It's World Password Day! And you know what that means: all the effort you've put into trying to persuade people to rethink how they do passwords turns to mush because some company sees a PR opportunity and floods social media with terrible advice.
This year's award for Terrible Password Advice goes to the wireless industry's lobbying organization, the CTIA. It has even set up a dedicated webpage that it joyfully tweeted out to people this morning.
"It's World #PasswordDay! A reminder to change your pins/passwords frequently," it advised anyone following the hashtag "PasswordDay". But this, as lots of people quickly pointed out, is terrible advice.
But hang on a second: isn't that the correct advice? Weren't all sysadmins basically forced to change their systems to make people reset passwords every few months because it was better for security?
Yes, but that was way back in 2014. Starting late 2015, there was a big push from government departments across the world – ranging from UK spy agency GCHQ to US standard-setting National Institute of Standards and Technology (NIST) and consumer agency the Federal Trade Commission (FTC) – to not do that.
That said, the past few years has been virtually defined by the loss of billions of usernames and passwords from corporations, ranging from your email provider, to your credit agency, home improvement store, retail store and, yes, even government departments.
In that case, does it not in fact make sense to get people to periodically change their passwords? Well, yes. And no.
Yes, because the information would age and so become irrelevant faster. No, because constant resets eat up resources, tend to nudge people toward using simpler passwords, and don't really make it harder for some miscreant using a brute force attack to guess the password.
Critical infrastructure needs more 21qs6Q#S$, less P@ssw0rd, UK.gov security committee toldREAD MORE
But we wouldn't be at all surprised to find that in 2019, following a shift in hacking patterns, everyone advises regular password changes, and the 2021 World Password Day sees some organization lambasted for offering 2018's advice.
There is no shortage of organizations and individuals that are willing to tell you what to do about passwords: NCSC, CESG, NIST, FTC, Google, Microsoft, Mozilla, Edward Snowden, to name just a few.
All of which suggests to us that is may be time to go meta and look at the different aspects of passwords and often conflicting advice that comes with each. And then to provide you, dear readers, with the best possible password advice – which we can all mock in two years' time.
Strap in, here we go.
Random or pronounceable?
Everyone agrees that using the word "password" for a password is pretty much the dumbest thing you can do. But so many people still do it that designers have been forced to hardcode a ban on the word into most password systems.
But from there – where do you go? How much better is "password1"? Is it sufficiently better? What about switching letters to other things, like "p@ssw0rd"? Yes, objectively, that is better. But the point is that there are much better ways. And that comes down to basically two choices: random or pronounceable.
The best random password is one that really is random i.e. not a weird spelling that you quickly forget but a combination of letters, numbers and symbols like "4&bqJv8dZrXgp" that you would simply never be able to remember.
But here's the thing – the reason that particular password is better is largely because in order to use and generate such passwords, you would likely use a password manager. And password managers are great things that we'll deal with later.
But here’s the thing: if someone is trying to crack your password randomly they are likely to be using automated software that simply fires thousands of possible passwords at a system until it hits the right one.
In that scenario, it is not the gibberish that is important but the length of the password that matters. Computers don't care if a password is made up of English words - or words of any language. But the longer it is, the more guesses will be needed to get it right.
As our dear truthsayer XKCD points out: "Through 20 years of effort we've successfully trained everyone to use passwords that are hard for humans to remember, but easy for computers to guess."
Of course, a big part of that assumption is that there will be lots of people that will introduce numbers and symbols and uppercase letters into their password. Without them, password-cracking software would limit itself to lowercase letters and so find the correct login much faster.
Because length can be a critical factor, and because typing random letters and numbers is much more taxing for people, there are lots of people and organizations that argue that people should come up with passwords that comprise several random words that you can actually remember. XKCD used "correct horse battery staple" as an example.
There is merit to this argument and Google has been pushing the approach for a number of years. So which is better?
The answer is: both and neither. The pronounceable words approach is better if you want to remember the password and type it in. But it would be undermined if huge numbers of people weren't also using numbers and symbols in their passwords.
Plus of course there is the reality that many organizations institute strict password policies when you sign up with them that often require you to have an uppercase letter, a number and/or a symbol. In these cases, your pronounceable-words password won’t actually work.
The random password can be much more effective overall because it typically forces users to approach passwords differently – often using a different password for each different user. Now that is better security because it stops other accounts that use the same password from being compromised. And, if you are already using random passwords that you can't possibly remember, then why not use longer versions? What do you care?
Conclusion: use pronounceable if you want to remember the password; random otherwise. But make sure it's not too short (less than, say, 10 digits).
That leads to:
Password manager or brain?
There are really, really good reasons to use a password manager. For one, if you can make it a habit to use one for every login you have, you are immediately increasingly your overall security because every login will be different.
Plus, since you are using software to save and paste in passwords, why not up that password length? This combination is a really good way to be secure online and is the best kind of security you can have within the context of the inherently insecure system of a single username/password to gain access to confidential information.
But there are downsides, and using your good old-fashioned brain has some distinct advantages.
The biggest of course is that it is in your brain and not stored on a hackable database somewhere. As great as password managers are, they are still software and so are susceptible to security holes.
Of course these companies go to extra lengths to protect security. But commercial imperatives drive less secure solutions. For example, one of the best password managers, 1Password, shifted its accounts to an "online vault" where all your passwords are stored and then accessed from your phone/computer etc rather than those passwords being stored on your device itself.
There are good reasons for this. For example, you no longer have to sync between devices to make sure everything is up-to-date. And, from the companies' perspective it makes it much, much easier for the company to charge a monthly fee rather receive a one-off purchase – good news for the bottom line.
Unfortunately, that approach also makes the company a target for every hacker in the world: if you can crack its system, you have access to everything. Plus, of course, there is the uncomfortable fact that governments the world over have ways of forcing companies to provide them access to confidential information, sometimes complete with gag orders.
And there is the issue of usability: opening an app or a piece of software every time you want to get into a website can be a pain.
On the flipside, you carry your brain around with you all the time and it is, largely, open and unlocked. Plus your brain doesn't come with an annual renewal fee. An unlocked, unhackable database? Amazing. Right there in your head.
Conclusion: use and get used to a password manager. Unless you are working on something extremely confidential. But if you are, then you shouldn't be accessing it solely through a username/password interface anyway.
Frequently change your password?
As discussed above, there are good reasons to do so and not to do so.
Frequent changes mean that the old password is useless. At least in theory. The reality, as multiple researchers have discovered, is that since we are humans and not computers this approach brings with it a whole range of other issues.
For one, if people have to keeping changing their passwords, they will tend to use shorter and less secure versions. They put less store in a password's inherent security because it's going to change again soon. That is obviously completely irrational but, let’s be honest, it also makes sense because most of us don't really believe we are going to be hacked.
Frequent changes also eat up an enormous amount of resources: systems have to be constantly updated and people have to be constantly urged to make changes. And, of course, they keep forgetting the "new" password, leading to more changes and more time with tech support.
It's a question of balance: do the benefits of periodically changing password outweigh the downsides? And in most cases, they will not.
In scenarios where people have good reason to suspect that will be actively targeted by hackers, it could make sense. But then people in those positions should already be acutely aware of the need for operational security, including using long, complex passwords that they periodically change. Having some guy from IT jump in every couple of months to tell them to do what they are already doing is just unnecessary and annoying.
So what we are really talking about is people who are hopeless at security but in important positions: so, basically, C-suite execs and politicians. The answer for them: get their staff to do it.
The most common forced-password changes will likely come from companies like Twitter (we kid you not - Twitter did exactly this after we wrote this line) that get hacked and then impose a password change on everyone. But at a corporate level, leave it alone as a policy.
Conclusion: don't force periodic password changes, despite its appeal.