Passwords are a necessary nuisance. We accept that we need passwords to protect our information, but that doesn’t mean that we like using them.
Surveys and analysis have shown that we often choose predictable passwords such as “Password0!” to work around most “secure” password policies. I have done this myself (though only for throwaway accounts that I will never use again and that are not linked to any of my online identities or to any email address I use – please don’t try this at home!).
A question that often comes up with passwords is around the required complexity of passwords. I think this is a trick question because I may end up living with the consequences of my answer. My current Internet Service Provider (ISP) supplies a home modem / router to connect to their service. When setting up the device, the ISP forces me to select a password with a minimum length of 12 characters (this possibly uniquely identifies the ISP). This is a nuisance! I recently had to check the device to find out why my internet connection was unstable and was switching over to the standby link. It turned out to be a problem with the cabling to my house. (To the credit of my ISP, they fixed the problem the next day even though that was a Saturday. Even better, it was resolved without any pleading or time-wasting running through useless questions on an uncompromising call centre script. That scored a 10/10 in the follow-up survey!)
Why do I need a 12-character password for this device? I use it purely because the device has an automatic backup link, that’s all. In my setup, it’s just a modem – I have another device that offers much better Wi-Fi and control of my home network. So why the inconvenience of a 12-character password? The interface to the “modem” should only be accessible from my home network and not the internet. It could be that the ISP believes that the modem is not secure from the internet (actually, I don’t believe it is secure from the network side, because the ISP has more access to, and control over, the modem than I do. It updates the modem and changes some configuration parameters regularly – but that is for another blog article).
So, it may not be a surprise to those who know me that the first password I thought of using was one of Mr Spooner’s favourites, “ChuckUFarley”. But of course, I didn’t use that, as otherwise I would not be writing it here! I did however choose a password that I could remember. This is against the advice of Troy Hunt who wrote, “The only secure password is one you cannot remember”.
No One Size Fits All
There is a lot of inconsistency with password policy – it is no wonder that organisations are often confused about what their password policy should be.
A credit card PIN is effectively a password that is only 4 digits long. Only 10,000 possible PINs! Why is that secure? I am sure there are people with multiple credit cards who mixed up the card they intended to use and entered the wrong PIN just one too many times, who could answer that question.
Then again, I use a 63-character random password for my Wi-Fi password because I know that at least one resident in my street has the knowledge, tools and computing time on a video card to find “weak” Wi-Fi passwords. Besides, there is no need for me to remember that password.
The important point here is that I think there is a better way to view passwords than through the rules we need to enforce for them. Complexity rules are important, but they should not be the focus. For me, the important question is, “what is the objective of using a password?”.
Why do we need passwords?
For credit cards, a PIN protects a cardholder from someone stealing or finding a card and using it. Today, that threat is not even mitigated by a password for sub-$100 contactless purchases, which the bank considers an acceptable risk. The odds of someone guessing the correct PIN within the limited number of tries permitted also carry a risk, but one that the banks’ experience over the many years credit cards have been used has shown to be acceptable.
The Wi-Fi password protects my home network. A guessable Wi-Fi password could mean that someone can access your Internet, TV, other devices, or potentially has the ability to view everything that is shared across the wireless network – emails, photos, videos, bank statements, work documents and the confidential customer information you need to access when working from home. I do not know what a Wi-Fi password protects for others, and consequently I would be foolish to try to convince anyone else that they should take my paranoid approach to Wi-Fi passwords.
Getting the balance right!
Password policy is a challenge for businesses – they need to understand how and why passwords are being used before they can set a reasonable password policy. A sensible policy is one that balances the inconvenience factor with the risks. It depends on many factors and in some cases relying on passwords alone leads to unacceptable risk. If you would like a second opinion, I would suggest the CIO of a company that has suffered a ransomware attack originating from a phishing attack that netted criminals a single remote network login password! Yes, multi-factor authentication is important for remote access. And that leads to another part of the equation.
Password complexity is only one factor in protecting information. There are greater risks from reusing the same password for multiple purposes, because a breach of one site exposes the password everywhere it was reused (e.g. see https://haveibeenpwned.com/Passwords).
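The Pwned Passwords service linked above lets a system check whether a candidate password has already appeared in a known breach without ever sending the password itself: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, and receives every suffix in that range with its breach count. The example below, added here and not part of the original article, implements that client-side logic with the network call replaced by a constructed in-memory “range” index built from three made-up entries, so it runs offline; the breach counts are invented for illustration.

```python
import hashlib
from typing import Callable, Dict, List

# Constructed stand-in for the Pwned Passwords range data: a few made-up breached
# passwords with invented counts. Nothing here is real breach data.
CONSTRUCTED_BREACHES: Dict[str, int] = {
    "Password0!": 1234,
    "password": 9_000_000,
    "qwerty123": 500_000,
}


def build_range_index(breached: Dict[str, int]) -> Dict[str, str]:
    """Index breached passwords the way the range API serves them: by 5-hex-char SHA-1 prefix.

    Each value is the text body the API would return for that prefix: one
    "<35-char suffix>:<count>" line per breached password sharing the prefix.
    """
    index: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
        index.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in index.items()}


RANGE_INDEX = build_range_index(CONSTRUCTED_BREACHES)


def fetch_range_offline(prefix: str) -> str:
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>; looks up the local index."""
    return RANGE_INDEX.get(prefix, "")


def pwned_count(password: str, fetch: Callable[[str], str] = fetch_range_offline) -> int:
    """Return how often the password appears in the breach data, 0 if never.

    Only the 5-character hash prefix is handed to `fetch`; the remaining 35
    characters stay local and are matched against the returned suffixes, so the
    service never learns the password or its full hash (k-anonymity).
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        found_suffix, _, count = line.partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, fetch: Callable[[str], str] = fetch_range_offline) -> bool:
    """Policy hook: reject any password seen in a breach, regardless of its complexity."""
    return pwned_count(password, fetch) == 0


if __name__ == "__main__":
    for candidate in ("Password0!", "correct horse battery staple"):
        print(candidate, "->", pwned_count(candidate), "breach occurrences")
```

Swapping `fetch_range_offline` for a function that performs the real HTTPS request is the only change needed to run this against the live service; the hashing and matching logic stays the same, and the `fetch` parameter is what lets the privacy property be verified in a test.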
Poor usability can be a major factor in undesirable user behaviour. It could push users away from a secure system within an organisation towards using public cloud alternatives. In some cases, as with credit cards or more generally smart cards, the ability to guess passwords is severely constrained through other processes, which allows what would otherwise be considered weak passwords to be used (though not as weak as 1234!).
Lower password complexity could also be acceptable if the information for verifying a password (the so-called password hash) is not easily available and the system uses techniques that severely limit the rate at which passwords can be tested. This principle allows secure storage systems to use passwords that are significantly shorter and less complex than the underlying cryptographic keys used to encrypt the actual data.
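The two ideas in the last paragraph, and the 10,000-PIN question from earlier, can be made concrete in a few dozen lines. The example below, added here and not taken from the article or any vendor, shows a storage device that protects a random 256-bit data-encryption key with a much shorter password: the password is stretched with PBKDF2 into a wrap key and a MAC key, the wrapped key and tag never leave the device, and the device locks itself after a fixed number of failed attempts. Two helpers then compare the attacker’s position in the online (rate-limited) case with the offline case where the verification data has leaked. The iteration count, attempt limit and guess rates are constructed parameters for illustration, and the XOR wrap stands in for a real key-wrap mode (AES-KW or an AEAD) to keep the example self-contained.

```python
import hashlib
import hmac
import os
import secrets
from typing import Optional, Tuple

# Constructed parameters for this illustration; they are not taken from the article.
PBKDF2_ITERATIONS = 310_000   # key stretching: every guess costs 310k HMAC-SHA256 rounds
MAX_ATTEMPTS = 5              # online rate limit: the store locks itself after this many failures
KEY_LEN = 32                  # the real secret is a random 256-bit data-encryption key


def derive_keys(password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch a human-chosen password into a wrap key and a MAC key (2 x 32 bytes)."""
    material = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                   PBKDF2_ITERATIONS, dklen=2 * KEY_LEN)
    return material[:KEY_LEN], material[KEY_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class PasswordProtectedKeyStore:
    """A random 256-bit data key wrapped under a password-derived key.

    The password never encrypts data directly; it only unwraps the data key. The
    salt, wrapped key and tag are the "verification information" the article
    refers to. Keeping them inside the device and counting failed attempts is
    what makes a password far shorter than the 256-bit key acceptable.
    """

    def __init__(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.failures = 0
        self.locked = False
        data_key = secrets.token_bytes(KEY_LEN)
        wrap_key, mac_key = derive_keys(password, self.salt)
        # XOR under a fresh password-derived key stands in for a real key-wrap (AES-KW / AEAD).
        self.wrapped = _xor(data_key, wrap_key)
        self.tag = hmac.new(mac_key, self.wrapped, "sha256").digest()

    def unlock(self, password: str) -> Optional[bytes]:
        """Return the data key for a correct password, None otherwise; lock after MAX_ATTEMPTS."""
        if self.locked:
            return None
        wrap_key, mac_key = derive_keys(password, self.salt)
        expected_tag = hmac.new(mac_key, self.wrapped, "sha256").digest()
        if not hmac.compare_digest(expected_tag, self.tag):   # constant-time comparison
            self.failures += 1
            if self.failures >= MAX_ATTEMPTS:
                self.locked = True
            return None
        self.failures = 0
        return _xor(self.wrapped, wrap_key)


def online_success_probability(keyspace: int, attempts: int) -> float:
    """Chance that uniform guessing gets in before the lockout triggers (e.g. 3 tries at a 4-digit PIN)."""
    return min(attempts, keyspace) / keyspace


def offline_crack_time_seconds(keyspace: int, raw_hashes_per_second: float) -> float:
    """Average brute-force time if the salt, wrapped key and tag have leaked: half the keyspace.

    Key stretching divides the attacker's raw hash rate by the iteration count,
    which is the only defence left once the rate limit is gone.
    """
    effective_rate = raw_hashes_per_second / PBKDF2_ITERATIONS
    return (keyspace / 2) / effective_rate


if __name__ == "__main__":
    store = PasswordProtectedKeyStore("2468")
    print("correct PIN unlocks:", store.unlock("2468") is not None)
    print("wrong PIN unlocks:", store.unlock("1234") is not None)
    print("P(success) online, 3 tries at 10,000 PINs:", online_success_probability(10_000, 3))
    print("offline seconds for 10,000 PINs at 1e9 H/s:",
          offline_crack_time_seconds(10_000, 1e9))
    print("offline years for 12 random alphanumerics at 1e9 H/s:",
          offline_crack_time_seconds(62 ** 12, 1e9) / (365 * 24 * 3600))
```

The contrast the two helpers print is the whole argument: a 4-digit PIN is fine while the attacker is stuck with a handful of online attempts, and hopeless within seconds once the verification data leaks, whereas a long random password survives the offline case. Which situation applies is a property of the system, not of the password, which is why a single complexity rule cannot fit every use.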
Password wallets can be a great aid, but only if the password wallets themselves are secure.
A case for change…
General guidance for passwords is useful as it provides an insight into the requirement to secure systems against today’s attacks, and the password policies required to counter those attacks.
Given that the current recommendation from the Australian Cyber Security Centre is for Australian businesses to protect lower risk or “Official” information with passwords of a minimum of 14 characters of mixed type (considered the baseline level of protection), the inconvenience factor for passwords is growing. It seems that passwords alone are not practical for protection against the typical threats that businesses face (see https://www.cyber.gov.au/acsc/view-all-content/guidance/authentication-hardening).
If long passwords are not acceptable to users, it could be time that businesses reassessed the role of passwords in their overall strategy for protecting their information technology assets.
Maybe if we all had a better understanding of what passwords are protecting, we would make better choices for setting password policy (Mr ISP?), and take better care of passwords, or have greater acceptance of more modern multifactor authentication solutions.