They frustrate users and professionals alike... passwords are, quite simply, a pain in the @rse. There, its been said but it isn't said enough and its time we stop and look at the stress we are causing for users... We'll discuss the benefits of Single Sign On in another article but for now, let us take a look at the basics of passwords.
TL:DR - Discussion on advice for passwords, our guidance provided at the end.
For years I've been watching the advice given by others on what makes a good password for users. Often when faced with policies that require a complex password, users are told to use mixed upper and lower case with some numbers and symbols thrown in. Then I've worked with security firms that, when giving access to their systems, provided me with passwords that looked secure but were missing two important points:
It was so complex there was no way to remember it, so it was written down or copied into a text file
Just because something looks complex, doesn't mean it is complex. Machine generated = difficult to remember, easier for machines to guess.
Whether you choose to follow the guidance below is entirely your call, every company is different and cultures with staff vary BUT remember one thing, people are people and the general issues they pose are common no matter what.
At a recent engagement we brought in a consultancy to provide briefings to our staff, I'd started after the briefings had been arranged but regardless of that, the chap delivered some excellent content but some of the advice was flawed and contradicted the guidance we had been giving out.
Lets look at what was said and compare to what we actually should be saying.
Passwords should not be a dictionary word or name - OK, happy with that as we know, with time, it is very easy to brute force a dictionary password.
Passwords should use mixed case - Again happy with this but I'm not certain the value in reality is as beneficial as it sounds. You see, most people will save time and put the uppercase character at the very start.
Passwords should use special characters - more standard advice, great stuff. But users will typically go with something that fits in to one or two standard patterns.
They will make the mixed character the first on the numeric list and then increment from there - e.g. Password!, Password" etc
They will make a common character substation so a = @ or s = 5 or $, e.g. P@ssword
Passwords should be as long as possible - the longer the better, right?
Passwords should be changed frequently, around 45 days - OK just got used to my password and now it has to be changed.
Everything was standard fare, the often trotted out guidance to users that misses several things we need to remember and want to avoid:
Users have many passwords, the more passwords they have the more likely they are to write them down or rely on local password managers
Relying on local key managers, such as the browser or additional software means that passwords are now a potential target and accessible. Stored browser passwords can be revealed in seconds on the screen (if you don't lock down your browsers) and 3rd party key managers are prone to vulnerabilities
We ideally want users to use various strong passwords without the need to keep them anywhere other than in their head.
Lets get back to the advice given above, if we add all that together we've just told the end user their password must resemble something like Q@zswsxwdcrfvtgb!
Fab! We've got a nice long password, looks complex and has hit all the rules, or has it? Take a further look, could a user really remember that or would they have to write it down? Knowing that users have many passwords to remember, it would be likely written down somewhere and incremented to Q@zwsxwdcrfvtgb" after 45 days.
At least it is complex, or so it seems. Is there an easy to follow pattern? Once you see the pattern, you'll start to see what users are doing to make those "complex" passwords and you can bet the tools that are out there will aware of such patterns.
Qwertyuiop! Theres another.
OK I give up! What advice can we give to users?
All passwords are, at some level or point in time, going to be crackable. The aim, however, is to make life as easy for yourself, your users or your customers but as difficult as possible for the bad guys.
Passphrases - These actually work, they work really well and produce extremely difficult passwords to guess or crack but are easy to remember. Take a line or verse from a favourite song, pick the first letter from each word, randomise the capital letters - TIghmargtIfaatwitioy! Ok that was probably a little OTT but if you are a fan of Queen, its an easy password to remember and you'll end up humming the song in your head all day = happy times.
Dictionary combinations - Another favourite of mine, combining 3 or more random dictionary words together to make something easy to remember and extremely difficult to crack or guess. But didn't we advise earlier on not using dictionary words? Well, yes, but the difference here is that multiple dictionary words are no longer a dictionary word if that makes sense. Take Solid, Colour, Spain, Volkswagen and combine them together "SolidColourSpainVolkswagen". No longer a dictionary word but three words that are easy to remember and quick to type.
Password length - if you introduce the above as a method for your users, they shouldn't even notice if you make them at least 12 characters long. Why not use this as a way to force the adoption of the above?
Both passphrases and word combinations enable you to require longer passwords but making them easy to remember. I'd rather see people use iterations of a few very good passwords than have many passwords that are stored somewhere or just the same password reused. Throw in a requirement for at least one special character and even if it appears at the end it will act as a sort of salt.
The advice on dictionary words is good enough for our friends at CESG too, they also understand that forcing the traditional complex passwords just isn't workable, you can see their guidance here:https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
Get in touch via the main site if you would like to discuss staff training and briefings, or, If you would like to know more about what you should be doing to protect your user credentials . Our policies cover from password rules through to how applications should store credentials in a safe way to protect hashes and to ensure no password is revealed even if they are leaked.