3 Common Misconceptions About Password Security
By Alex Hamlin
Everyone knows that choosing a strong password is a critical step in securing the various systems and accounts we all use daily. However, you may be surprised to learn that some commonly held beliefs about passwords are more harmful than helpful. This article highlights three of these misconceptions to ensure that you and your business are armed with the right information to keep up with the latest password security best practices.
1. I Have One Very Secure Password. That’s All I Need!
One of the most common misconceptions about password security is that individuals need just one password for all of their websites and systems, but that couldn’t be further from the truth. Consider the following scenario:
Alice uses the same username and secure password to log into three websites:
- a.com
- b.com
- c.com
While a.com and b.com follow security best practices, c.com is not so diligent. Eve, a hacker, compromises c.com, including their database of usernames and unencrypted passwords. Despite Alice’s use of a strong password, Eve is now in possession of Alice’s login credentials, and is able to compromise her accounts on a.com and b.com because they use the same password.
This attack is known as a credential stuffing attack. It is one of the most common ways that account compromises happen. Had Alice used different, equally secure passwords for each of a.com, b.com, and c.com, her accounts on a.com and b.com would still be protected, even after c.com was compromised.
However, using a unique, secure password for every account is easier said than done. The average user accesses dozens of websites per day. That’s a lot of passwords to try and memorize! Thankfully, there are tools called password managers that can help. Password managers are applications that automatically generate and store unique, secure passwords for each website a user visits. All of these passwords are locked behind a single master password, reducing the memorization burden for the user.
Password managers automatically fill in a unique password on each website a user visits, protecting against credential stuffing attacks and saving time spent typing long passwords into login screens. Not many security tools also boost productivity!
Password managers, however, can present a single point of failure, and users should perform due diligence to ensure the specific tool they choose has a stellar reputation and follows security best practices. Additionally, the chosen master password for the password manager must be very strong to keep attackers from accessing all of the passwords stored within the tool.
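The defender's view of the scenario above, as an added example that is not part of the original article: a credential stuffing run shows up in authentication logs as one source trying many different usernames with mostly failures, which is unlike a real user retrying their own account. The log format and the threshold values are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log (not real data): timestamp, source IP,
# username, outcome. 203.0.113.7 walks through many accounts with a leaked
# credential list; 198.51.100.2 is one user mistyping and then succeeding.
SAMPLE_LOG = """\
2023-05-01T10:00:01 203.0.113.7 alice FAIL
2023-05-01T10:00:02 203.0.113.7 bob FAIL
2023-05-01T10:00:02 203.0.113.7 carol FAIL
2023-05-01T10:00:03 203.0.113.7 dave SUCCESS
2023-05-01T10:00:04 203.0.113.7 erin FAIL
2023-05-01T10:00:05 203.0.113.7 frank SUCCESS
2023-05-01T10:00:06 203.0.113.7 grace FAIL
2023-05-01T10:05:00 198.51.100.2 alice FAIL
2023-05-01T10:05:30 198.51.100.2 alice SUCCESS
"""

def parse_log(text):
    """Turn the space-separated log lines into dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": outcome == "SUCCESS"})
    return events

def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag source IPs that attempt many *different* usernames with a low
    success rate (thresholds are assumed, tune them to your traffic).
    Returns {ip: sorted accounts that succeeded from that ip} so those
    accounts can be reset and their owners notified."""
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "hits": set()})
    for e in events:
        s = per_ip[e["ip"]]
        s["users"].add(e["user"])
        s["attempts"] += 1
        if e["ok"]:
            s["hits"].add(e["user"])
    flagged = {}
    for ip, s in per_ip.items():
        success_rate = len(s["hits"]) / s["attempts"]
        if len(s["users"]) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = sorted(s["hits"])
    return flagged

if __name__ == "__main__":
    for ip, hits in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: credential stuffing suspected; reset accounts {hits}")
```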
Keep reading to learn some of the common misconceptions around password security, and how to ensure your master password is secure.
2. Complex Characters Are The Most Important Part of a Secure Password
“Your password must contain lowercase letters, uppercase letters, numbers, special characters, a day of the week, the title of a novel, your favorite ice cream flavor…”
We’ve all seen password requirement prompts with a plethora of conditions that can be challenging to satisfy. These requirements have even been satirized as online puzzle games.
While these prompts may sometimes seem unnecessarily demanding in their requests for multiple character types, there's a good reason for it. Using a wider array of characters increases the range of possible passwords, making them harder for attackers to guess. That said, complex characters are not the most important part of a strong password.
When it comes to choosing a secure password, length is actually the most important component. Each additional character in a password exponentially increases its security. In fact, length is so important to a strong password that some experts have argued that we should stop using the word “password,” and instead call them “passphrases,” to encourage the use of more than one word. Passwords (or passphrases) made up of multiple, random words are easier to memorize, easier to type, and tend to be even more secure than shorter, more complex passwords.
Consider the chart below, published by Hive Systems, which shows the amount of time required for an attacker to brute force a password in 2023. In this chart, an easy-to-memorize password made up of a set of random words such as AspenDogTurqoise would take an attacker 713 years to brute force, whereas a hard-to-memorize password such as L6!h;’3[ could be brute-forced in only five minutes.
A great way to combine length and character complexity is to use a full sentence as a password, complete with capitalization and punctuation. It’s important not to use a common phrase or famous quote, as those can be easy to guess. Rather, make up a nonsense sentence that will be easy to remember, like Wow, 6 pink cats! This passphrase would take 380 billion years to brute force according to the chart above!
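To see why length beats character variety, the following added example (not part of the original article or the Hive Systems chart) sizes the brute-force search space for the three passwords discussed above. The guess rate used for the time estimate is an illustrative assumption, so the years will not match the chart's figures; the ordering of the three is what matters.

```python
import math
import string

# Character classes counted the way a brute-force search space is usually
# estimated: whichever classes a password uses, the attacker must try every
# character in those classes at every position.
CLASSES = {
    "lower": set(string.ascii_lowercase),      # 26
    "upper": set(string.ascii_uppercase),      # 26
    "digit": set(string.digits),               # 10
    "symbol": set(string.punctuation + " "),   # 33 printable ASCII symbols incl. space
}

def charset_size(password):
    """Size of the alphabet an attacker must search, given the classes used."""
    size = 0
    for chars in CLASSES.values():
        if any(c in chars for c in password):
            size += len(chars)
    if size == 0:
        raise ValueError("password uses no recognised ASCII character class")
    return size

def search_space_bits(password):
    """log2 of the number of candidates: length * log2(alphabet). Every extra
    character multiplies the space by the alphabet size, which is why adding
    length outweighs adding character classes."""
    return len(password) * math.log2(charset_size(password))

def years_to_exhaust(password, guesses_per_second=1e11):
    """Worst-case time to try every candidate at an ASSUMED guess rate.
    The rate is illustrative only and is not the figure behind the chart."""
    seconds = 2 ** search_space_bits(password) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)

# The article's three examples (the curly quote in the first is typed here
# as a plain ASCII apostrophe).
EXAMPLES = ["L6!h;'3[", "AspenDogTurqoise", "Wow, 6 pink cats!"]

if __name__ == "__main__":
    for pw in EXAMPLES:
        print(f"{pw!r:22} len={len(pw):2} alphabet={charset_size(pw):3} "
              f"bits={search_space_bits(pw):6.1f} years={years_to_exhaust(pw):.3g}")
```

The 16-letter passphrase has a smaller alphabet than the 8-character mixed password but far more candidates, and the 17-character sentence combines both advantages.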
3. Passwords Should Be Changed Often
For many years, security experts have advised that users should change their passwords regularly, as frequently as once every 90 days. The logic behind this advice is that users often use the same password in multiple places, placing them at risk of compromise and credential stuffing attacks (see above). As such, proactively and regularly changing passwords was believed to be helpful in stopping this sort of attack in its tracks.
However, this advice has recently been challenged, with new research finding that the security benefits of regularly changing passwords are minimal. It turns out that when users are forced to change their passwords regularly, they change them in very predictable ways, such as incrementing a number at the end of the password or substituting one special character for another. This predictability allows attackers to still succeed at credential stuffing attacks by trying just a small number of variations on the stolen passwords.
What’s more, the practice of regularly changing passwords can result in users choosing weaker passwords that are easier to memorize (and easier for attackers to guess). Such frequent password changes can also create an administrative headache for companies trying to promote a strong security culture.
This research led the National Institute of Standards and Technology (NIST) to revise its guidance in Special Publication 800-63B to advise against arbitrarily expiring passwords. Additionally, Microsoft has removed the ability to set arbitrary password expiration in some of its software, and the FTC has published a fantastic summary of the research and changing guidance in this area.
It’s still important to defend against credential stuffing attacks, but the use of unique passwords, made easier with the use of password managers, is a significantly stronger defense. That being said, it is still important for users to change their passwords if they ever have reason to believe a password may be compromised.
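Where a password change is required (after a suspected compromise, for instance), a system can refuse the predictable variants described above at change time, when the user supplies both the old and the new password. This added example is not from the original article; the substitution table and the notion of a password "core" are assumptions for illustration.

```python
import re

# Common keyboard substitutions users make when asked to "change" a
# password, e.g. Summer2023! -> Summ3r2023! (assumed table, extend as needed).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

def core(password):
    """Reduce a password to the part a user actually remembers: drop leading
    and trailing digits/symbols (the part that gets incremented or swapped),
    lower-case it, and undo leet substitutions."""
    stripped = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    if not stripped:              # all-digit or all-symbol password: keep as is
        stripped = password
    return stripped.lower().translate(LEET)

def is_predictable_change(old, new):
    """True when the new password is a trivial variant of the old one and the
    change should be rejected: anyone holding the old password would try it.
    Catches Summer2023! -> Summer2024!, Summ3r2023!, summer2023?, 2023Summer!
    and old-password-with-something-bolted-on."""
    if old == new:
        return True
    if core(old) == core(new):
        return True
    lo, ln = old.lower(), new.lower()
    return lo in ln or ln in lo

if __name__ == "__main__":
    pairs = [("Summer2023!", "Summer2024!"), ("Summer2023!", "Summ3r2023!"),
             ("P@ssw0rd1", "Password!"), ("Summer2023!", "Wow, 6 pink cats!")]
    for old, new in pairs:
        verdict = "REJECT" if is_predictable_change(old, new) else "accept"
        print(f"{old!r} -> {new!r}: {verdict}")
```

The check only covers the trivial-variant pattern; a separate length and breached-password check still applies to the new password on its own.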
Conclusion
Despite being integral to our digital lives, passwords are still a relatively new phenomenon, and the research around what makes them secure is rapidly evolving. This means that what is considered the height of password security today may not be the same a year from now. It’s critical that we stay up to date on the latest best practices and remain open to having our preconceptions challenged. Doing so will help us continuously improve the security of our businesses, our operations, and our own personal lives.
Alex Hamlin, a member of ALTA’s Information Security Work Group, is head of information security for Qualia Labs Inc. He can be reached at [email protected].