By Roddy

Passwords, pah! Old-fashioned, insecure. Don’t cha just hate ‘em?

Well, no: they're OK, especially if handled thoughtfully and used with varied user identities (more on this at the bottom of this post).

Yes, experts (notably Microsoft) have been predicting or promoting the abandonment of passwords as an access control method for many years, but here they still are. Sure, you've got your Multi-Factor Authentication tokens, biometric identifiers, Authenticator apps and SMS confirmations, but there are complexities and weaknesses with all of these, making each of them unsuitable for particular types of people or uses. And for most people, all these controls are channelled through one device, their mobile phone, which they carry with them and use in public all the time. If a miscreant gets hold of your phone and overcomes its single authentication barrier (a passcode, or facial recognition or a fingerprint, both of which have been defeated in practice), they can access your text messages, emails and apps, and with them the very second factors that were supposed to protect your accounts.

The UK’s National Cyber Security Centre (NCSC) has good advice on managing and using passwords. The key points of this, for individuals, are:

  • Choose passwords which you can remember easily (NCSC suggests three random words) so that you don't have to write them down
  • Don't reuse passwords for any important services, such as online banking
  • Make sure that they are long enough that brute-force guessing would take an unreasonable time to succeed: years, ideally centuries.
  • Even if you choose a long password, don't include any easily guessed elements, such as your name or birthday or the name of the online service or website.
  • Don't replace a password unless you think that it has been exposed.

There is an argument for password complexity, using as wide a range of characters as possible, but the arguments against this are stronger. Length does more for a password's resistance to guessing than character variety does: adding four lowercase letters to a password multiplies the brute-force search space by 26^4, about 457,000, whereas switching twelve lowercase letters to a mix drawn from all 62 letters and digits multiplies it by (62/26)^12, about 34,000. And a complex character set makes the password harder to remember.

There is no theoretical weakness in a sufficiently long password (at least 12 characters) which is just ZZZZZZZZZZZZ or 999999999999, provided the attacker only walks through the whole keyspace and has no reason to prefer one candidate over another: stumbling on a correct password of 12 zeros then takes just as long, on average, as finding 567812397878. However, any competent attacker tries the obvious strings first: 'password', dictionary words, repeated characters, keyboard walks and digit runs, all of which a cracking tool's rules generate in seconds. So a password of 12 Zs isn't actually a good one.

You can make your login controls even more effective if you vary your user identities (your login names) too. You can have lots of email addresses, either as separate accounts (especially on free services like Gmail or Hotmail) or as aliases on one account. If an attacker has to guess both your user name and your password to gain access to your account, the space they must search is the product of the two, and an email-and-password pair leaked from one site no longer fits any other. The benefit depends on the user name actually being hard to discover: an address you publish everywhere, or one that has already appeared in a breach, adds little.

You probably don't want to add to the burden on your memory by having a separate email address for every login page, but it is very helpful to have separate ones for important services, i.e. ones where your personal security or money are at stake. Online financial services, like banking, will probably already give you a unique identifier, but you can do the same thing on a shopping site or a social media platform by using a unique email address. Stay safe.
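A way to get per-service aliases without remembering each one, as an added example (my own code, not from the original post). It uses '+' sub-addressing, which Gmail and many other mail providers support, and derives the tag after the '+' from an HMAC of the service name under a secret you keep, so the tag looks random to an attacker rather than being the guessable "me+shopname", yet you can regenerate it for any service without a lookup table. The secret, local part, domain and service names are constructed inputs; the helper is hypothetical, not any provider's API.

```python
import hashlib
import hmac
import math


def extra_bits_from_username(username_space: int) -> float:
    """Extra work an attacker faces when the user name is unknown, in bits.
    The combined search space is username_space * password_space (a product,
    not a square), so in bits the two contributions simply add."""
    return math.log2(username_space)


def service_alias(secret: bytes, local_part: str, domain: str,
                  service: str, tag_len: int = 10) -> str:
    """Return local_part+<tag>@domain, where <tag> is an HMAC-SHA256 of the
    service name truncated to tag_len hex characters. Deterministic, so the
    same secret always yields the same alias for the same service."""
    tag = hmac.new(secret, service.lower().encode(), hashlib.sha256).hexdigest()[:tag_len]
    return f"{local_part}+{tag}@{domain}"


if __name__ == "__main__":
    secret = b"constructed-example-secret"      # assumption: kept in your password manager
    for svc in ["shop", "social", "forum"]:
        print(f"{svc:7s} -> {service_alias(secret, 'roddy', 'example.com', svc)}")
    # Ten hex characters of tag give 16**10 possibilities, about 40 extra bits
    # an attacker must guess on top of the password.
    print(f"extra bits from the tag: {extra_bits_from_username(16 ** 10):.1f}")
```

Two caveats a practitioner should keep in mind. First, the base mailbox is still visible in front of the '+', so this defeats credential stuffing with a leaked base address but not an attacker who can read your mail; a separate account, as the post suggests for important services, hides the base as well. Second, some sites reject or strip the '+' part of an address, in which case an alias on your own domain or a separate free account is the fallback.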