Ars Technica recently posted an article about modern password cracking capabilities. Many of the commenters on that article have clearly seen the original xkcd comic about password complexity. The Ars Technica article really highlights the sorry state of password security today.
If passwords are so weak, then password “best practices” are just an exercise in futility, especially as cracking capability improves. At the very least, current password “best practices” need review. They were established when users had fewer accounts and cracking capability was in its infancy. Given the rather bleak prospects of passwords, I don’t think the traditional password “best practices” really make much sense anymore. Instead, I propose a more practical set of “good practices” that should tide password users over until sites start adopting newer forms of authentication. These “good practices” are much more realistic and easier for average users to adopt.
* GROUP TOGETHER LOW-RISK SITES THAT SHARE A PASSWORD
First, you need to evaluate your accounts to determine which ones are low-risk. A low-risk account is one where the consequences are limited if an unauthorized user gains access. A compromised low-risk account would be annoying, but you would have no urgent need to recover access. Think of sites like video games, weblogs, clubs, or even various streaming sites. I’d even say social media sites are low-risk, but some might argue otherwise.
Your goal is to reduce the number of passwords that you need to manage. Reducing the password burden allows you to make use of stronger passwords. You might find that you actually visit a lot of low-risk sites, so you shouldn’t waste time and effort memorizing unique strong passwords for each one. One decent password can easily cover numerous low-risk accounts.
However, you do want to compartmentalize any damage. If one site gets hacked, then all sites that share the password are suspect. Therefore, don’t assign all of your low-risk sites to one password, because you’re exposing that password to more frequent attacks, and if the password leaks out, you’d have to update your password on many more sites. But five or six sites to a password works quite well.
Also, try to determine how frequently you use each account. Sites that you rarely use should probably share a password with many others, or else you’ll likely just forget the password. On the other hand, sites that you frequent can be part of a smaller group with a stronger password, since you’ll have a lot of practice entering those passwords.
High-risk accounts have more at stake, but some of these accounts (such as utility bills) may still be eligible for password sharing, as long as the groups are small. High-risk accounts (typically in finance, health, or safety) are worthy of the strongest passwords that you can handle. At the top of the chain of risk is your E-Mail account, which should never share a password with any other account. Your E-Mail address is your one true network identity, and handles reset/recovery for pretty much every other account.
My last post gave a naive overview of password complexity; in reality, passwords typically contain a lot less entropy because people tend to choose passwords that are easy to remember. Less entropy means fewer combinations for a given length. To reach its theoretical strength, a password needs maximum entropy. And to get maximum entropy, a password must consist of completely random characters where every allowed symbol has an equal probability of showing up.
You can try to come up with your own random password, or maybe you want to get fancy and pull a random set of characters from three entropy sources, then shuffle them together. But for most cases, you can just use some software to generate a random string. We’ve even created a simple client-side password generator for your convenience. Just avoid any results that resemble dictionary words, even if they have character substitutions (such as a ‘3’ for the letter ‘e’). If you get a result that resembles a word, re-roll it! And remember: size is important. High-risk accounts should use the longest passwords, preferably at least 12 characters.
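The generation rules above (every symbol equally likely, re-roll anything that resembles a word even after substitutions, at least 12 characters) written out as an added example. It is not the generator this post links to; the alphabet, the tiny word list, the substitution table and all function names are assumptions made for illustration.

```javascript
// Browsers and recent Node expose Web Crypto globally; older Node needs the fallback.
const rng = globalThis.crypto ?? require('node:crypto').webcrypto;

// Assumed alphabet: 62 alphanumerics plus 12 symbols = 74 characters.
const ALPHABET =
  'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*-_=+';
// Constructed stand-in for a real dictionary file.
const WORDS = ['password', 'dragon', 'monkey', 'letmein', 'secret', 'love', 'admin'];
// Common character substitutions, undone before the dictionary check.
const LEET = { '0': 'o', '1': 'l', '3': 'e', '4': 'a', '5': 's', '7': 't',
               '@': 'a', '$': 's', '!': 'i' };

// Uniform index in [0, n). A plain `byte % n` favours low indexes whenever
// 256 is not a multiple of n, so bytes at or above the last full multiple
// are discarded and redrawn (rejection sampling).
function uniformIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do { rng.getRandomValues(buf); } while (buf[0] >= limit);
  return buf[0] % n;
}

// True if the candidate contains a dictionary word once lower-cased and
// with substitutions such as '3' for 'e' reversed.
function resemblesWord(candidate, words = WORDS) {
  const plain = [...candidate.toLowerCase()].map(c => LEET[c] ?? c).join('');
  return words.some(w => plain.includes(w));
}

// Theoretical strength in bits; only valid for uniformly random characters.
function entropyBits(length, alphabetSize = ALPHABET.length) {
  return length * Math.log2(alphabetSize);
}

function generatePassword(length = 12, alphabet = ALPHABET) {
  if (alphabet.length < 2 || alphabet.length > 256) {
    throw new RangeError('alphabet size must be between 2 and 256');
  }
  for (;;) {
    let out = '';
    for (let i = 0; i < length; i++) out += alphabet[uniformIndex(alphabet.length)];
    if (!resemblesWord(out)) return out; // re-roll on a dictionary hit
  }
}
```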
Conventional wisdom suggests that, if a password is easy for you to remember, it’s easy to crack as well. Therefore, the best passwords are hard to remember. But are they really that hard to remember?
* WRITE DOWN PASSWORDS UNTIL YOU HAVE TRAINED YOURSELF TO USE THEM
The best way to learn any new password is to just use it! The more you use it, the more it sticks in your mind. (That’s why you should group infrequently accessed accounts together with shared passwords. You get to use each password more frequently, which greatly improves retention.)
Unfortunately, learning a long and random password is very difficult under the current password “best practices” because they discourage users from keeping hard copies of their passwords. The user has to create and remember a complicated new sequence without any external assistance, which is very mentally taxing.
In reality, writing down a password isn’t so bad, as long as nobody else ever sees the password. Therefore, if you create a super strong password, write it down until you’ve used it enough to recall it on demand. Every time you use the password, you reinforce the memory. To speed up the process, you can practice typing in the password for a few minutes until you’ve impressed the character sequence in mind and body. You can also speak/whisper the letters as you type them if voicing the password helps you remember (as long as nobody is listening).
If you’re going to record the password, try to use pen and paper (like on a small post-it note) instead of storing it on a computer, and definitely don’t store it online. Ideally, you should keep the physical hard copy close to you – maybe in your wallet or a locked drawer. Then, to be safe, you should destroy the hard copy as soon as you’ve learned the password, especially for high-risk accounts. Find a shredder, a fireplace, a vat of black dye, or some concentrated bleach – use your imagination – to destroy the written record, just like the good old days of information repression!
* DON’T CHANGE PASSWORDS UNLESS THE PASSWORD HAS ACTUALLY BEEN COMPROMISED
I come across many password “best practices” that suggest periodic changes to the password. To this day, I still don’t understand how this questionable “best practice” became gospel, and I also don’t understand why people continue to propagate it. The only reason why you would ever need to change your password is if an unauthorized user managed to learn the password. If the user already had a strong password, he would just be wasting a perfectly effective password and all the effort spent learning it. And the new password may not even be as strong as the old one! Furthermore, changing passwords doesn’t necessarily increase security; if anything, frequent changes decrease security because users will end up selecting easier passwords to limit the overhead of learning truly strong passwords.
A few years back, a Microsoft researcher wrote about the futility of periodic password changes. Basically, the moment a hacker steals a password database, the clock starts ticking. He must use the data before the security team discovers and nullifies the attack. If he plans to sell account data on the information black market, he needs fresh data, because the data loses much of its value once the victim discovers and responds to the intrusion.
Periodic password changes strain a user’s mental capacity and add tremendous overhead in account management time and effort. But if you change a password and nobody is there to witness the previous one, has it really changed? In this case, no. Regardless of how often you change your password, a successful attack will expose your current password. The hacker is not going to save your password for use in the future because the site will soon discover the attack and force you to change your password. Therefore, unless you change your password every few minutes, unprompted password changes will not disrupt any attacks.
However, when an unauthorized user gets access to your password, you will eventually find out, so save yourself the pain and futility of constant password rotations. The better solution is to train yourself to recall a few very strong passwords, and only change a password if it somehow leaks out into the wild. Since you won’t change passwords very often, you can train yourself to use much stronger passwords.
* MOST IMPORTANTLY, PREPARE FOR THE INEVITABLE PASSWORD THEFT
As I’ve said in the past, good passwords may be hard to crack, but they are still vulnerable to other attacks: phishing, key-logging, or simply attacking a site with weak security. And unfortunately, as the Ars Technica article pointed out, cracking capability grows over time, so even good passwords have a limited lifespan.
It doesn’t matter how strong your password is or how good your personal password practices are. In the end, assume that malicious users will always be able to find a way to gain access to your password. Therefore, don’t sit on your ass and think that anyone is invincible on the net. Take some responsibility for your own identity. Assess your security needs, compartmentalize the potential damage, and have a plan to respond to loss of identity.
That’s right, you need to come up with a worst-case scenario plan! If you know your accounts, their relative risks, and the way you group them by password, then you can easily come up with countermeasures when something goes wrong. Then you’ll have a quick and decisive reaction to any breach. Having a plan for the worst case scenario is the final step to true security.