-
Home
-
Knowledge Base
-
Caleb Hill
- Power & Finesse: The Fine Lines of Password Strength
Knowledge Base
Power & Finesse: The Fine Lines of Password Strength
From the Marx Brothers ‘swordfish’ to your school locker combination, passwords have persistently presented themselves as a perpetual installation of any security initiative. When computer systems want to prove that you are who you say you are, they ask you for a string of characters that is hopefully not ‘password’.
But security times are changing. Could multi-factor and passwordless authentication finally push passwords into obsolescence? When a password was all that was necessary to log into an account, its strength was imperative: now that we have push notifications and even physical keys to prove who we are, how important are strong passwords?
Short answer: they’re important. The more nuanced answer: no security of any kind (much less information security) is about doing the bare minimum. Nations do not secure their citizens by stationing armies at the borders and firing the police force. Like both onions and ogres, security has layers: the stronger each layer is individually, the stronger they will all be together.
Thus, to have the strongest security possible, we need the strongest passwords possible. This article explores the more-nuanced-than-expected world of how to create truly strong passwords in a way that can be practically implemented in the real world.
The Problem with Passwords
In the words of Taylor Swift, “It's me, hi, I'm the problem, it's me”: the problem with passwords is us. Creating an objectively strong password is, in a vacuum, incredibly simple. Tell a program to randomly generate you a 64-character password using every hieroglyphic on the keyboard and you’ll be almost completely safe.
All you have to do is remember it.
This is where T-Swift’s lyrics come in: our brains can’t handle 100% secure passwords. According to an analysis from the University of Oslo, many users know that they are supposed to have secure passwords. They may even be aware of what good password habits look like, they simply weigh the cost of having to create and maintain secure passwords, then decide it’s not worth it.
Coupled with the fact that the same analysis found many IT professionals to be likewise lacking in secure password habits, this implies that simply educating end users on the requirements for passwords is not sufficient. When it comes to logging into accounts multiple times a day, the allure of shorter, more memorable (and thus predictable) passwords is too strong, causing passwords to be anemically weak.
Let the Robots Take Care of It
Despite their other shortcomings, modern computing processors are multiple orders of magnitude faster at performing calculations than humans. A human might solve a mathematical mystery over the course of fifty years, but a computer can then solve the resulting equation a billion times in the blink of an eye. The overwhelming processing power of computers is what creates the need for complex passwords: if computers are so smart, why not let them remember our passwords?
This, essentially, is the idea behind password managers. Password managers, such as Keychain (for Apple users), Bitwarden, and Lastpass, link all of a user’s password to a single account which is secured with a master password, along with multi-factor authentication, if possible. Most, if not all password managers, can be set to automatically fill in the passwords for sites that it recognizes from your database of store secrets. In any case, the passwords can be copied with a single click and pasted in wherever they are needed.
NIST 800-63B, our government’s guidelines for managing digital identities, mentions password managers in passing (pun intended) in its first appendix:
Verifiers SHOULD permit claimants to use “paste” functionality when entering a memorized secret. This facilitates the use of password managers, which are widely used and in many cases increase the likelihood that users will choose stronger memorized secrets.
This is far from a glowing review, but it constitutes an important nod from the government’s foremost body of guidance on security standards.
With or without official encouragement, password managers have the potential to make the cost of truly secure passwords low enough for the standard user to pay without a second thought. Not only do password managers have password generators which can make sure that your logins are randomized, long, and crunchy with hard-to-type characters, it can also remove the need for you either remember or type these passwords ever again. This is a tantalizing possibility for the user to whom passwords are a pest.
However, even the seemingly elegant solution of the password manager has issues:
- Users have to actually use the password generation function in the password manager instead of simply uploading their same tired list of reused passwords;
- Password managers can be hacked;
- There is a learning curve to using password managers that can create administrative hassle.
Password managers make compliance with and creation of good password hygiene a lot easier, but improvement is not a given. Especially if the migration to a password manager is performed via a blank switchover or is something that a user is forced into by their company, they may not feel any sense of responsibility towards creating better habits.
Unstandardized Strength
Strong passwords are a vital part of an onion-style, defense-in-depth approach to authentication. Strong passwords make sure people are who they say they are when they are logging in, while weak passwords degrade the integrity of the whole chain of proof.
But what makes a strong password? We’ve insinuated that long strings of gobbledy-gook qualify quite nicely as password powerhouses, but what’s the standard? How strong is strong enough?
With characteristically vague diplomacy, NIST dodges this question in an interesting way. In SP 800-63B 5.1.1.2, NIST says the following: “Verifiers SHOULD offer guidance to the subscriber, such as a password-strength meter.” At the end of this sentence is a link to a study performed by Microsoft with a hopeful title (“From Very Weak to Very Strong: Analyzing Password-Strength Meters”) but subversive content. By the third sentence of the abstract, the study is already calling password meters “ad-hoc” and describing how they consistently label weak passwords as “strong” or even “very strong”.
While directing companies to provide password meters, Microsoft simultaneously recognizes that there are few (if any) truly good options. Many password checkers simply examine password randomness (how long it would take a program to randomly guess the password value), but do not consider common password structure patterns in conjunction with dictionary attacks and leaked passwords from other websites. Only a truly random password needs to be guessed using truly random methods.
Another shade of nuance in standardizing password complexity requirements involves the difference between online and offline attacks. A short-but-sweet study (also by Microsoft) found that even weak passwords can provide sufficient protection against brute-force attacks provided that accounts lock out after a few unsuccessful tries. However, this only works if the attacks are against live online user sessions. Accounts are often compromised because the company owning the accounts was breached, thus leaking password hashes. These hashes can then be guessed at top speed by highly intelligent cracking algorithms, which drastically changes the meaning of a “strong password”.
Though password meters could conceivably be the answer to the question of communicating standards for password strength to the end user, they largely fall short of truly informing password creation or safeguarding against horribly insecure passwords. Studies cited by the Microsoft study above did provide encouraging news that password meters do guide users to choose better passwords… but still not necessarily good ones. Microsoft concludes their study by saying:
“…it is evident that the commonly used meters are highly inconsistent, fail to provide coherent feedback on user choices, and sometimes provide strength measurements that are blatantly misleading.”
Password meters fail to account for the ability of password-cracking tools to recognize ways in which people try to make their password harder to guess such as substituting numbers or characters for letters, turning words backwards, or permutating breached password lists. In an environment of pure chance, ‘PasswordDrowssap!!3’ is unbreakable. However, a little extra context and historical data could quickly turn it into a sitting duck.
How shall we then password?
As is so often the case in cyber security, the journey of a single step has led to 900 miles-worth of the wrong questions with no answers, the right questions with wrong answers, and the right answers with a boatload of extra questions. Try to say that three times fast.
Password managers are good but not perfect (plus they cost money and must be implemented with compassion, tact, and assurance), password meters are bad but not the worst, and users are not the enemy, but they are not on our side either. Making passwords the strongest they can be is easy, making passwords strong enough is hard.
Fortunately, even the most existential cyber crisis can be scaled back to the basics:
- Don’t use passwords found in a password breach
- Don’t use passwords containing dictionary words
- Don’t use repeat characters in your passwords, like ‘444’, ‘!!!’, or ‘abcd1234’
- Don’t use “relevant” words (e.g. the name of the service, name of the company, address, username, etc.)
- Use a password manager such as Bitwarden or LastPass
Number #1 is hard to do for the average person: this is a blacklist password policy rule that IT admins can implement on the back end.
Numbers #2-5, however, are eminently accessible for end users. Craft a password that you would never want to have to remember, then store it in your password manager. Or, better yet, let the password manager generate and store the password for you automatically. Whether your company officially provides one or not, using a password manager to control authentication for all the accounts you need to log into can not only make logging in less of a hassle (once you get comfortable using it), but also allow you to enhance the strength of your passwords across the board.
In conclusion, passwords are both an ancient relic and a modern reality. Secure authentication requires strong passwords, but truly strong passwords require strong, even superhuman, memories. Password managers are a viable outsourcing option and may even make secure passwords more convenient than insecure ones.
Finally, as helpful as strong passwords are, they are just one piece of the puzzle. With the same gravity as the Thing saying “Don’t do drugs” in Fantastic 4, I tell you (in no uncertain terms) “User multi-factor authentication”. That little extra step will put you leagues ahead of even the strongest passwords. Don’t forget the onion of security: defend in depth, do your part across multiple layers, and together we can keep the world’s information secure.
Cybersecurity Awareness Poster
 |
Click here for a cybersecurity awareness training poster that Intrada Technologies clients may print and post to meet cybersecurity insurance requirements. |
About the author
Contact Us
|
Contact Information: |
Hours of Operation: |
OUR FOCUS
Intrada Technologies is a full-service web development and network management company with a focus on creating ongoing, trusted partnerships with each of our clients.
We make sure our clients have what they require to run their businesses with maximum efficiency and reliability, as many of their needs are mission-critical.
Our unique, collaborative partnerships allow us to provide our clients with the assurance that we will be there when they need us.