What exactly is a bad password you ask? Remember the good (insecure) old days when you could just use your son’s name as your password? You didn’t even have to capitalize it.
Then they started making you add a capital letter and a number. Fine. I’m going to use this new one for all my accounts now that they are making it more difficult to remember.
Then, it had to contain at least 8 characters, with a capital letter, lowercase letter, number and a “special character”? And I have to change it every 90 days? Ugh! I can’t remember all that. I am just going to write it down on a sticky note and put it on my monitor. What is someone going to do with my unprivileged account anyway? Or wait…I have an idea.
Time to change that password again. Happy Thanksgiving!
These are all bad passwords in their own way. Maybe you think those last two aren’t so bad. In fact, if you go to security.org and use their password strength checker, it will tell you that a computer would need 400 years to crack either of them. That is a false sense of security. A strength checker estimates how long it would take to try every possible combination of characters, but that is not how passwords actually get cracked. We see these passwords all the time, and there are freely available cracking tools that work from files containing millions of common passwords and real passwords recovered from breaches, then apply “mangling” rules to them: capitalize the first letter, tack on a year and an exclamation point, join two words into a phrase. A holiday greeting with a capital letter and a “!” is exactly the kind of guess those rules produce, and chances are yours is in the list already.
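To make that concrete, here is an added example (my own code, not the article’s and not security.org’s checker) that runs a small wordlist-plus-rules attack against unsalted SHA-256 hashes of the two passwords above and compares the number of guesses needed with the naive try-every-combination estimate a strength meter reports. The wordlist, the “leaked” hashes, and the assumed rate of 10^10 guesses per second are all constructed for the demonstration; real tools ship wordlists with millions of entries and far richer rule sets, so the gap is only wider in practice.

```python
import hashlib
import itertools

# Constructed example data, not from the article: two of the passwords from
# the text, hashed with unsalted SHA-256 the way they might appear in a breach
# dump. The cracker below only ever sees the hash set.
LEAKED_HASHES = {
    hashlib.sha256(p.encode("utf-8")).hexdigest()
    for p in ("Happy Thanksgiving!", "Thanksgiving2020!")
}

# Tiny stand-in for the multi-million-entry wordlists real tools ship with.
WORDLIST = ["password", "welcome", "football", "dragon", "letmein",
            "summer", "spring", "christmas", "happy", "thanksgiving"]

LEET = str.maketrans("aeos", "@30$")   # the substitutions strength meters reward


def mangle(words):
    """Yield candidate passwords: base words plus the rules people actually
    follow when told to add a capital letter, a digit and a symbol."""
    years = [str(y) for y in range(2018, 2025)]
    suffixes = ["", "!", "1", "123"] + [y + s for y in years for s in ("", "!")]
    cases = (str.lower, str.capitalize, str.upper)
    for word in words:                              # one word + suffix
        for case in cases:
            base = case(word)
            for variant in (base, base.translate(LEET)):
                for suffix in suffixes:
                    yield variant + suffix
    for a, b in itertools.permutations(words, 2):   # two-word "passphrases"
        for case in cases:
            for sep in ("", " ", "-"):
                for suffix in ("", "!", "1"):
                    yield case(a) + sep + case(b) + suffix


def crack_sha256(hashes, words=WORDLIST):
    """Return {recovered_password: guess_number} for every hash that is hit."""
    remaining = set(hashes)
    found = {}
    for n, guess in enumerate(mangle(words), start=1):
        if hashlib.sha256(guess.encode("utf-8")).hexdigest() in remaining:
            found[guess] = n
            remaining.discard(hashlib.sha256(guess.encode("utf-8")).hexdigest())
            if not remaining:
                break
    return found


def brute_force_years(length, alphabet=95, guesses_per_second=1e10):
    """Naive 'try every combination' estimate, the figure a strength meter
    reports. Assumed: 95 printable ASCII characters and 10^10 guesses per
    second; expected time to hit the right password is half the keyspace."""
    seconds = alphabet ** length / guesses_per_second / 2
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw, n in crack_sha256(LEAKED_HASHES).items():
        print(f"{pw!r} recovered on guess {n}; brute-force estimate "
              f"{brute_force_years(len(pw)):.1e} years")
```

Both passwords fall inside the first few thousand guesses, which a single laptop core gets through in well under a second, while the keyspace estimate for a 19-character password runs to billions of billions of years. The estimate is not wrong about exhaustive search; it is just measuring an attack nobody runs.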
Are you using the same username and password across all your accounts because you feel the password you chose is so secure? What if one of the applications you log in to allows unlimited login attempts? This isn’t uncommon, and it lets an attacker simply keep guessing until your password falls. Or maybe the account you registered on fakexyz.biz.com a few years ago, just to read an article, was compromised, and the company’s entire table of user emails and passwords has been leaked. Congratulations: your current password is now in the cracking wordlists, and every account where you reused it is at risk. You can go to Have I Been Pwned, enter your email address, and it will tell you which known breaches that address appears in. Its Pwned Passwords search does the same for passwords, reporting how many times a given password has shown up in breach data, and it does so without ever receiving your password: only the first five characters of the password’s SHA-1 hash are sent, and the match is made on your side. You may be surprised at what you find.
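Here is how that password lookup works, as an added example that is not part of the original post. It implements the Pwned Passwords range protocol: hash the password with SHA-1, send only the first five hex characters, receive every hash suffix in that range with its count, and match the remaining 35 characters locally. `fetch_range_live` calls the real API (the URL and the optional Add-Padding header are as documented by Have I Been Pwned, and it needs network access), while `make_fake_range` builds an offline stand-in from a constructed breach table so the example runs without one.

```python
import hashlib
import urllib.request


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the form Pwned Passwords uses in its ranges."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def parse_range(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines a range lookup returns."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times the password appears in breach data, via k-anonymity:
    only the first five hex characters of the hash leave this machine, and
    the 35-character remainder is matched locally against the returned range."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup against api.pwnedpasswords.com (needs network; not used by
    the offline run below). Add-Padding asks the service to include decoy
    entries so the response size does not reveal how many real matches exist."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "pwned-range-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def make_fake_range(breached: dict):
    """Offline stand-in for fetch_range_live(), built from a constructed
    {password: count} table and mimicking the real response format,
    including padding entries with a count of 0."""
    def fetch_range(prefix: str) -> str:
        lines = []
        for pw, n in breached.items():
            digest = sha1_hex(pw)
            if digest.startswith(prefix):
                lines.append(f"{digest[5:]}:{n}")
        for i in range(3):   # decoy suffixes, as the padded live service returns
            decoy = hashlib.sha1(f"{prefix}:pad{i}".encode()).hexdigest().upper()[5:]
            lines.append(f"{decoy}:0")
        return "\r\n".join(lines)
    return fetch_range


# Constructed breach table for the offline run; the counts are made up.
FAKE_BREACHES = make_fake_range({
    "password": 9_000_000,
    "Happy Thanksgiving!": 1_200,
})


if __name__ == "__main__":
    for candidate in ("password", "Happy Thanksgiving!", "correct horse battery staple"):
        print(f"{candidate!r}: seen {pwned_count(candidate, FAKE_BREACHES)} times")
```

To query the real service, pass `fetch_range_live` instead of `FAKE_BREACHES`. Because a five-character prefix covers hundreds of hashes, the service learns only that your password is one of those hundreds, never which one.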
So, what do we do now? What can we consider a good password? The answer is, it depends. The responsibility of a business required to protect data is going to be a little different than the needs of an average user shopping online and visiting social media sites. Both are certainly important and should be handled carefully.
Let’s address business security first. A good starting point is to familiarize yourself with the NIST Special Publication 800-63 Digital Identity Guidelines document suite. It was first published in 2004; the current revision, SP 800-63-3, came out in June 2017 and was last updated with errata in March 2020. Pay special attention to SP 800-63B, Authentication and Lifecycle Management, which is the volume people mean when they talk about “the NIST password guidelines.” Only federal agencies implementing digital identity services are required to follow it, but it sets a standard that has been well researched, evaluated and is credible. Its rules for memorized secrets run counter to most of the policies described above: require at least 8 characters for user-chosen passwords and allow at least 64; accept spaces and all printable characters so passphrases work; impose no composition rules (no mandatory uppercase, digit or symbol); do not force periodic changes unless there is evidence of compromise; screen new passwords against lists of breached and commonly used passwords; and rate-limit failed login attempts. Secure Ideas’ consultant Nathan Sweaney wrote a detailed analysis of this revision back in 2018: These Aren’t The Password Guidelines You’re Looking For.
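The following is an added example (my own code, not NIST’s and not Secure Ideas’) of what a verifier that follows those 800-63B rules looks like: a length floor and ceiling, a breach blocklist, a context-word check, a repeated-or-sequential-character check, a cap on consecutive failed attempts, and deliberately no composition rules or expiry. `BLOCKLIST` is a constructed stand-in for a real breached-password list of millions of entries, and the default limit of 100 follows 800-63B’s guidance of no more than 100 consecutive failed attempts on an account.

```python
import unicodedata
from collections import defaultdict

MIN_LENGTH = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LENGTH = 64   # 800-63B: verifiers must allow at least 64

# Constructed stand-in for a breached/commonly-used password list. A real
# deployment loads millions of entries or queries a service like Pwned Passwords.
BLOCKLIST = {
    "password", "password1", "12345678", "qwerty123", "letmein",
    "happy thanksgiving!", "thanksgiving2020!",
}


def _has_run(text: str, run: int, step: int) -> bool:
    """True if `run` consecutive characters differ by `step` code points
    (step=0 catches 'aaaa', step=1 catches 'abcd' and '1234')."""
    for i in range(len(text) - run + 1):
        window = text[i:i + run]
        if all(ord(window[j + 1]) - ord(window[j]) == step for j in range(run - 1)):
            return True
    return False


def evaluate(password: str, context=()) -> list:
    """Return the reasons a password would be rejected; an empty list means
    accepted. Note what is deliberately absent: no required uppercase, digit
    or symbol, no ban on spaces, and no expiry date."""
    pw = unicodedata.normalize("NFKC", password)   # 800-63B: normalize, count code points
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if lowered in BLOCKLIST:
        reasons.append("appears in the breached/common password list")
    for word in context:   # username, service name, e-mail local part, ...
        if len(word) >= 3 and word.lower() in lowered:
            reasons.append(f"contains context-specific word {word!r}")
    if _has_run(lowered, 4, 0) or _has_run(lowered, 4, 1):
        reasons.append("contains repeated or sequential characters")
    return reasons


class FailedAttemptLimiter:
    """Per-account cap on consecutive failed guesses, the other half of
    800-63B's answer to the 'unlimited login requests' problem."""

    def __init__(self, limit: int = 100):
        self.limit = limit
        self.failures = defaultdict(int)

    def allowed(self, account: str) -> bool:
        return self.failures[account] < self.limit

    def record(self, account: str, success: bool) -> None:
        if success:
            self.failures[account] = 0     # a good login resets the counter
        else:
            self.failures[account] += 1


if __name__ == "__main__":
    for pw in ("Happy Thanksgiving!", "correct horse battery staple", "nathan2020", "abcd1234"):
        print(f"{pw!r}: {evaluate(pw, context=('nathan',)) or 'accepted'}")
```

Notice that “Happy Thanksgiving!” is rejected for the right reason (it is on the list), not because of its shape, and that a four-word passphrase with no digits or symbols sails through. A production verifier would also hash stored passwords with a slow, salted function, which is a separate 800-63B requirement not shown here.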
Maybe you’ve weighed the risk and decided that a complex 8-character password is the better fit for your users, but you are also going to require multi-factor authentication. There are many authenticator apps out there that are user friendly and easy to set up. That combination could meet everyone’s needs and be much more secure than your current requirements, even if those seemed strict when they were put in place. One caveat: MFA limits what an attacker can do with a guessed or leaked password, but the password is still the first factor, so screening out breached and reused passwords and throttling failed logins still matter.
When it comes to personal security, making sure all your passwords are unique and secure can be tricky. As a heavy user of the internet and lover of all things automated, I have no less than 60 different passwords, and they are mostly passphrases. Passphrases are helpful in that they may be easier to remember, longer and more difficult to crack, but not every application allows a space as a character (even though 800-63B says they should). And remembering 60 different ones sounds exhausting. I know I am not alone or even unique in my password predicament. If you are not using a password manager to remedy this, it’s time to change that. I love LastPass and highly recommend it. There is some initial setup, but it will make your online life much easier and more secure. From passwords to addresses to SSH keys, LastPass can hold a lot of info. And the Chrome browser extension is pretty handy.
In 2004, Microsoft Chairman Bill Gates predicted the demise of the traditional password because it cannot “meet the challenge” of keeping critical information secure. While I agree, it’s been almost 20 years and we are still dealing with it. So until you can swallow a pill that mixes with stomach acid to emit a unique, low power signal to connect you to your bank account, keep churning out those passwords. And please, make them as unique as the snowflakes falling upon the London streets.