Passwords, why so complicated?
“Be sure to use a strong password” is advice we all regularly hear.
The sheer number of credentials and passwords that we have to manage can be overwhelming and inconvenient, especially if we forget them. While managing passwords may be a pain, it is necessary to protect our personal information. After all, cybersecurity is everyone's responsibility.
With nearly everything going digital, managing our passwords is critical — especially since credential theft remains a primary target for cybercriminals.
So what makes a strong password?
The first time you asked that question, you probably heard an answer like this: 8 characters long, both upper-case and lower-case letters, and at least one number and symbol.
This has been the accepted standard since 2003, when Bill Burr wrote the NIST guidance (SP 800-63, Appendix A) that introduced it. Bill has since admitted he regrets much of that advice. He certainly meant well, but the problem back then was that he had no actual data on which to base his standard.
So is this a history lesson? What’s the point?
Here's the problem. A password like Gc5!b2#a is hard to remember and even harder to type. When you make something complicated for people, they find shortcuts. So, we started creating passwords like Yanks2019 or Bucs2020. But a dictionary word with a capital letter and a year tacked on is exactly the pattern that password-cracking tools try first, so these can be cracked in no time today with a modest laptop and some free downloadable tools.
Adding insult to injury, we are also told to change our passwords every 90 days. So just as you had gotten comfortable with actually typing your new password after numerous calls to the help desk to unlock your account, it was time to change it again. What did we do? Some started adding incremental digits at the end. I admit I did it for years. Others produced patterns like Winter2021, Spring2021, Summer2021, and Fall2021. The beauty here is that you always know your password based on what time of year it is.
Unfortunately, the bad guys do too.
Even worse, another drawback of having complex passwords is that people reuse them. It has been said that the average internet user has upwards of 100 different online accounts. I don't know about you, but I could never remember 100 different passwords, especially if I have to change them all four times a year. What I did years ago was to come up with a couple of strong 'root' passwords and then use a 2-character designator at the end to identify the site or service to make each one unique. That worked pretty well, but I'll admit that passwords did get reused here and there, and once one of them was breached, I had to change all of the others.
So what ACTUALLY does make a good and strong password?
There really is no great password, but if you must use a password, and only a password (no second factor), then there are two main things to consider:
Length. Make your passwords as long as possible. CorrectHorseBatteryStaple (courtesy of XKCD.com) is a much better password than Tr0ub4dor&3: four random common words are far easier to remember and far harder to guess than one word mangled with substitutions. Two caveats: the words have to be picked at random (a song lyric or a quotation is a dictionary entry, not a passphrase), and CorrectHorseBatteryStaple itself is now in every cracking word list, so don't use that one.
Uniqueness. Unfortunately, we still shouldn't reuse passwords. If you've been following the news, the May 2021 outage of the Colonial Pipeline in the U.S. was caused by a ransomware attack that entered the company through a VPN account that had no multi-factor authentication, using a reused password that had already turned up in an earlier breach. Try a password manager like 1Password or LastPass, so you don't have to remember all 100 of them; let it generate a different random password for every site.
The XKCD graphic below (xkcd.com/936, "Password Strength") illustrates the benefit of using a passphrase over a traditional password.
What about complexity?
We surely can't throw out the numbers and symbols!
Sure we can...mostly. Complexity rules don't make passwords stronger in practice; they push people toward the same handful of substitutions (P@ssw0rd1!) that every cracking tool's rule set already tries. NIST itself dropped the composition rules in its 2017 revision of the guidance (SP 800-63B). We still see complexity requirements, and I think they're here to stay for the near future. We all have audit requirements and security administrators who are set in their ways, but someday those annoying numbers and symbols should be gone forever.
What about the 90-day reset?
Well, the three-month reset was instituted just in case a password was breached: by resetting it periodically, the bad guys would have access for at most 90 days. With today's tools and skills, if a hacker got their hands on your password, they wouldn't need much more than 90 minutes to get what they came for, and forced rotation mostly produces the Winter2021/Spring2021 patterns above (the same 2017 NIST revision dropped the periodic change requirement). Because of this, we now recommend you change a password when there is evidence it has been breached. Try HaveIBeenPwned.com to see whether your email address appears in known breaches, and its Pwned Passwords service to check a password itself; that check sends only the first five characters of the password's SHA-1 hash, never the password, so the service cannot learn what you typed.
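Here is an added example (not from the original post) of how that Pwned Passwords check works under the hood, so you can see why it is safe to run against a real password: the client hashes the password with SHA-1, sends only the first five hex characters of the hash as a range query, gets back every known suffix in that range with a breach count, and does the match locally. The sample range response below is constructed for the example (the suffix for "password" is real, the other lines and the counts are made up); the live lookup function against https://api.pwnedpasswords.com/range/ is included but not exercised here.

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password: str):
    """Return (prefix, suffix): the first 5 and remaining 35 uppercase hex
    characters of SHA-1(password). Only the prefix ever leaves the machine;
    with a 5-hex-character prefix, every query matches about 1/2^20 of all
    known hashes, which is the k-anonymity that protects the password."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into
    {suffix: count}. Entries with count 0 are padding (sent when the
    client asks for Add-Padding) and are dropped as if absent."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, range_body: str) -> int:
    """How many times the password appears in known breaches according to
    the range response for its prefix; 0 means not found."""
    _, suffix = split_sha1(password)
    return parse_range_response(range_body).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live range query (needs network). The API requires a User-Agent;
    the value here is an assumption for the example, not an API rule."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "passphrase-blog-example", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def is_pwned(password: str) -> int:
    """End-to-end live check; returns the breach count (0 if unseen)."""
    prefix, _ = split_sha1(password)
    return breach_count(password, fetch_range(prefix))


# Constructed sample of a range response for prefix 5BAA6. The second line
# is the real suffix of SHA-1("password"); the other suffixes and all the
# counts are made up for the example, and the last line is a padding entry.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
    "2E7A7A3E47A9E0EFA0F44B4C6BA3E97D2D0:1",
    "7F3C2D4E5A6B7C8D9E0F1A2B3C4D5E6F7A8:0",
])


if __name__ == "__main__":
    prefix, suffix = split_sha1("password")
    print("sent to the service:", prefix)
    print("kept locally:", suffix)
    print("breach count for 'password':",
          breach_count("password", SAMPLE_RANGE_5BAA6))
```

Two practical notes. The service sees the five-character prefix and your IP address, nothing else, which is why tools like password managers can run this check on every saved password without leaking them. And the check answers "has this exact string been seen in a breach", not "is this password strong": a long random passphrase that returns 0 is fine, but a clever-looking password that returns 0 may simply not have been caught yet.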
Tips for Better Passwords
In short, on behalf of Information Security Departments everywhere, I apologize for making you remember terrible passwords. From here on out, remember these simple tips for better passwords:
Longer is better
Unique is paramount
Reset if you’ve been breached
Who is Greg Gammino? Our resident security expert, Greg Gammino, is ELM's Director of Information Security & Data Protection Officer. Greg has more than 20 years of IT Engineering and Information Security experience. Prior to joining ELM, Greg led security operations across several industries, including Healthcare, Fulfillment and Logistics, IT Consulting, and Higher Education.