
What is in a Password

Passwords are ubiquitous in modern information security, so much so that we rarely stop to consider whether our current password policy is still adequate. It was good enough five years ago, or ten years ago, or fifteen years ago when we put it in place! Unfortunately, the continued rapid advancement in offensive cyber capabilities may have left your comfortable, familiar standard in the dust.

Is your company still using an 8-character password? That is the standard, right? An 8-character password and we are good: we use complexity, and we require passwords to be changed every 90 days. We are cutting edge!

Perhaps not so much. There are several things wrong with this approach today, but many companies are stuck in 1995.

The first problem is that password cracking algorithms and raw computing power have advanced enormously since the time when the 8-character password was set as the normal minimum. We all appreciate the business advantages of Moore’s law and enjoy looking at our Pentium processors in the Intel museum. Moore’s law has worked for the bad guys too, though, and they have put it to use with extreme effectiveness in the modern hacker toolkit, including password crackers. Your normal 8-character password can now be cracked on a laptop in seconds, even with some complexity.

Take just one online password tester, online-domain-tools.com, and a reasonably complex password, Mys0ngs!. What are the estimates? It is 8 characters and has capitals, lower-case letters, numbers, and a special character. Wunderbar! Let’s see. With a medium-sized botnet at your disposal you can crack that in under a minute. It is perhaps still relatively safe from a laptop-based brute-force attack, but it is probably susceptible to a dictionary-based laptop attack in short order. For the Defense Industrial Base (DIB) this is even more worrisome, since adversaries may have access to much more sophisticated tools and computing power.

What about changing it every 90 days? Doesn’t that help? Wouldn’t 30 days be even safer? It sounds like it would, but in reality most studies show that requiring frequent password changes generally causes more harm than good. Some National Institute of Standards and Technology (NIST) guidelines today even recommend not having an expiration period for passwords and changing them only as needed. Others, however, like NIST 800-171, which all DoD contractors are required to adhere to, do require it. That said, shorter expiration is not better. One research paper from the Carleton School of Computer Science said it well: “Many security policies force users to change passwords within fixed intervals, with the apparent justification that this improves overall security. However, the implied security benefit has never been explicitly quantified. In this note, we quantify the security advantage of a password expiration policy, finding that the optimal benefit is relatively minor at best, and questionable in light of overall costs.”

Some companies have shortened the expiration time because it is easier than extending the length of the password to add security. This is exactly the wrong approach. The prime directive on passwords is that, no matter what, longer is better. Length is the single most important characteristic of the security of a password. Even without complexity like adding a special character, longer is better, and short reset periods only encourage users to defeat security principles by choosing easy-to-crack passwords, writing them down and posting them, and reusing the same weak passwords repeatedly.

So, what should companies and individuals be thinking of when setting their passwords? Here are some quick hints on how you might easily craft memorable passwords that are very hard to crack.

  • Think in terms of a phrase instead of a word. What are your favorite phrases? The boss always says “What is this? A holiday?” so perhaps Whatisthis?Aholiday?

  • Use your favorite songs. Like the “The Sound of Music”? Ok so probably nobody but me likes it, but you have still seen it and remember some of the songs. “Doe a dear a female dear, Ray a drop of golden sun” could be Dadafd1970Radogs! Or it might be doeadearaf@1965 or… several ways to play that, but try it! These can become fast and easy to remember.

  • Use famous quotes. 1945Neverevergiveup…. if you like Winston Churchill.

  • Keep in mind that using special characters is always good, but length is the most important attribute. According to some research, [ and ] are the two least used characters in passwords, which makes them great to use. Give them a try along with the other assortment of less common special characters like {+^ etc. [Everythingisap!] would take several trillion years to crack with current technology.

  • Shift your methods. Having Mypassword2019 and updating it to Mypassword2020 is not a good plan. Hackers, particularly high-end nation-state hackers looking for the weak link can take your password from a previous breach, let’s say MyNetflixPassword2019 and see how MyMarriottPassword2020 works. There are even some new automated algorithms that can spot patterns and try variations automatically using AI/ML techniques. Soooo, use this as a chance to change up your methods.

Along with the things to do in making your passphrases, here are some things NOT to do:

  • Don’t use keyboard patterns. Qwertyuiop is on the list of top 100 passwords and will be a standard guess in any password-cracking attack. 1q2w3e4r5t is not good either.

  • Don’t use extremely common phrases. Password12345 is a good example. Iloveyoualways1 might be another. Forbes has a nice article on the top 100 worst passwords for 2020.

  • Don’t use your name, your birthday, or your company name in your password.

  • Don’t use the same password for everything. In the modern world this is hard, when everything needs a password. Consider using more complex passwords for your higher risk activities like your company login and your bank accounts. If you use a very complex password but use the same one everywhere you greatly increase the possibility that it will be leaked in someone else’s breach. You don’t want your #CompanyHackedYesterday password to be the same as your bank account.

  • Think your account has never been seen on the dark web? Try entering your email at Have I Been Pwned and see.
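The don'ts above, together with the "shift your methods" hint and the length-over-complexity point, as an added example that is not part of the original article: a Python check a password-change form could run. The denylist, the 15-character minimum, and all function names are assumptions chosen for illustration.

```python
import math
import re
import string

# Constructed sample denylist; a real deployment would load a far larger one.
COMMON = {"password12345", "iloveyoualways1", "qwertyuiop", "1q2w3e4r5t"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_LENGTH = 15  # assumed policy value, not taken from the article


def search_space_bits(pw):
    """Brute-force search space in bits: length * log2(alphabet in use).
    An upper bound only; it says nothing about dictionary attacks."""
    pools = (string.ascii_lowercase, string.ascii_uppercase,
             string.digits, string.punctuation)
    alphabet = sum(len(p) for p in pools if any(c in p for c in pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def has_keyboard_run(pw, run=5):
    """True if pw contains `run` adjacent keys from one row, in either direction."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in low for i in range(len(seq) - run + 1)):
                return True
    return False


def skeleton(pw):
    """Lower-case and collapse digit runs, so a bumped year does not count as a change."""
    return re.sub(r"\d+", "#", pw.lower())


def check_password(candidate, previous=None, personal_terms=()):
    """Return the list of rules the candidate breaks (empty list means accepted)."""
    problems = []
    low = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if low in COMMON:
        problems.append("common password")
    if has_keyboard_run(candidate):
        problems.append("keyboard pattern")
    if any(t.lower() in low for t in personal_terms if t):
        problems.append("contains personal or company term")
    if previous and skeleton(candidate) == skeleton(previous):
        problems.append("variation of previous password")
    return problems
```

The variation check only catches changed digits, as in Mypassword2019 to Mypassword2020; it does not catch a swapped site name inside an otherwise identical pattern.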

Relating this to Defense Industrial Base (DIB) security challenges and compliance, perhaps it is time to take another look at your password policy. Compliance standards do mandate password expirations, but a shorter time does not improve your security. It can actually make things worse! Length is the best protection, so if you can, make passwords longer, and then consider lengthening rather than shortening the interval at which your users have to change them.