Secure passwords have never been our strong suit

Protect Both Yourself and Your Organization

Written by Dustin Ormond, PhD

Since the first use of a password in 1961, passwords have been known to be insecure and easily hacked. This may be partially because, ironically, “the MIT researchers who pioneered the passwords didn't really care much about security,” according to Robert McMillan of The Wall Street Journal.

McMillan writes that the standard convention which we now use today was part of a guideline by the National Institute of Standards and Technology (NIST) in 2003. This led to the introduction of complex passwords containing a combination of lowercase and uppercase letters, numbers, and symbols as well as requirements to frequently change passwords.

However, the result has been less than effective, resulting in nothing but aggravation, decreased security, and poor habits. Therefore, this is a call to individuals and organizations alike to completely readjust their thinking regarding passwords—and the time to change is now.

How to create a password that withstands hackers

Check out this quick story:

During a recent password audit, it was found that one user was using the following password:

MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento

When asked why such a long password, they said they were told that it had to be at least 8 characters long and include at least one capital.

While this is a light-hearted example of a password requirement being taken somewhat too literally, it’s certainly the right idea. When it comes to creating a new password, focus on increasing the length of the password rather than the complexity.

Let’s look at the math behind that statement. With a six-character password comprised of only uppercase or lowercase letters, the number of possible password combinations is more than 19.7 billion (19,770,609,664 to be exact).

However, adding one more character to increase the length to seven characters results in over 1 trillion password combinations—1,028,071,702,528! Compare that to the possibilities of a six-character password with complex characters added in, which results in only about 262 billion combinations (262,144,000,000).

In summary, it’s clear that complexity increases the number of combinations but not near as much as adding additional characters. Additionally, complex passwords are much more difficult for users to remember.

What makes a password weak and how are they cracked?

In my cybersecurity course in Creighton University’s Business Intelligence and Analytics program, students register for my website using any password they want. Prior to storing the passwords, I encrypt each one, making it virtually impossible for me to reverse-engineer the original passwords.

However, many passwords can be cracked by running a series of attacks such as brute force or dictionary attacks which basically pass a bunch of different passwords through the same algorithm. To illustrate how quickly this can be done, I test each student’s password against 30 billion different password combinations in an hour.

Some passwords that have been cracked include Mad3l3ine, 0pensesame, Shadow034, Baller123, and Hello123!. If you notice, these users tend to follow the same poor practices:

1. Dictionary words or phrases
2. Well-known character substitutions
3. Numbers at the beginning or end
4. Capitalization at the beginning.

A popular comic by XKCD demonstrates this dilemma of complexity vs. length.

Current password practices aren’t helping

Maintaining hundreds of passwords for various apps and web sites has become a daunting and time-consuming task—one that’s made more difficult by inconsistent implementation of complex passwords.

For example, some applications allow all characters while others are more restrictive (i.e. blocking special characters &%#@+_). Some require a specific number of characters. This results in users questioning which password they used for each site. Was it a “+” or “t” or was it an “@” or “a”?

Company policies requiring users to occasionally change passwords just make matters worse. Brian Barrett writes in Wired that users make small transformations to their passwords including increasing/decreasing a number in the password, changing a letter to a symbol, switching the order of digits or characters, or eliminating characters. Oftentimes, these practices result in diminished security because people who are forced to change their passwords “don’t put a whole lot of mental muscle behind it.”

What you can do to protect yourself or your organization

Despite all these issues, the time to engage in more secure password practices is now. Here are my recommendations:

What individual users should do:

1. Visit https://haveibeenpwned.com/Passwords and check if your password has ever been found in the compromised dataset of over 500 million passwords. If it shows up just once, change it immediately.
2. Reach out to your organization and encourage them to discontinue the poor practices above.
3. Use passphrases which either combine several words together or uses the first character of each word as the password. Don’t use phrases that are commonly used together (e.g. song lyrics, clichés).
4. Use a password manager such as LastPass, 1password, or Dashlane to manage your passwords.

What entire organizations should do:

1. Allow users to use any characters in their password but increase the length requirement to a minimum of 12-16 characters.
2. Require users to change their passwords only if something warrants the change (e.g. the recent Twitter bug).
3. Remove password hints. Users use hints that are very close to their passwords. Rather, allow the user to reset the password.
4. Remove knowledge-based authentication (i.e. What is your mother’s maiden name?) as many of the answers to these questions can be found on the internet.

Dustin Ormond is an Assistant Professor within the Business Intelligence and Analytics program in Creighton University’s Heider College of Business.