Is there anything more likely to make a non-techie yawn than a lecture about passwords? “Make them hard!” “Don’t put them on sticky notes!” “Change your passwords like you change your underwear!” So much lecturing when people just want to get into their online accounts! Well, guess what, my friends. That advice is actually pretty outdated. Let’s talk about real-world, up-to-date dos and don’ts for passwords!
Passwords: So Last Decade
Quite a bit of the old advice out there is either based on old technical limitations or a lack of understanding about how people actually think. For example, requiring frequent password changes—this is NOT necessary.
Passwords Are Not Underwear
According to the National Institute of Standards and Technology (NIST)—the US government department that provides some of the most well-recognized, current advice on digital identity—websites that require users to reset their passwords every few weeks or months are just causing people to use (and reuse) easily cracked passwords. Should users change their passwords after a breach? Yes, definitely. Should they change their passwords every month? No. The way NIST puts it, “Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future.” So, yeah, requiring frequent changes does not have the effect people think it should.
Hard for a Computer, Not for a Human
Did you ever see someone stuck with a password like “$*&fas09iur3jfsk#” that they created because of requirements to use letters, numbers, and certain other characters? Yes, that’s a fine password if a site allows for it, but you know what else really works? “My cowlick speaks batteries.” Or “My cat paw no tail!” Those are passphrases, and a nice long passphrase is actually better for most people than a random character generator. (The smart folks at NIST said that, too.) Just make sure the passphrase isn’t actually a grammatical sentence and you’re golden.
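To show what “long, random, and not a sentence” looks like in practice, here is a small passphrase generator. It is an added example, not code from NIST or from this post; the word list is a constructed stand-in for a real published list (EFF’s diceware list has 7776 words), and the entropy math simply counts how many equally likely phrases the generator could have produced.

```python
import math
import secrets

# Constructed sample word list, only so the example runs offline.
# A real generator draws from a large published list (e.g. EFF's 7776-word diceware list).
SAMPLE_WORDS = [
    "cowlick", "battery", "speaks", "paw", "tail", "lantern", "marble",
    "copper", "velvet", "thistle", "orbit", "harbor", "pickle", "saddle",
    "quartz", "ember",
]


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Entropy (bits) of word_count words drawn uniformly, with replacement,
    from a list of list_size words: log2(list_size ** word_count)."""
    return word_count * math.log2(list_size)


def words_needed_for(target_bits: float, list_size: int) -> int:
    """Smallest number of words from a list of list_size that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int = 6, words=SAMPLE_WORDS, sep: str = " ") -> str:
    """Pick word_count words with the OS CSPRNG (secrets, never random).
    Random picks are what keep the phrase from being a guessable sentence."""
    if word_count < 1:
        raise ValueError("word_count must be at least 1")
    return sep.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase)
    print(f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 6):.1f} bits from this toy list")
    print(f"{passphrase_entropy_bits(7776, 6):.1f} bits from a 7776-word list")
    print(f"{words_needed_for(64, 7776)} words from a 7776-word list reach 64 bits")
```

The toy list is far too small to protect anything (16 words gives only 4 bits per word); the point is that strength comes from list size times word count, not from the words looking weird.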
Reality of Recording
It’s been a long-standing tradition to mock people who write their passwords on sticky notes and put them on their computers. But that said, if I had to choose between a person who is more comfortable writing their passwords in a little black book they keep in a drawer at home near their computer and someone who uses a single password for all their accounts because technology is hard, then by all means! Bring out the book! This really boils down to a question of what risk you are trying to manage—someone physically breaking into your house and stealing your passwords, or someone hacking accounts online.
The Brave New Password World
If frequent password changes, gobbledygook passwords, and physically recording passwords somewhere are the old guidance, is there anything new? Why yes, yes there is! Well, relatively new. Let’s start with my personal favorite, multifactor authentication.
Multifactor or Second Factor Authentication (MFA or 2FA)
If a website or service is doing The Right Thing, then just asking you for your password isn’t going to be enough to get you in. It should also ask you for another piece of information, either a one-time code it sends you, a scan of your fingerprint, or even a code from an authenticator app like Google Authenticator or Authy. This is called either second-factor authentication or multifactor authentication (2FA is a subset of MFA; there are Super Top Secret Secure sites out there that will require a third or even fourth factor. Multiple factors are a thing.)
There’s a really good reason for requiring at least one additional factor.
Let’s say that your username and password were hacked. If the hacker has that, and MFA wasn’t enabled, then they can just waltz in and do whatever they want. If it’s your banking password, then there goes your money as they transfer it away. If it’s your language learning app, there goes your progress as they delete your account. And so on.
But if MFA has been enabled, then even with the password, the hacker is kinda stuck. There is a short-lived piece of information they don’t have, and that’s a way harder nut to crack. Can it be done? Yes, there are techniques that will help a hacker work around MFA security. But that has to be very targeted to an individual; wide-scale account compromises become way harder.
Screening Your Own Passwords
The moment has come. It’s time to set a password. For some reason, you aren’t using a passphrase (probably because outdated sites are limiting the number of characters you can use for your password. Bad site! Bad! No biscuit!) You might want to just do a quick check that you aren’t using one of the really super common passwords out there.
Wait, you’re not a hacker! How are you supposed to know what other people’s passwords are? As it turns out, lots of people tend to use the same passwords. There are websites dedicated to sharing the top 10, 20, or even top 100 common passwords out there on the Internet. Even baby hackers can pick up that list and have a decent chance at hacking into a bunch of accounts. It won’t take but a moment for you to do a quick scan of those lists to see if the password you set your heart on (don’t say ‘qwerty,’ don’t say ‘qwerty’) is on the short list of common passwords out there.
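Sites can do this same scan for you at sign-up, which is exactly what NIST’s current guidance asks for: compare the new password against a list of commonly used or breached values and reject it if it is there. Here is an added example of that check, written for this post rather than taken from any site’s code; the blocklist is a constructed dozen entries standing in for the real top-100 (or top-million) lists, and the length limits are the NIST SP 800-63B figures.

```python
import unicodedata

# Constructed sample blocklist standing in for a published common-password list.
# A real check loads a much larger list or queries a breach corpus.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "12345678", "111111", "letmein",
    "iloveyou", "admin", "welcome", "abc123", "monkey", "dragon",
}

MIN_LENGTH = 8    # NIST SP 800-63B minimum for user-chosen passwords
MAX_LENGTH = 64   # NIST: sites should accept at least this many characters


def normalize(candidate: str) -> str:
    """NFKC so look-alike Unicode forms compare equal; lowercase so 'Qwerty' hits 'qwerty'."""
    return unicodedata.normalize("NFKC", candidate).lower()


def strip_decorations(s: str) -> str:
    """Drop the trailing digits/symbols people bolt onto a common word
    ('password1!' -> 'password') so those variants still hit the list."""
    return s.rstrip("0123456789!@#$%^&*.?")


def screen_password(candidate: str, blocklist=COMMON_PASSWORDS) -> list[str]:
    """Return the reasons to reject the password; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    norm = normalize(candidate)
    if norm in blocklist:
        reasons.append("on the common-password list")
    elif strip_decorations(norm) in blocklist:
        reasons.append("a common password with digits/symbols tacked on")
    if candidate and len(set(norm)) == 1:
        reasons.append("a single repeated character")
    return reasons


if __name__ == "__main__":
    for sample in ["qwerty", "Password1!", "aaaaaaaa", "My cat paw no tail!"]:
        verdict = screen_password(sample)
        print(f"{sample!r}: {'OK' if not verdict else ', '.join(verdict)}")
```

Notice what is not in here: no “must contain a symbol” rule and no expiry date. Length, a blocklist, and MFA do more good than composition rules, which mostly produce “Password1!”.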
Password Managers
Password managers are MY FAVORITE THING, at least when it comes to basic Internet security hygiene. This is the electronic version of the Little Black Password Book mentioned earlier. Even with the use of passphrases and MFA, it’s still a really good idea to use different passwords for different sites. The thing is, that really adds up! One study out there says that the average person these days has around 100 passwords to worry about. That’s just too many to remember.
Some mobile devices have a built-in password manager. Some web browsers do, too. The trick is to find a password manager that actually lets you work across platforms and devices. Probably the top-rated ones out there right now are LastPass (which has both a free and a premium version) and 1Password (which is entirely subscription-based, and is rated pretty highly, too).
One bonus to a good password manager is that they’ll actually do the password screening described earlier for you.
The Future of Passwords
If you talk to people who actually work in the digital identity and cybersecurity space, they will tell you how much they want passwords to just not be a ‘thing’ anymore. The good news is that there is a LOT of work underway to make that dream a reality. One particular effort coming out of the FIDO Alliance really looks brilliant. In that brave new world, a user can unlock the security by “swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.”
Technology is constantly evolving. The guidance you may have learned when you first started surfing the web is probably out of date. For that matter, the guidance you learn today might eventually become obsolete thanks to efforts like FIDO making passwords entirely a thing of the past. Keep your eyes open!