The humble password has been the subject of critical debates, at the centre of the internet and the cause of many data breaches for consumers and businesses alike.
But what is the best password combination and is it a good idea for organisations to require regular password changes? We spoke to ESET senior research fellow Nick FitzGerald to get insights about how to use the ubiquitous and persistent form of authentication.
Whether for personal or business use, people have gone through the process of choosing a password hundreds if not thousands of times as their activities in the digital realm command.
Be it a combination of numbers, letters, capitals and punctuation – what is the strongest form of password? FitzGerald says it’s all about mathematics.
“Given the rapid increase in computing power, the relevant maths tells us, applying Moore’s Law, long passwords are best. The usual reaction to this is something like ‘longer passwords are much harder to remember, so recommending them is not good advice’. This criticism commonly arises from horrible user experiences with having to remember too many passwords, or randomly-generated passwords like Vgp7^4B>, :F6[fsE\, 3_<R_Kg?, etc.”
He says that the key is to use long, memorable phrases – but not something from music or popular culture. This is because password cracker dictionaries will start to include these as new entries, especially if longer passwords are widely adopted.
“So how long is ‘really long’? I recommend a minimum of twelve characters with mixed-cases and numbers or symbols. Even longer is better, and once you get to about sixteen characters you can probably drop all the other requirements and just use single-case letters. The password on the private key of my personal PGP key-pair is well over this and I’ve felt no need to change it since I created the keys twenty-odd years back. My Wi-Fi password is a nine-word phrase that is over forty characters long.”
He also adds that there are different ways a password can be used for personal and corporate use. For personal use, a 20-character password or shorter password with a strong secondary authenticator - and a password manager - may be enough.
The common eight-character guideline was often the upper limit on password lengths in early operating systems but as cracking tools got stronger, symbols, mixed-case and numeric substitutions were suggested to build more password complexity.
“For corporate use, it may be that different levels of risk mean different policies across the enterprise. That said though, the traditional ‘a minimum of eight characters, at least one upper- and one lower-case letter and one symbol or number’ approach is based on a series of really bad practices that have, sadly, become ingrained in how we do things, often with no good reason,” FitzGerald explains.
In corporate environments, FitzGerald says those are all common criteria.
“The result is that setting and remembering passwords has become a nasty friction point. However, we want people to take user authentication seriously, as all manner of critical business functions depend on the right people, and only the right people, having access to particular data and digital resources.”
He cites the US National Institute of Standards and Technology’s (NIST) Digital Identity Guidelines, which divides authentication into three groups: For example, something you know (a password), something you have (a smartcard) and something you are (a fingerprint).
As multifactor authentication starts to require authenticators from two of the above groups, and as the US Government starts to implement the updated guidelines, FitzGerald predicts that default authentication requirements for desktops and laptop operating systems will change too.
Organisations need to be careful about being too heavy in demanding that employees change their passwords every 30, 60 or 90 days. FitzGerald says that the updated NIST guidelines show that regular password changes promote risky behaviour.
This risky behaviour includes, according to FitzGerald, “Putting a numeral at the end of their password (usually starting with ‘1’) and simply incrementing it at each change, either by replacing it with the next number in the sequence (‘1’, ‘2’, ‘3’, et seq.) or by adding another numeral. Password crackers are presumably aware of this common tactic.”
The NIST guidelines also add a requirement that the password is not an evolving ‘blocklist’ of the most common passwords found in compromises and common sources.
Despite the risky behaviour, why do organisations demand such frequent password changes?
“Regularly changing passwords was also assumed to keep you ahead of the password crackers, although the rise of GPUs and rainbow tables negated that for weak passwords regardless of how often you were changing them. And why are you not allowed to re-use previous passwords? With all the preceding requirements, many users found recalling passwords difficult. Add being dissuaded from writing them down, and many people settled on swapping back-and-forward between two passwords they could remember,” FitzGerald explains.
At the root of all these issues is the human factor, in which user education plays an important role.
“If we stop forcing our employees to change passwords every 60-90 days, and remove from the passwords they do have to remember the arbitrary requirements that research has found are mostly useless, we just might see an overall improvement in user attitudes to the authentication part of the security jungle,” he says.
Even with newer technologies such as voice, gait and expression recognition in development, FitzGerald says the password still has its place.
“The ‘something you know/have/are’ triumvirate is likely to be with us for quite some time, and the password or PIN is probably the lightest-weight to implement and scale, so simple economics suggests we’ll not see passwords disappearing any time soon.”
As for gait and expression recognition, it’s a question of whether they will be resilient and reliable while remaining practical.
“Gait recognition might never be practical for unlocking your laptop, but might be reliable and practical enough to automatically unlock your phone as you pull it out of a pocket.”
It looks like the humble password may be with us for a long time yet.