Sunday, 7 May 2017

Another Post About Top Password Mistakes

There are plenty of blog posts about the top mistakes people make when choosing passwords, and just to add myself to the mix I'll write one more.  There are a lot of misconceptions about what makes a good password, so here are some common mistakes, including a couple that other "top 5 password mistakes" posts actively advise you to make.  I'll explain my reasoning for each one.

1. Passwords Too Short

This has to be the most common one.  I've worked with computers long enough to remember when a 4 or 6 character password was considered fine.  It isn't.

Brute force attacks on passwords keep getting faster.  The realistic threat is not someone typing guesses into a login form (which can be rate limited) but an attacker who has obtained a copy of the hashed password database, and can then test candidates offline at millions or billions of guesses per second, with no lockout to slow them down; serious attackers have GPU rigs or "botnets" of hijacked computers to throw at the job.  How fast each guess is depends on how the site hashed the passwords: a slow, salted hash such as bcrypt or Argon2 costs the attacker orders of magnitude more per guess than a single round of MD5 or SHA-1, but when you're logging on to someone else's website you have no way of knowing which they used, so assume the worst.  Against a fast hash a 6 character password falls in seconds on an average computer.  A 12 character password should be considered the minimum, and I recommend 20 characters.

2. Assuming That Complex Passwords Are Safer

It's common for IT departments to make people use "complex" passwords, meaning passwords that must contain upper and lower case letters, digits, punctuation marks, special characters and so on.  Against a brute force attack this buys far less than it appears to.  Each extra character multiplies the search space by the size of the alphabet no matter how "complex" that character is, so a 12 character password of lowercase letters (about 56 bits of entropy) is a much bigger search than a 6 character one drawn from every printable character (about 39 bits).  What slows a brute force attack down is password length, not complexity.

Worse, people don't satisfy complexity rules with random characters: they capitalise the first letter, swap a few letters for look-alike digits and append a digit or a symbol, and password crackers try exactly those patterns first.  The well-known XKCD comic on password strength makes this point: a "complex" password such as Tr0ub4dor&3 works out to roughly 28 bits against a pattern-aware attacker, while four random common words come to about 44 bits and are far easier to remember.  Complexity rules also encourage users to write the password down somewhere, which throws away whatever small gain the rule provided.

NIST's updated password guidelines (SP 800-63B) put the myth that complex passwords are safer to rest: they recommend against composition rules altogether, in favour of length and checking new passwords against lists of known-breached ones.

Articles that recommend complex passwords for extra safety can safely be ignored.  Advice that tells you to avoid one password mistake by making another isn't worth following.
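To put numbers on the length-versus-complexity argument of sections 1 and 2, here is a small entropy calculator.  It is an added example, not code from the original post.  The guess rate is a constructed assumption (an offline attacker against a fast unsalted hash on a single GPU rig); the 28-bit and 44-bit figures are XKCD 936's own estimates, and the word-list sizes are the standard Diceware list (7776 words) and XKCD's 2048-word common-word list.

```python
import math

# Constructed assumption, not a figure from the post: an offline attacker who
# holds a copy of the hash database and attacks a fast unsalted hash such as
# MD5 or NTLM on a single GPU rig. Real rates vary with hardware and hash
# function; the ratios between the rows below do not.
GUESSES_PER_SECOND = 1e10

# Alphabet sizes used for the comparison.
LOWERCASE = 26
PRINTABLE_ASCII = 95
DICEWARE_WORDS = 7776      # standard Diceware list; each word is one "symbol"
XKCD_COMMON_WORDS = 2048   # XKCD 936's 11-bits-per-word common-word list


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose `length` symbols are each drawn uniformly
    at random from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def xkcd_complex_pattern_bits() -> int:
    """XKCD 936's accounting for a 'complex' password built the way people
    actually satisfy composition rules (Tr0ub4dor&3 style). A pattern-aware
    cracker only has to search these choices, not 11 random printable chars."""
    parts = {
        "uncommon base word": 16,
        "capitalisation": 1,
        "common substitutions": 3,
        "added numeral": 3,
        "added punctuation": 4,
        "order of numeral and punctuation": 1,
    }
    return sum(parts.values())


def seconds_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate of a `bits`-bit search space.
    Expected time to hit a uniformly chosen password is half this."""
    return 2.0 ** bits / rate


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that gives a value >= 1."""
    for unit, size in (("years", 365.0 * 86400), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"


# (label, number of symbols, alphabet size)
CANDIDATES = [
    ("6 chars, any printable ASCII", 6, PRINTABLE_ASCII),
    ("8 chars, any printable ASCII", 8, PRINTABLE_ASCII),
    ("12 chars, lowercase only", 12, LOWERCASE),
    ("20 chars, lowercase only", 20, LOWERCASE),
    ("20 chars, any printable ASCII", 20, PRINTABLE_ASCII),
    ("4 random Diceware words", 4, DICEWARE_WORDS),
    ("6 random Diceware words", 6, DICEWARE_WORDS),
]


def compare(candidates=CANDIDATES, rate: float = GUESSES_PER_SECOND):
    """Return [(label, bits, worst-case seconds)] for each candidate policy."""
    rows = []
    for label, n, alphabet in candidates:
        bits = bits_of_entropy(n, alphabet)
        rows.append((label, bits, seconds_to_exhaust(bits, rate)))
    return rows


def bits_gained_by_extra_chars(length: int, alphabet_size: int, extra: int = 1) -> float:
    """Bits added by appending `extra` random symbols from the same alphabet;
    each one multiplies the search space by `alphabet_size`."""
    return bits_of_entropy(length + extra, alphabet_size) - bits_of_entropy(length, alphabet_size)


if __name__ == "__main__":
    print(f"'Complex' Tr0ub4dor&3-style password: ~{xkcd_complex_pattern_bits()} bits")
    print(f"4 common words (XKCD): ~{bits_of_entropy(4, XKCD_COMMON_WORDS):.0f} bits")
    for label, bits, secs in compare():
        print(f"{label:32s} {bits:6.1f} bits  {human_time(secs)}")
```

The table makes the trade-off concrete: switching a 12 character lowercase password to the full printable alphabet gains about 22 bits, but adding five more lowercase characters gains roughly the same, and the latter is something a user can actually do without writing the result down.  Against a slow hash such as bcrypt, divide the guess rate by several orders of magnitude; the ordering of the rows is unchanged.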

3. Not Using a Password Safe

Many people use the same password for every website because they only want to remember one.  The problem is that once one site leaks it, attackers have it for every other site: credentials from a breach are routinely tried against other services (credential stuffing).  To avoid this you need a set of long passwords that are unique for each website or program you use.

A password safe is the best way of maintaining such a list.  I wrote a detailed article on that some time ago, but the rules are simple:
  • Download a copy of KeepassX in which to store your passwords.
  • Use one long passphrase, generated by a site like Correct Horse Battery Staple, as your password safe key.  This is the one and only password you have to remember, and it protects every other password, so make it the longest of the lot.
  • Use KeepassX to generate long, unique, random passwords for all of your websites.  Since you never have to remember any of these (you just copy and paste them from KeepassX), they can be as long as you like -- 20 characters of random junk is fine.
  • Save your KeepassX file somewhere secure and give the password for that file to your lawyer, to be used only in case of your death.

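
The generation half of that procedure, as an added example rather than anything from the post or from KeepassX itself: a master passphrase built from a word list and a unique random password per site, both drawn from the operating system's CSPRNG via Python's `secrets` module.  The 16-word list is a constructed stand-in for a real Diceware list (which has 7776 words) so that the code runs offline; the site names are hypothetical.

```python
import secrets
import string

# Constructed stand-in for a real word list. The Diceware list has 7776 words
# and gives about 12.9 bits per word; this 16-word sample gives only 4 bits per
# word, so it exists only to make the example runnable offline.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "anvil", "copper", "meadow", "lantern",
    "river", "granite", "velvet", "orbit", "cactus", "pillow", "thunder", "walnut",
]

# 94 printable ASCII symbols (no space): "20 characters of random junk".
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation

MIN_SITE_PASSWORD_LENGTH = 12


def master_passphrase(words=SAMPLE_WORDS, count: int = 6, sep: str = " ") -> str:
    """The one passphrase you memorise: `count` words chosen uniformly with the
    OS CSPRNG (`secrets`), never with `random`, whose output is predictable."""
    if count < 4:
        raise ValueError("use at least 4 words from a large list")
    return sep.join(secrets.choice(words) for _ in range(count))


def site_password(length: int = 20, alphabet: str = SITE_ALPHABET) -> str:
    """A per-site password you never need to remember or type by hand."""
    if length < MIN_SITE_PASSWORD_LENGTH:
        raise ValueError(f"site passwords should be at least {MIN_SITE_PASSWORD_LENGTH} characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_vault(sites, length: int = 20) -> dict:
    """One fresh random password per site, keyed by site name."""
    return {site: site_password(length) for site in sites}


def vault_is_sound(vault: dict, min_length: int = MIN_SITE_PASSWORD_LENGTH) -> bool:
    """Check the two properties the post asks for: every entry is long enough
    and no password is reused across sites."""
    long_enough = all(len(p) >= min_length for p in vault.values())
    no_reuse = len(set(vault.values())) == len(vault)
    return long_enough and no_reuse


if __name__ == "__main__":
    # Hypothetical site names, used only to demonstrate the vault layout.
    vault = build_vault(["example.com", "mail.example", "bank.example"])
    print("master passphrase:", master_passphrase())
    for site, password in vault.items():
        print(f"{site:14s} {password}")
    print("vault sound:", vault_is_sound(vault))
```

The real safe does the same thing with a much larger word list and stores the result encrypted under the master passphrase; the point of the check function is that "long" and "unique" are properties you can verify, not just intentions.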
4. Writing Down Passwords

In a 2003 survey up to 64% of people reported having written down their passwords, and a more recent report indicates that in an average US office up to 40% of passwords can be found on a yellow sticky note hidden under the keyboard or somewhere similar.

Seriously, don't do this.

5. Belief In Regular Password Changes

Another commonly held belief is that forcing users to change their passwords every month makes the passwords more secure.  It doesn't; it just makes users write passwords down more often, or cycle through trivial variations of the old one (Password1, Password2, ...) that anyone holding the old password can guess.

Again, the updated NIST guidelines blow this mistake out of the water: they say verifiers should not require periodic changes at all.  The only reasons to force users to change their passwords are that you believe the password database has been compromised somehow, or some other change that actually improves security (such as upgrading the hash algorithm in use, or raising the minimum password length).  Forcing routine password changes on people just pushes them into less secure password practices.