- by Jennifer Lyn Walker
I have pontificated on passwords plenty. So, it should not be perplexing that on World Password Day I might purposefully ponder the persistent problem. Oh, but wait…there’s more! It’s also Star Wars Day! While I fancy myself more of a Star Trek enthusiast, I thought I’d try a little play on the pair (of themes). I promote what Paul Ducklin posted, “World Password Day is always hard to write tips for, because the primary advice you’ll hear has been the same for many years.” But let’s proceed, shall we?
If you recall, nearly 20 years ago Bill Gates prematurely postulated that passwords were dead. While we do have some passwordless proponents (e.g., Google, Dashlane), here we are in 2023 and passwords are still pertinent today and for the projected future. As I’ve stated before, Bill is probably perturbed that his prediction was poor, but regardless of your preferred posterity, until passwords perish, we still need to encourage and enable users to break the propensity toward paltry password preferences.
When it comes to password hygiene, a Jedi master, Jedi, or perhaps a password Padawan, are you (or your staff)?
Jedi master
- Uses a password manager to securely create and store longer, stronger (less crackable) passwords.
- Establishes unique credentials across all sites, services, and applications – never reusing between work and personal.
- Employs phishing-resistant MFA or passwordless methods.
- Changes passwords when advised of a data breach.
Jedi
- Might not use a password manager.
- Maintains separate credentials for work and personal.
- Creates longer passwords/passphrases, but may still use predictable substitutions (e.g., ‘a’ = ‘@’).
- Employs MFA in some form (even a text-based SMS code is better than no MFA at all).
Padawan
- Doesn’t use a password manager.
- Doesn’t employ MFA, unless forced to do so.
- Writes passwords on “Post-It” notes in plain sight.
- Uses common dictionary words and obvious increments when forced to change a password.
Possible Path Away from Password Pitfalls
As long as passwords are still ubiquitously used to protect our information from unauthorized access, it’s our responsibility to encourage users (and practice what we preach) to stop creating poor passwords with easily guessable and predictable, thus easily crackable, patterns – even hashed/encoded passwords are easily cracked when they are predictable. People are creatures of habit and predictable – these facets of our personalities are frequently taken advantage of by cyber threat actors looking to crack passwords from the latest data breach repositories. For instance, even though phishing for credentials is a top cyber attack vector, many threat actors don’t need to rely on phishing because password guessing is so easy.
We may never prevail over the password problem before it passes away, but until then there are procedures we can promote toward a positive password posture.
Password managers you must have. To take the guesswork out of password creation, encourage users to use a password manager. There is no doubt that without a password manager, complex passwords are difficult to remember and lead us to the perpetual password pitfalls. As it is believed that the only secure password is one you can’t remember, password managers are a great solution to help reduce some of the most common password fails – simple password creation, password reuse, password predictability, and passwords on "Post-It" notes.
You must unlearn what you have learned. For users who still don’t want to use a password manager, consider a training session on password creation – specifically, how to create less crackable passwords, the importance of changing passwords after being advised of a data breach, and the dangers of password reuse. Hive Systems has some great resources to help, including a fascinating table, The Time it Takes a Hacker to Brute Force Your Password in 2023.
Ideally, passwords that consist of a minimum of 15 to 20 randomly generated letters are fairly secure. Just don’t base your password on anything that’s easy for someone to learn about you – such as through social media – regardless of how long it is.
According to Hive Systems, it can take as little as 4 seconds to crack a randomly generated 7-character password (like a password manager would create) that contains upper and lowercase letters, numbers, and symbols. Add one more character and it still takes only 5 minutes to crack an 8-character password. When you increase that to 12 characters, the time to crack increases to 226 years; 13 characters, 15k years. Even if you omit the symbols, a 13-character password with only upper and lowercase letters and numbers still takes 332 years to crack. Isn’t your data worth the extra 6 characters for a password that couldn’t be cracked within your great-great grandchildren’s lifetime?
Hive Systems does indicate that these statistics assume an attacker is cracking your password from scratch. However, if your password has been previously stolen, uses simple (dictionary) words, or is reused across multiple sites and services, all bets are off. In this day and age, an attacker with a cache of stolen credentials has the ability/resources to crack your password in an instant – regardless of length or complexity.
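As an added illustration (not from the original post, and not Hive Systems’ own method), the following Python works the arithmetic behind the figures above: the keyspace and exhaustive-search time for the lengths and character sets discussed, contrasted with the far smaller search space of the Padawan pattern (dictionary word, predictable substitutions, incremented suffix). The guess rate and the pattern sizes are assumptions chosen only to set the scale, and the 94-character set omits the space character.

```python
import math
import string

# Character-set sizes for the password classes discussed in the post.
CHARSETS = {
    "letters": len(string.ascii_letters),                                         # 52
    "letters+digits": len(string.ascii_letters + string.digits),                  # 62
    "letters+digits+symbols": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}
# ASSUMPTION: offline guess rate against a fast, unsalted hash. The post quotes
# Hive Systems' times but not their rate; this value only sets the scale.
ASSUMED_GUESSES_PER_SECOND = 2e13

def keyspace(charset_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` chosen uniformly from the set."""
    return charset_size ** length

def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(charset_size: int, length: int,
                       rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at the assumed rate."""
    return keyspace(charset_size, length) / rate

def pattern_keyspace(words: int, substitution_variants: int, suffixes: int) -> int:
    """Candidates for 'dictionary word + leet substitutions + short suffix':
    the Padawan habits above shrink the search to this, whatever the length."""
    return words * substitution_variants * suffixes

def human(seconds: float) -> str:
    """Render a duration in its largest sensible unit."""
    for name, size in (("years", 365.25 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {name}"
    return "instantly"

def crack_table(lengths=(7, 8, 12, 13, 15, 20)) -> dict:
    """Map (charset name, length) -> human-readable exhaustive-search time."""
    return {(name, n): human(seconds_to_exhaust(size, n))
            for name, size in CHARSETS.items() for n in lengths}

if __name__ == "__main__":
    for (name, n), t in crack_table().items():
        print(f"{name:>22} x {n:2d} chars: {t}")
    # ASSUMED pattern sizes: 100k-word list, 16 substitution variants, 2-digit suffix.
    secs = pattern_keyspace(100_000, 16, 100) / ASSUMED_GUESSES_PER_SECOND
    print("word+leet+suffix (any length):", human(secs))
```

The point to take from the output is not the exact years (those depend on the assumed rate) but the gap between a uniformly random 15- to 20-character password and a nine-character word-plus-substitution password that is exhausted instantly.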
Security questions and answers matter not. Remind users how malicious actors use those annoying security questions and answers to reset passwords they can’t crack. Some users may still be surprised that actors search public information and count on us using honest answers. To avoid the risk of an account takeover, encourage users to set security answers to something nonsensical – and securely store the questions and fake answers in the password manager!
May all we strive to password Jedi masters be.