Trying to make passwords more secure can often end up having the opposite effect, for two main reasons:
- When people are faced with complex rules — at least one uppercase letter, number, symbol etc. (we’ve all been there) they will do the simplest thing possible. Most users will capitalise the first letter in their password, or all of them, and add a “1” to the end. Sound familiar?
- Complex passwords made up of random generated characters are much easier for a computer to guess than for a human to remember.
For evidence of how people choose passwords, you need look no further than the 10,000 most common passwords discovered in security breaches, as published on Github or this page on Wikipedia. As I write, the second most common password is “password”,“Password” is number 176, “password1” is at 207, “PASSWORD” is at 710, and “Password1” checks in at 2968.
In Top of the Pops fashion (for those of you who are old enough), here’s the current top 20:
As for the relative ease with which a computer can guess a random string as opposed to a well-crafted passphrase (see more on using these below), XKCD tells that story better than we could.
We don’t do what we’re told, and that can cause big problems
No matter how many times people are told never to use the same password across many sites and services, most still do just that. It’s human nature to take the quickest and easiest option, and the one that means we won’t forget our passwords and get locked out.
When dxw cyber carries out attack simulations, we search published data breaches for details of known users to help us identify the passwords they use to log into other places. When we find their passwords, we try them out against their accounts in the system we’re targeting.
During a recent attack simulation, this simple password lookup — that requires no technical skills at all — gave us access to the entire system at the highest possible level.
So what’s the good news (or help, what should I do now)?
Once you understand how people interact with a system, and the reasons why the rules don’t result in the right kind of behaviour, you can take a different approach.
Some tips for individuals
As an individual you should:
- swap passwords for passphrases: combinations of meaningful words in a string. They are easier to remember than complex character strings and, if they are long enough, harder to crack. You can generate these with online tools like this one, inspired by XKCD. We definitely recommend this approach to ensure the phrases are truly random
- use a password manager: these are applications that act like a secure vault, where you can store all your logins and passwords. Most will also generate passphrases for you when creating a new login or updating an old one. Speaking of which, you should also…
- update all your logins with randomly generated passphrases: this might take you a bit of time, but it’s worth it. Start with the most sensitive things like email, financial and medical accounts, and update the others when you use them
Some tips for businesses
As a business, you should:
- update your password policy and systems so people can use passphrases. Many policies require symbols and numbers, which do little to guarantee security (as we explained above)
- select a suitable password manager for your staff, and train them in how to use it
- once the policies and tools are in place, make sure all users update their passwords. If you have lots of users, we recommend you do this gradually
- read the National Cyber Security Centre’s guidance on updating your approach to your password policy
Finally, as an individual or a business, you should always enable two-factor authentication (2FA) when it’s available.
2FA means you need to provide two ways of proving your identity. It’s used all the time by organisations like banks, for example, to take money from a cash machine, you need the card and your PIN. To log into your online banking application, you need your account details and a one-use time-limited code, generated by a custom gadget or sent by text.
Once you’ve done all that, we probably won’t know your password (but you still need to watch out for phishing).
A passwordless future
Humans are not good at passwords, but computers are. So maybe the long-term solution is to get rid of passwords and replace them with stronger ways of proving your identity, such as passwordless “magic” links or QR codes. We also expect to see an increasing use of standards like WebAuthn, which can be used to help prove your identity at the touch of a button, while also protecting you from phishing attacks.
We’ll blog more about this soon.
P.S. If you want to hear directly from Glyn Wintle, our CTO, about all things password related, here’s his talk at Ignite London 7.