2017, passwords like 123456 and football were two of the top ten most used passwords. Why are such passwords still being used? They are easy to remember.  People will often add weak passwords into simple variations where the alpha and number (numeric) strings combined with special characters. For instance, Football and 123456 become Football123456!, a memorable yet easily guessed password. 

Current practices require complex passwords  

Various companies have released their own best practices. Symantec’s how-to article, for instance, states a secure password is at least eight characters in length, has an uppercase, lowercase, and a number. Take [Football] for example. You can replace the “o” for a “0” and “a” for “@” resulting in F00tb@ll. Here, the updated password meets most policies enforced by many web applications such as Google and Outlook. It has an uppercase (F), a lowercase (tball), a number (00), a special character (@), and meets a minimum length of eight characters. Microsoft, however, takes this a step further in some of their guidelines. They state it must not be in the dictionary or incorporate the name of a person or computer. Guidelines such as those in place, demand a complex password. For example, W#T24.ro5*&F is complex yet painful to memorize. 

There is a problem with difficult passwords

People, out of convenience and frustration, will try to circumvent the password policies mentioned. This becomes more prevalent as the policies get stricter. It is hard enough to remember a password like W#T24.ro5*&F. By the time you’ve memorized it, the time has come to change it and you can’t repeat the last 8 passwords. So what do people do? They add or change one or two characters (i.e. W#T24.ro5*&F turns into W#T24.ro5*&F1 or W#T24.ro5*&F123 and F00tb@ll turns into F00tb@ll123 or F00tb@ll321).  While password expiration policies are arguably a best practice, they are not common outside an enterprise environment. Many websites, such as banks, do not require you to change your password regularly and those that do, might not have a decent policy on repeating passwords. This leads to the same or similar passwords used across accounts.

The same password for different accounts is dangerous

Research by LastPass states 59% of people use the same password and 47% apply the same even for work. Notably, the reuse of passwords stems from frustration and convenience. Sure, it's easier to remember one password for everything or variations of the base password, but not advised. To clarify, if an account gets compromised, it puts your other accounts at risk. 

Using Passphrases is better 

We have a hard time remembering many passwords and more so when they have to change often. Similar to starting a different job and learning coworkers' names. Then you find out 60 days later that everybody is being replaced and you now need to remember a different collection of names. It's difficult. For starters, use a passphrase that includes numbers. A passphrase is a password in usage but is longer for added security. For example, 2Cats3DogsRunFar is an easy to remember passphrase. It is a 16-character alpha-numerical password. Why add a number, aren't four or five words enough? No, because modern toolkits can crack a passphrase with four to five words. Adding a number (not just at the beginning or end), or even a space will strengthen the password while keeping it easy to memorize. NIST 800-63-3 supports the use of passphrases. Encourages users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization.

What about password managers?

At the same time, we cannot use this passphrase for other accounts. Instead, use a password manager which will accommodate for having a different password for each account. A password manager is a tool or service that will store your passwords for later use. An example of a common password manager is your browser. I will point out it is not recommended to use your browser's password manager. Some password managers offer free or inexpensive versions. LastPass and RoboForms to name a couple; EverKey, Keeper, and DashLane are pay-to-use.

Be responsible with your passwords

All things considered, having the best passwords does not mean you are 100% immune. Password hashes are stored and anything stored can be stolen. Strong passphrases make it more difficult for a malicious actor. You can use password managers to store passwords but this itself can be risky. For example, browser password managers do not require multi-factor authentication. Remember not use words or dates that can be guessed via social engineering. If a website such as a bank, offers mutli-factor authentication then enable it. Overall, passwords can be a nuisance but dealing with compromised accounts can be much worse.