One school of thought in the cybersecurity world says that passwords are outmoded and easily stolen or figured out, and that to ensure security, passwords need to be replaced with biometric indicators and other forms of authentication that cannot be easily faked.
However, passwords likely aren’t going to disappear overnight and will probably be used by businesses of all sizes for the foreseeable future. Yet if an organization is going to use passwords, there are some clear best practices they can adopt to make the experience better for both users and the organization — and enhance security in the process.
Jeff Atwood, a software developer, author, blogger and entrepreneur who co-founded the computer programming question-and-answer website Stack Overflow, dove into the topic recently on his blog Coding Horror. Atwood notes that the world is “absolutely awash” in dumb password rules (mainly arbitrary rules about special characters and password length), bad password rules, and sites that shame other sites for having them.
Atwood argues that most users’ passwords are “too damn short.”
“These days, given the state of cloud computing and GPU password hash cracking, any password of 8 characters or less is perilously close to no password at all,” he says. “So then perhaps we have one rule, that passwords must not be short. A long password is much more likely to be secure than a short one … right?”
While most password rules require a password to contain at least one upper case letter, one lower case letter, one number and one special character, Atwood argues that the length of the password is what matters most.
“As we built Discourse, I discovered that the login dialog was a remarkably complex piece of software, despite its surface simplicity. The primary password rule we used was also the simplest one: length,” he says. “Since I wrote that, we've already increased our minimum password default length from 8 to 10 characters. And if you happen to be an admin or moderator, we decided the minimum has to be even more, 15 characters.”
According to Keeper Security, of the top 25 most common passwords in 2016, only five of them had 10 characters or more, Atwood notes, “so if we require 10 character passwords, we've already reduced our exposure to the most common passwords by 80%.”
To make passwords more secure, Atwood advises IT leaders and workers, and developers especially, to follow these rules of thumb.
Atwood claims password rules don’t work and that they “heavily penalize your ideal audience, people that use real random password generators. Hey, guess what, that password randomly didn't have a number or symbol in it. I just double checked my math textbook, and yep, it's possible. I'm pretty sure.”
Arbitrary password rules also “frustrate average users, who then become uncooperative and use ‘creative’ workarounds that make their passwords less secure.”
Such rules are “often wrong, in the sense that the rules chosen are grossly incomplete and/or insane, per the many shaming links I've shared above.”
“One rule is at least easy to remember, understand, and enforce,” Atwood says. “This is the proverbial one rule to bring them all, and in the darkness bind them,” he adds, in a nod to The Lord of the Rings.
Why is password length so important? For one, it is a simple rule; for another, Atwood says, “the data shows us it works; just download any common password list of your choice and group by password length. The math doesn't lie. All other things being equal, a longer password will be more random – and thus more secure – than a short password.”
However, he says IT pros should “accept that even this one rule isn’t inviolate,” and that a minimum password length of six characters on a Chinese site might be perfectly reasonable, but a 20-character password “can be ridiculously insecure.”
“If you don’t allow (almost) every single unicode character in the password input field, you are probably doing it wrong,” he adds. “It’s a bit of an implementation detail, but make sure maximum password length is reasonable as well.”
Atwood says “it is a terrible disservice to users when you let them choose passwords that exist” on lists of the most common passwords that have been found via data breaches.
“There’s no question that a hacker will submit these common passwords in a hack attempt — and it’s shocking how far you can get, even with aggressive password attempt rate limiting, using just the 1,000 most common passwords.”
According to Atwood, 1.6 percent of users have a password from the top 10 passwords; 4.4 percent have a password from the top 100 passwords; 9.7 percent have a password from the top 500 passwords; 13.2 percent have a password from the top 1,000 passwords; and 30 percent have a password from the top 10,000 passwords.
“Lucky you, there are millions and millions of real breached password lists out there to sift through. It is sort of fun to do data forensics, because these aren’t hypothetical synthetic Jack the Ripper password rules some bored programmer dreamed up, these are real passwords used by real users,” he says. “Do the research. Collect the data. Protect your users from themselves.”
Entropy, in this context, means a lack of predictability. Passwords should not be predictable. Atwood notes he was upset when he realized that a site he worked on was “perfectly fine with users selecting a 10-character password that was literally ‘aaaaaaaaaa.’”
“In my opinion, the simplest way to do this is to ensure that there are at least (x) unique characters out of (y) total characters,” he says.
Finally, Atwood says, IT administrators need to ensure that users cannot use certain passwords. Common cases of this include passwords that are the same as usernames and the same as email addresses. “Similarly, you might also want to block other special cases like password equal to URL or domain of website, [and] password equal to app name,” he adds.
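A password check that applies the rules summarised above (a minimum length with a higher minimum for staff, a sane maximum, Unicode accepted and counted per character, a common-password list, the “at least (x) unique characters out of (y)” entropy rule, and the special-case blocks), written as an added example rather than code from Atwood's post or from Discourse. The thresholds and the five-entry common-password list are constructed for illustration; a real deployment would load a breached-password list of thousands of entries.

```python
"""Password-policy check modelled on the rules in the article (added example)."""
import unicodedata

# Constructed stand-in for a real common/breached password list.
COMMON_PASSWORDS = {"password", "123456", "qwertyuiop", "1234567890", "passw0rd12"}

MIN_LENGTH_USER = 10    # Discourse's default minimum, per the article
MIN_LENGTH_STAFF = 15   # the admin/moderator minimum, per the article
MAX_LENGTH = 128        # constructed: bounds hashing cost without blocking passphrases
MIN_UNIQUE = 5          # constructed value of (x) in "(x) unique out of (y) total"


def check_password(password, *, username="", email="", site_domain="",
                   app_name="", is_staff=False):
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    problems = []
    # Normalise so visually identical Unicode spellings are treated alike; length is
    # measured in code points, so any Unicode character counts as one character.
    pw = unicodedata.normalize("NFC", password)
    length = len(pw)
    minimum = MIN_LENGTH_STAFF if is_staff else MIN_LENGTH_USER
    if length < minimum:
        problems.append(f"too short: {length} < {minimum} characters")
    if length > MAX_LENGTH:
        problems.append(f"too long: {length} > {MAX_LENGTH} characters")

    # Common-password check is case-insensitive: 'Qwertyuiop' is no safer than 'qwertyuiop'.
    if pw.casefold() in COMMON_PASSWORDS:
        problems.append("appears in common-password list")

    # Entropy proxy: a 10-character 'aaaaaaaaaa' passes the length rule but has 1 unique character.
    unique = len(set(pw))
    if unique < MIN_UNIQUE:
        problems.append(f"too repetitive: {unique} unique characters < {MIN_UNIQUE}")

    # Special cases from the article: password equal to username, email, site domain or app name.
    for label, value in (("username", username), ("email", email),
                         ("site domain", site_domain), ("app name", app_name)):
        if value and pw.casefold() == value.casefold():
            problems.append(f"matches the {label}")
    return problems


if __name__ == "__main__":
    for candidate in ("aaaaaaaaaa", "Qwertyuiop", "пароль-пароль", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```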