Passwords have problems. They can be too weak, reused on multiple systems, deliberately shared with other users, and socially engineered. But that’s not the password’s fault. The problem is the people.
Passwords and Human Nature
Passwords may be children of the flower-power era, but we can’t be dippy-hippy and free-spirited with them. Ever since Fernando J. Corbató invented the password to provide some privacy and security for users of the Compatible Time-Sharing System multi-user computer in the early 1960s, people have had problems with picking strong, unique passwords.
Human nature means many people prefer convenience to security. It’s called security friction. It’s the push-back you get when a security enhancement requires a change of workflow, an additional step, or some thought and effort on the part of the user.
Having a single password is easier, right? You only need to remember one thing. You can use it everywhere and you can get really fast at typing it. If you’re forced to change your password periodically just change the number or the date you’ve tagged on the end. If a colleague wants to use your account, well why not hand over your credentials?
Some of the blame sits with the password owners, obviously. But perhaps some of the blame sits with those of us who are failing to get through to these users. We need to figure out how to change our message so that its content is embraced and adopted instead of being viewed as an annoyance and ignored.
And we know it is being ignored. A 2021 report by NordPass looked at a database of 275 million passwords, and all the usual suspects are still present in the list of most frequently used passwords.
The Most Frequently Used Passwords
Whenever there is a data breach the exposed data—sooner or later—turns up on the dark web. It might be for sale or, like the 533 million personal records of Facebook users, freely available. Different organizations take copies of the breached databases and extract the email addresses and passwords. The most well-known of these is the Have I Been Pwned website.
It provides a search facility that lets you check whether your email has been caught in any data breaches. If it has, you’re told which websites or organizations the data came from. You can change your password for those accounts and secure them again, and do the same everywhere else you’ve used that same password.
This is the list of the top ten most popular passwords found in data that was breached in 2020. The numbers in parentheses are the number of times the password was found in the database.
- 123456 (2,543,285)
- 123456789 (961,435)
- picture1 (371,612)
- password (360,467)
- 12345678 (322,187)
- 111111 (230,507)
- 123123 (189,327)
- 12345 (188,268)
- 1234567890 (171,724)
- senha (167,728)
According to the Experte Password Checker all of these can be cracked in less than one second, apart from “picture1” which would take about one minute. But the biggest threat is that these passwords are already in the dark web in databases ready to be used as ammunition in credential stuffing attacks.
Whether the password in the database came from one of your accounts or not, it’ll still work on your account. The top entry “123456” was seen in the breach databases 2.5 million times, but it had been exposed in 23.5 million breaches.
It’s as astonishing as it is depressing that people are still using passwords like this today. And the same thing goes for people creating platforms that will allow users to create passwords like this. Bad passwords should be trapped and rejected automatically at the time of their creation. If the users aren’t going to follow guidance under their own cognizance, system designers need to make it impossible for accounts to be created with insecure passwords.
Password Managers and Policies
In the workplace, you can provide a password policy that dictates what is and what isn’t an acceptable password. Tighten up password checking rules on all systems so that robust passwords are enforced. Promote the use of pass-phrases that link three or four unrelated words connected by punctuation.
Although it might seem counter-intuitive, consider following the advice of the National Institute of Standards and Technology (NIST), the UK’s National Cyber Security Centre (NCSC), and Microsoft and remove requirements for passwords to be changed periodically.
Regular password changes add nothing to security and inadvertently encourage bad password choices. They coerce users into retaining a base password and modifying it each time a change is forced, usually by adding a number or a date to it.
It’s much better for people to pick robust, unique passwords and retain them indefinitely. Passwords should only be changed when the user leaves the organization or there is suspicion that the password has been compromised.
Password Managers Take Away a Lot of the Pain
Encourage or downright enforce the use of a company-approved password manager. These will create unique, robust passwords for every account, for every user. Extremely strong passwords are automatically created for you, automatically entered for you, and you only have to remember one password—the one for the password manager.
Password managers are multi-device and cross-platform, so you can benefit from them on all of your devices. The passwords are stored using a type of encryption that requires a key from your device to decrypt them. Even if the password manager company suffers a breach, your passwords are not exposed.
Password managers provide other security benefits too. Phishing emails often contain links that send the unwary user to a lookalike website that harvests credentials. The password manager will not enter the user’s credentials on such a site because it won’t recognize the bogus URL.
Two-factor authentication adds another layer of protection. It requires two things from the user: something they know, their password, and something they have, such as their smartphone. An app on your smartphone will display a one-off code that must be entered along with your password.
This means that even if a password is exposed in a breach the threat actors won’t have access to that account. Note that SMS-based authentication is no longer considered secure. Use systems that require a fob, dedicated device, or smartphone application.
Multi-factor authentication takes it a step further. As well as something you know and something you have, it requires something you are, such as the owner of your unique fingerprint, iris, or voice.
Unfortunately, two-factor authentication isn’t universally available. There are a great many systems—almost certainly the majority of systems—that are still reliant on the time-honoured ID and password pair of credentials. That’s changing slowly, but the ID and password model of authentication is going to be around for a long, long time.
Practical Steps to Take
- Policies: You need to capture your requirements for acceptable passwords and the rules for safeguarding them in a policy document. If it isn’t written down it isn’t a policy. It should cover the strength of passwords, pass-phrases, and give guidance on the protection of passwords. Never write them down, never share them, and never use them on more than one system.
- Password Managers: Specify which are your company-approved password managers, and encourage or enforce their use. There are many to choose from. NordPass, Bitwarden, and 1Password are all good products with a free plan or a free trial so that you can see whether they suit your needs.
- Two-Factor and Multi-Factor Authentication: Where two-factor or multi-factor authentication is available, use it. And remember that just because you have added another layer of authentication, the quality, protection, and uniqueness of your passwords are just as important as ever.
- System Design: If you write software make sure weak passwords are filtered out and rejected as accounts are created. You can include reject-lists of passwords that can never be used. You can also query online resources such as Have I Been Pwned to check whether a password has been found in previous data breaches. You can download the entire database of compromised passwords from Have I Been Pwned if you wish to host it locally.
- Education: For as long as “123456” crops up in lists of the most commonly used passwords we’ve got to keep trying to drum home the essential basics about passwords.
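As an added example (not code from the article), this is how the System Design step could be implemented at account creation: a reject-list check that also catches a listed password with a number, date or punctuation tacked on the end, plus a Have I Been Pwned style k-anonymity lookup in which only the first five hex characters of the SHA-1 hash would leave the client. The range-API response is a constructed offline stand-in built from two of the article's listed passwords, and MIN_LENGTH is an assumed policy value.

```python
import hashlib
import re

MIN_LENGTH = 12  # assumed policy value; the article gives no number
# Reject-list seeded with the article's top-ten breached passwords of 2020.
REJECT_LIST = {"123456", "123456789", "picture1", "password", "12345678",
               "111111", "123123", "12345", "1234567890", "senha"}

def sha1_hex(password: str) -> str:
    # Upper-case hex SHA-1, the form Pwned Passwords is keyed on.
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed offline stand-in for the Pwned Passwords range API. The real
# endpoint, GET https://api.pwnedpasswords.com/range/<first 5 hex of SHA-1>,
# returns "<remaining 35 hex>:<count>" lines for every leaked hash sharing
# that prefix, so only the 5-char prefix ever leaves the client (k-anonymity).
_SAMPLE_LEAKS = {"picture1": 371612, "password": 360467}  # article's counts
_FAKE_RANGES = {}
for _pw, _count in _SAMPLE_LEAKS.items():
    _h = sha1_hex(_pw)
    _FAKE_RANGES.setdefault(_h[:5], []).append(f"{_h[5:]}:{_count}")

def fake_fetch_range(prefix: str) -> str:
    """Stand-in for the HTTP call; a real fetch returning the same text works."""
    return "\r\n".join(_FAKE_RANGES.get(prefix, []))

def pwned_count(password: str, fetch_range=fake_fetch_range) -> int:
    """How many times the password appears in breach data (0 = not seen)."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0

def validate_password(password: str, fetch_range=fake_fetch_range) -> list:
    """Return the reasons a password must be rejected; empty list means accept."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = password.lower()
    # Strip a tacked-on number, date or punctuation so "Password2024!" still hits.
    base = re.sub(r"[^a-z]+$", "", lowered)
    if lowered in REJECT_LIST or base in REJECT_LIST:
        reasons.append("on the reject-list of known-bad passwords")
    hits = pwned_count(password, fetch_range)
    if hits:
        reasons.append(f"seen {hits} times in breach data")
    return reasons
```

To use the live service, pass a `fetch_range` callable that performs the HTTP GET for the prefix and returns the response body unchanged; the parsing and policy logic stay the same.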