Password Complexity and Sound Practices

CANFIELD, Ohio — On my list of top 10 most frustrating things to deal with as an IT consultant, poor password practices top out at No. 2 (and we’ll talk about No. 1 next time).  

By this point in time, everyone has certainly heard the old tropes: “Don’t use the same password across multiple sites or applications,” and “Don’t write it on a sticky note and put it on your monitor.” 

But at least once a day I see someone do it.  Still.  In 2020.  After IT professionals for 20 or more years have been repeating the same advice over and over again.

For those of you who look up from this article and see an offending sticky note on your monitor right now, let’s go over the foundations of good password hygiene.

Many are under the false impression that an overly complicated password is inherently more secure and that’s not usually true. Traditionally complex passwords, something like P@$$w0rd for example, are easily “guessed” during certain types of hacking attempts by accounting for common substitutions. 

Everyone knows the @ symbol is frequently used in place of the letter A, so that’s a built-in condition from the start. Plus, the more complicated a password is to remember and type, the more likely it is to be written down or stored improperly. 

Usually the longer a password, the harder it is for computers and other automated systems to attempt to break (remember length=strength!) 

So we recommend clients use a sentence or a series of unconnected but easy to remember words. Something like “Robert-runs-elephant-boat!” is relatively easy to remember and very easy to type but is also a whopping 26 characters.  

That’s far more secure than a shorter password that uses a lot of @’s and $’s and !’s in place of similar-looking letters.

Contributing to this problem are websites, applications and other systems that enforce a narrow set of password requirements.  We’ve all signed up for a website and have been told “the password must be between 8 and 16 characters and include at least one of the following special characters: ! @ # $ % &.” 

These restrictions are horrendous and are the result of lazy or outdated methodologies.  Publishing the criteria is especially problematic because you’ve significantly narrowed the field for a hacker to try to break in. 

While it would be good to avoid systems that enforce these kinds of restrictions, especially the typical 16-character limit, that’s not a practical option, which is why we recommend using a different password for everything. 

Is it a pain? It can be. But it also means that if credentials for one system are compromised, it doesn’t bleed over into other systems.  

Your work email may be very secure but sharing a password between your work email and your LinkedIn account, which has been breached several times over the last few years, makes you a pretty easy target. 

You’re only as strong as your weakest link and a hacker doesn’t need to break into your most secure platform in order to get to you.

All this brings me to my last point, and it’s about as controversial as IT industry standards can get: whether to rotate and change your passwords frequently. 

I say yes.

The organization that writes the book on these kinds of things the  – National Institute of Standards and Technology (NIST) – says no.  

The practice of frequently rotating passwords, say every 30 days, is considered by NIST to encourage poor practices such as writing passwords down and using the same ones repeatedly. 

The institute asserts that if you have to change a password frequently, you’re more likely to use a common password and just keep adding numbers to the end. Something like P@$$w0rd1, P@$$w0rd2, P@$$w0rd3 and so on, which provides no real additional security.  

I agree with the reasoning, but I think it does nothing to address the underlying problem, which is human behavior and a general unwillingness to undergo a very small inconvenience for the sake of huge gains in security.  

And what about password managers? As long as it’s a well-known, trusted vendor that takes overall security as well as the encryption and protection of data seriously, I say go for it. 

Password management software helps strike a balance between convenience and security and I’ll go out on a limb and say even a bad password manager is better than storing passwords as a contact in your phone (seriously, please don’t do this!).

The author, Robert Merva is the owner and CEO of Avrem Technologies, an IT and cybersecurity consulting firm based in Canfield. 

Copyright 2020 The Business Journal, Youngstown, Ohio.