World Password Day is apparently a day for “taking our passwords to the next level”, so here are five traditions the crooks and password crackers really, really don’t want us to start.
1. Don’t reuse passwords
In 2007, Dinei Florencio and Cormac Herley at Microsoft Research looked into the password habits of half a million users in their large-scale study of website password habits. They found that the average user needed about 25 distinct passwords but only had about six.
The average user has 6.5 passwords, each of which is shared across 3.9 different sites. Each user has about 25 accounts that require passwords That’s a problem because it rewards anyone who steals one of your passwords with the key to a number of other sites as well, making the damage far worse.
In his article “Is it *really* such a bad idea to use a password twice,” Paul Ducklin tells the story of how in early in September 2014, crooks uploaded nearly 5 million Gmail account names and passwords to a Russian Bitcoin forum. Website hosting giant WordPress searched its own user database for the stolen credentials and found 700,000 matching email addresses and 100,000 matching email and password combinations.
In other words, for each email account the crooks compromised they also had a 1 in 14 chance of successfully compromising a WordPress account too, something well worth the effort of just rattling the keys in the lock.
If your password is stolen in a data breach then you should expect that the crooks will try it out on Facebook, Twitter, WordPress and any other websites they think you might be using too.
2. Don’t use weak passwords
In his recent research paper, Eugene Panferov goes in search of a canonical password strength measure and argues in the end that there isn’t one: "There is no such thing as 'the best practice of password choosing,' there are bad practices, bad choices, and the only thing we can do is to avoid them."
It’s an interesting way to think about how we choose our passwords. I’ve noticed that guidelines for creating strong passwords, such as “use a long, random collection of numbers, upper- and lower-case letters and wacky characters,” are often turned into arbitrary rules that make passwords easier to guess, like “your password MUST be between eight and twelve characters long and contain at least one uppercase character and one number!"
So instead of thinking about what makes a password strong, think about avoiding these common pitfalls: don’t pick one of the 10,000 most common passwords; don’t use personal information, an animal, sports team, business name, nickname, quotation, family member, phrase, collections of related words or pet names; avoid dictionary words; and don’t expect to fool anyone by using common missspelllings, $ubst1tuti0ns or by adding numbers53 on the end.
3. Don’t share your passwords
Are you good at keeping secrets? Good, because that’s what a password is – a secret. And if you share a password, it’s not a declaration of true love and it’s not a secret any more either.
The trouble is that many of us just don’t think of passwords like that. A recent survey by the purveyors of password management software, LastPass, found that 95 per cent of us share up to six of our passwords with each other. And it’s not just a bad habit of end users, it’s a bad habit practised by IT professionals who should know better too, as the RSA 2016 conference survey revealed: "…one in three IT security professionals polled at RSA Conference 2016 admit that their IT staff share passwords. It’s a common IT administration practice."
If you share a password, you lose control of it because you don’t know who else the person you shared your password with shared it with, who they emailed it to or where they wrote it down.
4. Don’t trust password strength meters
Password strength meters have become a common adornment for websites and apps that require you to choose a password. Unfortunately, many of them flatter to deceive with vague wording, fancy graphics and arbitrary rules that look important but might actually make your password weaker.
About a year ago I put a selection of really, really bad passwords through five of the most popular password strength meters. They all failed and not only that, they didn’t agree.
Others have been shown to send passwords unencrypted across the internet, store them in unknown Google spreadsheets and accidentally leak them to 3rd party marketing companies (that was the CNBC password testing tool in case you’re wondering).
There are some excellent password strength meters out there, such as the rigorously tested zxcvbn that’s used by Dropbox and WordPress, so some passwords strength meters are trustworthy. Unfortunately, you can’t tell them from the ones that aren’t.
5. Don’t change passwords to a pattern or schedule
The sage advice used to be to update your passwords every thirty days or every few months to limit the damage that a compromised password can do.
It’s advice that’s been taken up by IT departments and individuals alike but it’s advice that’s aged badly as the number of passwords we have to keep has grown. In the modern world it translates to “you must create and remember about 25 completely new and unrelated random passwords every month”.
Advice that’s good in theory pushes us into taking shortcuts that make cracking our passwords easier; if we’re forced to change our passwords all the time we end up picking shorter passwords, simpler passwords, more memorable passwords, we change them according to guessable patterns and algorithms, and we reuse them.
Researchers at University of North Carolina who looked at the practice in detail concluded: "…we confirm previous conjectures that the effectiveness of expiration in meeting its intended goal is weak."
Organisations from the FTC to GCHQ are now advising against arbitrary password expiration because, as password guru Per Thorsheim put it in his recent call to arms on the subject: "…there is tons more of opinions, (academic) research, penetration test results etc that shows the exact same thing: mandatory password changes should die ASAP."
If you can create and remember a full set of new, strong passwords every month that’s great, but don’t force anyone else to do it because the chances are they can’t.
Mark Stockley, Sophos
Photo credit: bannosuke / Shutterstock