Ignore everything you’ve learnt about strong passwords

It doesn’t feel so long ago that the only passwords I had to remember were my login to my Windows NT desktop at work (big beige box), the pin code for my phone (big silver brick) and perhaps the combination for my gym locker. Ok, maybe that last one I didn’t use as often as I should have.

I now yearn longingly for those halcyon days to return.

Fast-forward 20 years or so and it seems we never go more than a few minutes in any given day without punching a password or pin code into some system or other, be it at work on our laptops, websites, smartphones, business systems etc., and the burden of trying to remember which password goes with which service, given the sheer volume we need to remember, is a heavy one to say the least.

The situation is not helped by the fact that so many of the systems we use every day require us to use so-called complex passwords. I’d love to be able to use ILOVECATS as my Amazon password but no, I’m forced to use something like C4tsR00L! instead*. More difficult to remember but more secure, and so better at keeping the bad guys from breaking in and buying stuff from my Amazon account though, right? Wrong.

Both NIST (National Institute of Standards and Technology) in the US and NCSC (National Cyber Security Centre) in the UK have recently released statements supporting research that suggests that, rather than aiding good security, complex passwords are considerably less secure than we once thought. Why? There are several reasons; here are a few:

  1. Complex passwords are difficult to remember, meaning we’re more likely to write them down to avoid forgetting them. A password written on a scrap of paper that then falls out of a wallet/purse when you’re paying for your shopping is worse than useless, especially if you also write on that scrap of paper the service the password is for.
  2. Short passwords, regardless of their complexity, can be cracked by a computer quicker than you might think, as you’ll see below.
  3. With so many complex passwords to remember, we may try to make things easier for ourselves by using the same password for multiple systems, meaning one lost password could mean multiple systems being compromised.

Many of the rules that accompany these complexity requirements, e.g. the requirement for enforced and regular password changes, cause similar issues and only increase the number of passwords we need to remember, ultimately reducing and not improving security.

So, what do NIST & NCSC suggest we do about it? The solution may be rather unintuitive but is backed up by the numbers and should be music to our collective ears. Let’s look at an example.

If we take my password from above, it’s easy to imagine how one might forget C4tsR00L! as a password. Did I put an uppercase C at the start? Was that a 4 I chose instead of an A? A question mark or an exclamation point at the end? Can’t remember, I’ll just write it down, it’ll be fine… Now, apart from the risk of losing that scrap of paper, a standard PC could crack that password in 4 weeks. That’s not particularly quick, but it’s still quick enough to be a problem.

Now what if rather than that short, complex password, I chose a password that was long but was perhaps a phrase, quote or line from a book that I can easily remember? Let’s say I’m a Sigmund Freud fan (they do exist apparently) and choose his quotation “Time spent with cats is never wasted” as my password. Easier to remember for sure, so I don’t need to write it down to remember it. Oh, and that standard PC would take 4 quindecillion years to crack it (that’s 7,200,000,000,000,000,000,000,000,000 times the age of the universe). Slight improvement on my previous choice.
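The comparison above comes from a password-strength calculator, so the "4 weeks" and "4 quindecillion years" figures depend on the guessing rate that calculator assumes. The following is an added example (not code from the original post) that makes the arithmetic explicit for the two passwords in the text: it sizes the character alphabet each one draws from, raises that to the length to get the brute-force keyspace, and converts the expected number of guesses into a time at an assumed rate. The guessing rate of 10 billion guesses per second is a constructed assumption, not a figure from the post, so the absolute times differ from the post's, but the ratio between the two passwords does not. It also goes slightly beyond the post by scoring the passphrase under a second attacker model, one that guesses whole dictionary words rather than characters, since that is the fairer way to judge a passphrase made of common words.

```python
import math
import string

# Constructed assumption: an offline guessing rate. The post mentions a
# "standard PC" but gives no rate; 1e10 guesses/second is a round figure
# for commodity GPU cracking of a fast, unsalted hash and is NOT from the post.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes an attacker must include once any member appears.
CLASSES = [
    ("lower", set(string.ascii_lowercase)),          # 26
    ("upper", set(string.ascii_uppercase)),          # 26
    ("digit", set(string.digits)),                   # 10
    ("symbol", set(string.punctuation + " ")),       # 32 + space = 33
]


def alphabet_size(password: str) -> int:
    """Size of the smallest alphabet covering every character class used."""
    return sum(len(chars) for _name, chars in CLASSES
               if any(c in chars for c in password))


def brute_force_keyspace(password: str) -> int:
    """Number of candidates a character-by-character brute force must consider."""
    return alphabet_size(password) ** len(password)


def wordlist_keyspace(passphrase: str, dictionary_size: int = 7776) -> int:
    """Attacker model that guesses whole words from a dictionary.

    7776 is the size of a Diceware word list and is an assumed attacker
    dictionary; a larger or smaller list scales the result accordingly.
    """
    return dictionary_size ** len(passphrase.split())


def entropy_bits(keyspace: int) -> float:
    """Keyspace expressed as bits of entropy (log2)."""
    return math.log2(keyspace)


def expected_crack_seconds(keyspace: int, rate: float = GUESSES_PER_SECOND) -> float:
    """On average the target is found halfway through the keyspace."""
    return keyspace / 2 / rate


def human_duration(seconds: float) -> str:
    """Render an estimate in the largest unit that fits."""
    units = [("seconds", 1), ("minutes", 60), ("hours", 3600), ("days", 86400),
             ("weeks", 7 * 86400), ("years", SECONDS_PER_YEAR)]
    label, divisor = units[0]
    for name, size in units:
        if seconds >= size:
            label, divisor = name, size
    return f"{seconds / divisor:.3g} {label}"


def report(password: str) -> dict:
    """Summarise both attacker models for one password (passphrase model only applies if spaces)."""
    ks = brute_force_keyspace(password)
    out = {"length": len(password), "alphabet": alphabet_size(password),
           "bits": round(entropy_bits(ks), 1),
           "brute_force_time": human_duration(expected_crack_seconds(ks))}
    if " " in password:
        wk = wordlist_keyspace(password)
        out["wordlist_bits"] = round(entropy_bits(wk), 1)
        out["wordlist_time"] = human_duration(expected_crack_seconds(wk))
    return out


if __name__ == "__main__":
    for pw in ("C4tsR00L!", "Time spent with cats is never wasted"):
        print(pw, "->", report(pw))
```

The short complex password sits at roughly 59 bits under a brute-force model, while the passphrase scores over 230 bits character-by-character and still around 90 bits even when the attacker is assumed to guess whole words from a list. Length dominates: each extra character multiplies the keyspace by the alphabet size, whereas swapping an A for a 4 only bumps the alphabet from 52 to 62.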

If more evidence is needed, Bill Burr, the chap who came up with these now discredited password policies in 2003, has now publicly apologised and admitted he was “barking up the wrong tree”. This is a problem, as most services we use every day are still playing catch-up and using these now-debunked recommendations, as are many business systems. In fact, I recently came across a client who would only be permitted to tender for a certain piece of business if they could evidence the fact that they had a password policy in place that satisfied Bill’s original password recommendations. This was a source of much frustration to the IT department in question, who had to retain password policies it knew were less than perfect.

It’s not all about password complexity though. There are a number of additional services and techniques that can increase the security of the systems we access every day while, in some cases, reducing the need for us to remember screeds of PINs and passwords such as:

  • Biometric authentication such as Apple’s Face ID or Microsoft’s Windows Hello
  • Password managers that will store all your passwords for all your services in a secure app protected by one REALLY good password
  • Delegated access, which allows you e.g. to log in to your Strava account using your Google username and password. Two services, one password. Win.
  • SSO (single sign-on), which your employer may configure to allow you to access a number of business-related services with a single username and password
  • Multi-factor authentication (MFA) – essentially having two passwords instead of one, the second of which changes on a regular basis, usually every 60 seconds. MFA is available on many major online services such as eBay and PayPal and is one we highly suggest enabling. TSG also strongly suggests enabling MFA on critical business systems where possible and practical

But in the end, the move towards simple and provably secure passwords that are easy to remember and hard to forget is a major step towards the promised land of zero written down passwords, zero incidents of the bad guys breaking into your Amazon account and zero headaches for you.

*My password for Amazon isn’t anything to do with cats incidentally. I’m more of a dog person.