Are Password Rules Making Us LESS Secure?
Isn't it maddening when your bank, insurance company, grocery store and a dozen other websites demand that you follow a complicated set of rules when coming up with a new password? It's bad enough that these passwords are hard to remember. But new research shows they actually make it EASIER for hackers to compromise your account. Read on for the scoop…
Pardon My Password Rant
Normally, when I describe a problem I make sure to also describe a solution. But this problem has no easy solution that you or I can implement. (Well, there is one thing that will help, see below.) So please pardon me while I rant about passwords, security, and the diminishing thereof.
I am sick and tired of password rules that make my life harder and don’t increase my online security. That includes password rules like these:
Password must contain one uppercase letter.
Password must contain one lowercase letter.
Password must contain one numeric character.
Password must contain one special character (!#%, etc.)
Password must be 8-10 characters long.
Password must contain at least one runic symbol found in the first edition of Lord of the Rings.
Okay, I made that last one up. But by imposing all of these restrictions, a website narrows a user’s choices, and actually results in LESS security. Here's why: fewer possible passwords make a hacker’s job easier; his software has to try fewer character combinations before guessing the correct one. So password rules like these actually diminish the security of passwords. One of my favorite cartoons on xkcd.com made this point in a humorous way.
Rules like the ones above also make it difficult to create a password that the user can remember. As a result, users try to satisfy the rules as simply as possible, and end up with a less secure password. I'll bet that a high percentage of passwords created to comply with those rules end up being composed of a common dictionary word, followed by the number 1 and an exclamation point. Does “Monkey1!” (or something very similar) look like a password you've recently used? You can bet that a hacker’s software will try passwords matching that pattern, and sooner rather than later.
These rules can sometimes make it harder to use password manager tools like LastPass, Roboform or Dashlane that automatically generate and remember secure passwords.
Many sites don’t even tell you the rules until you violate them; that’s extremely annoying when you have just typed a password twice (once to confirm). Similar hidden rules may exist to make you even crazier, like these:
Your password cannot match any of the last five passwords you used.
Your password cannot contain your last name.
Your password cannot contain your username.
Your password cannot contain the name of the current month.
Your password cannot be your email address.
We Need Some New Password Rules
The United States National Institute of Standards and Technology (NIST) is formulating new guidelines for password policies to be used by U.S. government systems and sites. “No composition rules” is one of the principal guidelines. NIST has figured out that giving users free rein to create their passwords results in greater security. Hopefully, the private sector will follow NIST’s “best practice” as it often does.
NIST’s guidelines say you need at least 8 characters in a password; that’s in line with most sites’ requirements. But NIST says the maximum password length should be 64, not some arbitrarily skimpy length like 12 or 16. It turns out the length of a password is more important to its security than any other factor.
A large maximum length also enables easily-remembered passwords that are still secure. Take the password, “My_horse_is_named_Ed”. That’s 20 characters. I bet you can remember it more easily than “Xv6Tu!kL,” which is only 8 characters. Yet a 20-character password is orders of magnitude more difficult to crack. The cartoon I referenced above uses the example password "correct horse battery staple" to show that four common words (with no capital letters, numbers or symbols) can be a very secure password.
NIST and private security experts also recommend checking a user’s password against a list of the most common passwords. Everyone knows what those are, including hackers who try passwords like “12345678” or “passwordpassword” before any other combinations.
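The NIST-style policy described above (length 8 to 64, no composition rules, a common-password blocklist) together with the search-space arithmetic behind the argument, as an added Python example that is not the author's code; the sample blocklist, the 100,000-word dictionary and the 32-symbol class are assumed sizes:

```python
import math
from itertools import combinations

# Constructed sample blocklist; a real deployment loads a breach-derived list
# (assumption: one lowercase password per line).
COMMON_PASSWORDS = {"12345678", "passwordpassword", "password", "qwerty123",
                    "monkey1!", "letmein", "iloveyou"}

def check_password(pw, blocklist=COMMON_PASSWORDS):
    """NIST-style check: length 8..64 and not on the blocklist.
    No composition rules at all. Returns (accepted, reason)."""
    if len(pw) < 8:
        return False, "too short (minimum 8 characters)"
    if len(pw) > 64:
        return False, "too long (maximum 64 characters)"
    if pw.lower() in blocklist:
        return False, "matches a commonly used password"
    return True, "accepted"

def random_string_bits(length, alphabet_size):
    """Entropy of a uniformly random string, in bits."""
    return length * math.log2(alphabet_size)

def compliant_fraction(length=8, classes=(26, 26, 10, 32)):
    """Fraction of all strings over the union of the character classes that
    contain at least one character from EVERY class (inclusion-exclusion).
    Default classes: upper, lower, digit, 32 ASCII symbols (94 total)."""
    total = sum(classes)
    count = 0
    for k in range(len(classes) + 1):
        for excluded in combinations(classes, k):
            count += (-1) ** k * (total - sum(excluded)) ** length
    return count / total ** length

def pattern_bits(words=100_000, caps=2, digits=10, symbols=32):
    """Search space of the 'Word1!' habit: a dictionary word, optionally
    capitalised, plus one digit and one symbol (sizes are assumptions)."""
    return math.log2(words * caps * digits * symbols)

if __name__ == "__main__":
    for pw in ("Monkey1!", "My_horse_is_named_Ed", "12345678", "Xv6Tu!kL"):
        print(f"{pw!r:26} {check_password(pw)}")
    print(f"random 8 chars from 94 symbols: {random_string_bits(8, 94):.1f} bits")
    print(f"...of which rule-compliant:     {compliant_fraction():.0%}")
    print(f"'Word1!' pattern:               {pattern_bits():.1f} bits")
    print(f"4 words from 2048-word list:    {random_string_bits(4, 2048):.1f} bits")
    print(f"random 20 chars, a-z plus '_':  {random_string_bits(20, 27):.1f} bits")
```

The composition rules themselves cut the 8-character space roughly in half; the far larger loss comes from users answering them with the predictable word-digit-symbol pattern.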
Like I said, there’s not much the average user can do to revolutionize password composition. But with NIST rolling out sensible guidelines, we may witness the slow death of password rules in our lifetimes. Oh, and I did mention that there's one thing you can do to improve password security. I've been talking about two-factor security for a few years here. See my article An Extra Layer of Security to learn how to lock down your password.
Your thoughts on this topic are welcome. Post your comment or question below...
This article was posted by Bob Rankin on 21 Mar 2017
Copyright © 2005 - Bob Rankin - All Rights Reserved
Article information: AskBobRankin -- Are Password Rules Making Us LESS Secure? (Posted: 21 Mar 2017)