First, the TL;DR. For important access, keep your passwords long and complex; for trivial access, not so much. And many of the 'rules' around passwords don't make sense.
A few weeks ago, I wrote about IT journalism's fixation with the latest and greatest hacks, intrusions and other bad behaviour, generally to the detriment of simpler aspects of security. In that article, I suggested that there would be a series of follow-up pieces offering useful advice to smaller users. This is the first.
As much as they are maligned, and as much as the "death of the password" has long been predicted, passwords are still with us and probably will be for some time to come.
Let me start by saying that a lot of what you hear about passwords is quite correct. But, conversely, a lot of well-meaning advice is wrong.
Let's offer some thoughts on what is correct.
Yes, passwords should be complex.
There are a couple of reasons for this. Firstly, there are plenty of programs out there that are excellent at cracking passwords, with John the Ripper (and Hashcat) being the obvious examples. John the Ripper is very quick to attempt multiple passwords against a password hash. It (and pretty much all the others) will try every dictionary word and every line of most popular songs; it will append and insert numbers; and it understands "leet-speak" (the habit of substituting numbers and symbols for similar-looking letters: '3' for 'E', '@' for 'a' and so on), applying those substitutions systematically through a rule engine rather than one at a time. Further, they make use of lists of passwords exposed in previous breaches, which are the first thing tried.
Secondly, beyond these "cracking" programs, we also have "rainbow tables", which are precomputed databases mapping hashes back to plain-text passwords (strictly, a rainbow table stores chains of hashes rather than every hash/password pair, which is how it fits into terabytes rather than exabytes, but the effect for the attacker is the same). If the hash exists in the table, so does the password. Fortunately (for us average punters) any useful rainbow table is huge, occupying many terabytes, making them relatively unwieldy for all but the most determined ne'er-do-well. Mostly, rainbow tables are created by generating passwords and hashing them, storing both. One thing no table gets around: it only works against hashes computed without a salt. A site that mixes a random per-account salt into each stored hash forces the attacker back to cracking every hash individually. You can't tell from the outside whether a site does that, which is one more reason to make the password itself hard.
So, you should make your password too complex to appear in any such table and too complex to be discovered by a cracking program.
Broadly, the rules we typically see that specify a minimum length and a mix of character types are sensible: both enlarge the space of possibilities that a table must store or a cracker must search. So, any password of at least 10 (preferably 12) characters, that includes a mix of upper and lower case, a few digits and some other characters, is currently about the minimum you should have when you care about the access being managed.
But please, don't confine yourself to capitalising the first letter of a word or substituting a couple of 'leet' characters; those are exactly the rules the crackers apply first. Be a little more creative!
• password (pointless)
• Password1 (very slightly less pointless)
• MyPa55word (marginally better, but still trivial to crack: it is "my password" with two of the standard substitutions)
• aNAp91ef0RmytE#ch3R (pretty good – if you couldn't read it, it's "AnAppleForMyTeacher" with all manner of variation). However, good luck remembering how to type it!
As an alternative, you might consider taking a line from a favourite song and "modifying" it. Perhaps something like "And!findItk1NDafuNnyiFinDitKindaSad" – significantly easier to type than the 'teacher' one, perhaps a little longer, and definitely tougher for the nasty dudes: the extra length does more for you than dense symbol soup, provided the modifications aren't the standard ones the crackers already know.
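To show why the first three examples fall and the last two survive, here is an added example written for this edit (it is not from the original article, nor John the Ripper's code). It implements a cut-down set of mangling rules in the spirit of a cracker's rule engine (case changes, leet substitutions, appended digits and symbols), runs them over a small constructed wordlist against the article's example passwords (with "MyPa55word" as the leet form of "MyPassword"), and then builds a precomputed lookup table to show what a per-account salt does to it. The wordlist, the rule set, and the use of plain SHA-256 in place of a real password hash are this example's own assumptions, chosen so it runs offline.

```python
import hashlib
import itertools
import os

# A cut-down rule engine in the spirit of John the Ripper's wordlist rules
# (this example's own rules, not John's syntax): case changes, look-alike
# ("leet") substitutions and appended digits or symbols.
LEET = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$"}
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "!1", "123"]

# Constructed wordlist: dictionary words, a phrase and a song lyric, stored in
# lower case the way a real wordlist carries them.
WORDLIST = [
    "password",
    "my password",
    "an apple for my teacher",
    "and i find it kinda funny i find it kinda sad",
]

# Constructed targets: the article's examples; "MyPa55word" is the leet form
# of "MyPassword".
EXAMPLES = [
    "password",
    "Password1",
    "MyPa55word",
    "aNAp91ef0RmytE#ch3R",
    "And!findItk1NDafuNnyiFinDitKindaSad",
]


def hash_password(text: str, salt: bytes = b"") -> str:
    """Plain SHA-256 stands in for whatever a site stores, so the example runs
    offline. A real verifier should use a slow, salted hash (bcrypt, scrypt, Argon2)."""
    return hashlib.sha256(salt + text.encode()).hexdigest()


def case_variants(entry: str):
    """'my password' -> 'mypassword', 'Mypassword', 'MyPassword' (no duplicates)."""
    words = entry.split()
    joined = "".join(words)
    seen = set()
    for variant in (joined, joined.capitalize(), "".join(w.capitalize() for w in words)):
        if variant not in seen:
            seen.add(variant)
            yield variant


def leet_variants(word: str, max_subs: int = 2):
    """Yield the word unchanged, then with up to max_subs letters swapped for
    look-alike symbols, in every combination of position and symbol."""
    positions = [i for i, c in enumerate(word) if c.lower() in LEET]
    yield word
    for k in range(1, min(max_subs, len(positions)) + 1):
        for combo in itertools.combinations(positions, k):
            options = [LEET[word[i].lower()] for i in combo]
            for subs in itertools.product(*options):
                chars = list(word)
                for i, s in zip(combo, subs):
                    chars[i] = s
                yield "".join(chars)


def candidates(wordlist):
    """Every guess the rules produce: case x leet x suffix, per wordlist entry."""
    for entry in wordlist:
        for cased in case_variants(entry):
            for mangled in leet_variants(cased):
                for suffix in SUFFIXES:
                    yield mangled + suffix


def crack(target_hashes, wordlist, salt: bytes = b""):
    """Hash each candidate and compare with the targets; returns hash -> plaintext."""
    remaining = set(target_hashes)
    found = {}
    for cand in candidates(wordlist):
        digest = hash_password(cand, salt)
        if digest in remaining:
            found[digest] = cand
            remaining.discard(digest)
            if not remaining:
                break
    return found


def crack_examples():
    """Map each example password to what the rules recover, or None if it survives."""
    targets = {hash_password(p): p for p in EXAMPLES}
    found = crack(targets, WORDLIST)
    return {p: found.get(h) for h, p in targets.items()}


def build_table(wordlist):
    """Precompute hash -> plaintext for every candidate: the idea behind a rainbow
    table (a real one compresses this into chains, but the lookup is the same)."""
    return {hash_password(c): c for c in candidates(wordlist)}


def precomputation_demo(password: str = "Password1"):
    """Return (hit without salt, hit with salt) for one password against the table."""
    table = build_table(WORDLIST)
    salt = os.urandom(16)  # a site picks this per account and stores it beside the hash
    unsalted_hit = table.get(hash_password(password)) == password
    salted_hit = table.get(hash_password(password, salt)) == password
    return unsalted_hit, salted_hit


if __name__ == "__main__":
    for pw, recovered in crack_examples().items():
        print(f"{pw:40} {'cracked' if recovered else 'survived the rule set'}")
    print("table hit without salt, with salt:", precomputation_demo())
```

Note that the lyric itself is in the wordlist, and "AnAppleForMyTeacher" is there too: knowing the phrase is not enough when the casing and substitutions are irregular. A real rule set is far bigger than this one, so treat "survived" as "survived these rules", not as proof of strength.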
In parallel with passwords, we also have biometrics (fingerprint, face, voice, iris etc.), but in most consumer systems the biometric merely unlocks a credential stored on the device, often a text password that is then released to the system that validates the access. The password is still the thing being protected, so not a lot of improvement, really.
The last advice I will give here is that you should use none of my suggestions here. They are guidance and examples only. Rest assured that the "bad dudes" will add them to the wordlists built into every quick-access intrusion tool available. They are also entirely unrelated to any password I have ever used!
So, with all that in mind, what advice have people received that is entirely pointless?
My first irritation is the insistence that passwords be changed regularly. Why? If the password is so good that it conforms to all the rules, and there's no evidence that it has been compromised, why change it? Why create the possibility (probability!) that the user will forget it, write it down, or simply bump the digit on the end? That rule makes no sense at all, and current NIST guidance (SP 800-63B) agrees: change a password when there is evidence of compromise, not on a schedule.
Next, we have the insistence that you should use a different password for every location that requires one. This rule belongs in the final circle of hell!
There are two likely outcomes from this: firstly that people will probably create some kind of pattern that links a password stub with the name of the web site. If one of the passwords is leaked, then the method is revealed and access to every other site is simple (for the intruder). The other is that people will create great passwords every time, and then forget them. I'd love to see password reset statistics for a range of major websites. To be fair to the rule, it exists for a real reason: a password exposed in one site's breach is routinely replayed against other sites ("credential stuffing"), so reuse across sites that hold anything you value is genuinely dangerous. The usable way to have a distinct password everywhere is a password manager, which is the subject of the next article.
In parallel to this are the websites that insist on the most amazingly convoluted password rules merely to access a document that ought to be freely available. I've regularly seen this with the "big four" consultancy firms. They are adding to the problem, not helping!
So, you might ask, "after all this negativity, what is a good password? Are there good rules for creating and using them?"
First, some "motherhood" statements:
- Passwords are a useful form of authentication, but not the best.
- The strong password you remember is better than the very strong password that you forget.
- Longer (and more complex) passwords are better than shorter and simpler ones. Twelve characters is a useful minimum, although that will increase as cracking hardware improves.
- The places that demand a password for no good reason are deserving of a weak one.
My first recommendation is to select a simple, easy to remember password that can be used in places where neither you nor the website care about any level of security. Ensure this password is only used in places where no personal information is stored (beyond your email address and name).
For somewhat more secure uses, create a password root structure that can be modified and extended for each location it is used. As an example, your password root might be "B@ck!n8lack" (that's related to "Back in Black" for AC/DC aficionados), into which you might insert a number that represents the third letter of the domain name (e.g. iTWire.com would be 23 for the 'w') along with a letter three places further along the alphabet from the last letter of the domain name (the 'e' of iTWire gives 'h'). Thus the final password might be B@ck23h!n8lack. Of course, now published, this scheme should never be seen again! Use your own. And keep the earlier caveat in mind: a couple of these passwords leaked in plain text give away both the root and the position of the variable part, so this tier is for sites where an intruder getting in would be an annoyance rather than a loss.
For highly secure access, your online banking for instance, you will need to create similarly "difficult" and lengthy passwords, but each must be unrelated to every other password you use: no shared root and no extension rules as described in the previous paragraph.
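To make that caveat concrete, here is an added example written for this edit (not code from the original article). It implements the root-plus-token scheme exactly as described, then plays the intruder who has obtained the same person's password from three different sites and works out, without knowing the rule, what the root is and how few guesses remain for a site not yet seen. The insertion position after the fourth character is taken from the article's worked example; the three leaked sites and the "digits plus one letter" token shape the intruder assumes are this example's own constructed inputs.

```python
import itertools
import string

# The article's example root and rule. Published, so it must never be used.
ROOT = "B@ck!n8lack"
# Assumption: the per-site token goes after the fourth character, which is where
# the article's worked example ("B@ck23h!n8lack") puts it.
INSERT_AT = 4


def site_label(domain: str) -> str:
    """'iTWire.com' -> 'itwire': the first label of the domain, lower-cased."""
    return domain.lower().split(".")[0]


def site_token(domain: str) -> str:
    """The article's rule: alphabet position of the third letter ('w' -> 23), then
    the last letter shifted three places along the alphabet ('e' -> 'h')."""
    label = site_label(domain)
    number = string.ascii_lowercase.index(label[2]) + 1
    shifted = chr((ord(label[-1]) - ord("a") + 3) % 26 + ord("a"))
    return f"{number}{shifted}"


def derive(root: str, domain: str) -> str:
    """Build the per-site password the way the article describes."""
    return root[:INSERT_AT] + site_token(domain) + root[INSERT_AT:]


def common_prefix_len(strings) -> int:
    n = 0
    for chars in zip(*strings):
        if len(set(chars)) != 1:
            break
        n += 1
    return n


def recover_root(leaks):
    """Intruder's view: given (domain, password) pairs leaked for one person, split
    each password into the shared root and the per-site token. This needs no
    knowledge of the rule, only that the passwords differ in one contiguous region."""
    passwords = [p for _, p in leaks]
    pre = common_prefix_len(passwords)
    # Common suffix, measured on the reversed strings minus the prefix already taken.
    suf = common_prefix_len([p[::-1][: len(p) - pre] for p in passwords])
    first = passwords[0]
    root = first[:pre] + first[len(first) - suf:]
    tokens = {d: p[pre:len(p) - suf] for d, p in leaks}
    return root, pre, tokens


def guesses_for_new_site(leaks):
    """Every password the recovered root could produce for a site the intruder has
    not seen, assuming only the token shape observed in the leaks (1-2 digits then
    one lower-case letter). Returns an empty list if that shape doesn't hold."""
    root, pos, tokens = recover_root(leaks)
    if not all(t[:-1].isdigit() and t[-1].islower() for t in tokens.values()):
        return []
    return [root[:pos] + f"{n}{c}" + root[pos:]
            for n, c in itertools.product(range(1, 100), string.ascii_lowercase)]


if __name__ == "__main__":
    # Constructed leak: the same person's password from three sites.
    leaks = [(d, derive(ROOT, d)) for d in ("iTWire.com", "google.com", "amazon.com")]
    root, pos, tokens = recover_root(leaks)
    print("recovered root:", root, "token position:", pos, "tokens:", tokens)
    guesses = guesses_for_new_site(leaks)
    target = derive(ROOT, "example.com")
    print(f"{len(guesses)} guesses cover the unseen site:", target in guesses)
```

The 2,574 remaining guesses are trivial offline and well within reach of any login form that doesn't rate-limit, which is the reason the banking tier must not share a root. With only two leaks that happen to share the shifted letter, the common-suffix step folds that letter into the root; an intruder simply tries both splits, which is why three leaks are used here.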
In my next article, we will look at password managers and alternate authentication technologies.