Passwords And The Complexity Myth

Or should that be the pain of password complexity? Maybe even just the pain of passwords in general.

It’s time to log in. OK, so it’s an upper case letter, a lower case letter, a number and a special character, but how many characters for this particular password? We’ve all felt that well known pain as your fingers hover over the keyboard and all you want to do is log into your account. But where did this brain challenge come from?

Back in 2003 a man called Bill Burr wrote what became the bible of password security while working for the US Government. 14 years on, and many irate forced password changes later, the now retired Mr Burr has changed his opinion on password complexity.

The original idea was that this style of complexity would make passwords difficult to guess and, as humans, we have found that to be absolutely correct. The problem is we’re all left guessing what our very own passwords are after having to conform to something that is simply not natural to us. This is especially true when we have to change them periodically and keep each one unique across the ever-growing number of accounts we now have.

Of course we want to keep our accounts and data secure, though I don’t think locking ourselves out of our own accounts and information is the protection layer that password complexity was aiming for.

With all of the accounts we have in the modern world it’s difficult to remember all of our passwords, especially as we are advised not to write them down or re-use them (post-it notes on your monitor or little black book, anyone?). To add to the challenge, we have to remember which crazy concoction of requirements any given password must meet, and, just to keep you on your toes, the requirements are not all the same either.

So what have people been doing to fight the demand for recurring password changes? Usually we stick an extra number on the end, or increment the one that is already tagged on to our favourite P@ssw0rd7 or sport like F00tba!!123.

By increasing the complexity for humans we are decreasing the very security we are supposed to be creating. So what do we do? The passwords we use are not centrally managed by the company IT team, service provider or compliance body across the board, so we are subject to varying policies. Consider all of your work passwords as well as all of the service providers you use personally, such as utilities, email and shopping sites, and it’s no wonder the word password brings a mental, if not an audible, groan.

Within the corporate space IT departments have more control over which password policies are in place, so there is some light at the end of that particular tunnel.

So what is the word on the street from the big guys now? Well, it’s more words than word. The guidelines from America’s National Institute of Standards and Technology (NIST) have now been updated to advise that we use long but easy to remember passphrases. Advice that is more human friendly, that’s for sure.

A passphrase is a sequence of words that does not require the special complexity treatment our old passwords demanded. That’s not to say you can’t include such characters if that’s your style (or should that be $Ty13).

While many different password harvesting and cracking techniques exist, at the time of this post it is said that a password of P@55w0rd will take 24 days to crack by brute force, while a password of JumpingUnicornsPen will take over 87 trillion years. Well, that’s according to random-ize.com. The difference comes from length: each extra character multiplies the number of combinations an attacker has to try, which quickly outweighs the handful of extra symbols a complexity rule adds.

Until there is a single, universally adopted set of password format requirements, we will have a mix of password complexities across our digital estate. That will remain the case until other technologies like biometrics and passwordless access are common practice.

Even after changing to unique passphrases, at least on the systems and websites that allow you to, we still have to pin down which site it is that now uses your all new mythical creature based passphrase (and what stationery they use).

So what can you do? Well, one option is to develop total memory recall, another is to develop your own mental passphrase generator (and still remember what the results are), or you could simply use a password manager.

Whatever your chosen way forward, it is important to take passwords seriously. Using default passwords is not a good idea, nor is using very simple passwords like “password”, “123456” and “letmein”.
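To make the passphrase guidance and the brute force comparison above concrete, here is an added example (not from the original post or from NIST) of a small checker in the spirit of the updated guidance: it rejects short and blocklisted choices, undoes the usual letter-for-symbol tricks so P@ssw0rd7 and F00tba!!123 are caught as their base words, and estimates brute force time from length and character set. The blocklist, the substitution table and the one-billion-guesses-per-second rate are all constructed assumptions, which is why its figures differ from the random-ize.com ones quoted above.

```python
import string

# Constructed blocklist: the weak passwords quoted in the post plus the base word
# of its "sport" example. A real deployment would use a large breach-derived list.
BLOCKLIST = {"password", "123456", "letmein", "football"}

# Common letter-for-symbol substitutions, undone before the blocklist lookup (assumed table).
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "l", "3": "e", "5": "s", "$": "s"})


def candidates(pw):
    """Yield plain forms of pw so P@ssw0rd7 and F00tba!!123 match their base words."""
    yield pw.lower()                                  # the password as typed, e.g. 123456
    base = pw.lower().rstrip(string.digits)           # drop the incremented trailing number
    yield base.translate(LEET)                        # p@ssw0rd -> password, f00tba!! -> football
    yield base.rstrip(string.punctuation).translate(LEET)  # letmein!! -> letmein


def charset_size(pw):
    """Size of the smallest standard character set that covers every character in pw."""
    classes = [(str.islower, 26), (str.isupper, 26), (str.isdigit, 10)]
    size = sum(n for test, n in classes if any(test(c) for c in pw))
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)               # the 32 printable ASCII symbols
    return size


def brute_force_years(pw, guesses_per_second=1e9):
    """Years to exhaust the whole keyspace at an assumed (constructed) guess rate."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / guesses_per_second / (365 * 24 * 3600)


def check_password(pw, min_length=8):
    """Return the reasons pw fails the guidance; an empty list means it is acceptable.
    NIST SP 800-63B asks for at least 8 characters and a blocklist check but no
    composition rules, so nothing here demands upper case, digits or symbols."""
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if any(c in BLOCKLIST for c in candidates(pw)):
        problems.append("blocklisted word with simple substitutions or a trailing number")
    return problems


if __name__ == "__main__":
    for pw in ["P@55w0rd", "P@ssw0rd7", "F00tba!!123", "JumpingUnicornsPen"]:
        print(f"{pw:20} {brute_force_years(pw):12.3g} years  {check_password(pw) or 'ok'}")
```

Note that P@55w0rd passes the length rule and fails only on the blocklist, while the passphrase passes everything despite containing no digits or symbols.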

After all, you lock your house, your car and your gym locker, and probably even tie your shoe laces, so keep your account and your data like your shoes: yours, secure, and not stood in the middle of a stinky mess.

While it can be annoying, the whole point of password complexity is security, and that is absolutely for our own benefit, if not our convenience.

Taking access control further, Multi Factor Authentication is now very popular and adds an additional layer of security to your accounts. Shortened to MFA, this essentially takes something you know – your password – and combines it with something you have, like a hardware token or an app on your mobile phone, so a stolen or guessed password alone is not enough to get in.

Check out our write-up on MFA here to learn more.

For further information on data security and ways to keep yourself protected online, search our Media Central posts or contact us for a chat.
