Passwords should be Easy (Really Guys)

Walter Oberacher
Jul 29, 2020


…and the bad habits of companies…

Preface

While many are riding the current, enforcing extremely complex policies and excessively frequent password changes, I am now embracing a simpler, looser approach: passwords should be easy!

I am not the first one to talk about it, so let’s take the short and easy road: what are good password requirements?

A good password should be:

  1. hard to guess
  2. easy to remember
  3. not reused
  4. f̶r̶e̶q̶u̶e̶n̶t̶l̶y̶ ̶c̶h̶a̶n̶g̶e̶d̶
  5. easy / quick to type

Point 1 is the usual one: an easy-to-guess password is a bad habit, and “easy to guess” covers not just obvious choices but anything that falls quickly to a brute-force or dictionary attack on the password hash. Hashing itself is a separate subject, worth a whole article on safe storage, but the point here is that anyone who gets hold of our hashed password will try to crack it, so we should at least make that hard.

I consider point 2 to be connected to the first, because for a password to be useful you need to be able to use it, and to use it you have to remember it. But it must also be hard for someone else to guess. So the password should be something only you can reconstruct.

Point 3, not reused: as long as you have an easy-to-remember (2) and hard-to-guess (1) password, there shouldn’t be a problem in using different passwords for different systems. This is good practice and common sense; everyone preaches it, but hardly anyone achieves it without resorting to a password manager, which can feel like overkill.

About password managers, I’d like to make a few notes: while they are good practice and genuinely useful, the risk you are taking (the average user, at least) is merely moving the problem, reverting to a single point of failure in your security chain. I got tired of listening to people talk about how safely they store their credentials, with uncrackable passwords inside a vault, while showing off “their post-it” with an easy one to access the vault itself.

Strike through point 4, because it is the concept that makes the whole thing crumble badly. How is it possible to achieve easy-to-remember (2), hard-to-guess (1), non-reused (3) credentials and still change them frequently? The more often you enforce password changes, the more likely you are to get back simple variations, typically an incrementing integer. Since wordlists and cracking rule sets routinely include such variations, once a cracker discovers the habit and recognizes the pattern, how hard is it to guess the new-old-same-password-plus-a-number?

A simple, common example would be a data breach: your password from three years ago got leaked, but you keep changing it, so now it’s different! It’s a pity that the leaked one was “MyBadPassword1” and, assuming a monthly change, the current one is probably “MyBadPassword37” or something close to it: a handful of guesses, not a search.
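To make the rotation failure concrete, here is an added example (my code, not part of the original post) of how a cracker turns one leaked password into the user’s next few dozen. The candidate generation mirrors what common hashcat/John rule files do (increment or append digits, append a few symbols, change case); the exact rule set, the counter limit and the year range are constructed, deliberately small assumptions, and the SHA-256 stand-in hash is only there so the example runs offline.

```python
"""Added example (not part of the original post): turning one leaked password
into the guesses a cracker tries first. The rule set below is a constructed,
deliberately small assumption modelled on common hashcat/John rule files."""
import hashlib
import re
from typing import Iterator, Optional, Tuple

# Constructed assumptions: what a rotation-habit attacker tries first.
COUNTER_MAX = 100                      # "Password0" .. "Password100"
SUFFIXES = ("", "!", "!!", "?", ".")   # a few common trailing symbols
YEARS = tuple(str(y) for y in range(2015, 2026))


def split_trailing_number(password: str) -> Tuple[str, Optional[int]]:
    """'MyBadPassword1' -> ('MyBadPassword', 1); 'hunter' -> ('hunter', None)."""
    m = re.fullmatch(r"(.*?)(\d+)", password)
    if m is None:
        return password, None
    return m.group(1), int(m.group(2))


def candidates(leaked: str) -> Iterator[str]:
    """Yield guesses derived from one leaked password, deduplicated, cheapest first."""
    seen = set()

    def fresh(c: str) -> bool:
        if c in seen:
            return False
        seen.add(c)
        return True

    base, _ = split_trailing_number(leaked)
    fresh(leaked)
    yield leaked                                   # the leak itself: plain reuse
    for n in range(0, COUNTER_MAX + 1):            # the "+1 every month" habit
        for s in SUFFIXES:
            c = f"{base}{n}{s}"
            if fresh(c):
                yield c
    for variant in (base, base.lower(), base.upper(), base.capitalize()):
        for tail in YEARS + SUFFIXES:              # year or symbol appended
            c = f"{variant}{tail}"
            if fresh(c):
                yield c


def sha256_hex(password: str) -> str:
    """Stand-in for the victim's stored hash. Real stores should use a slow,
    salted hash (bcrypt/scrypt/Argon2); that raises the cost per guess, but the
    number of guesses needed here stays tiny either way."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, leaked: str) -> Optional[Tuple[str, int]]:
    """Return (plaintext, attempts) if the target falls to leak-derived guesses."""
    for attempts, guess in enumerate(candidates(leaked), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, attempts
    return None


if __name__ == "__main__":
    # Constructed scenario: "MyBadPassword1" leaked; the user rotated monthly.
    current = "MyBadPassword37"
    print(crack(sha256_hex(current), "MyBadPassword1"))
```

Against a real hash store the same idea is one `hashcat -a 0 -r rules.rule` run with the leaked password as the wordlist; the point is that the rotated password costs a few hundred guesses instead of a search of the full keyspace.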

Point 5: you must be able to type it. Really, guys, what the heck.

Mathematical stuff

I took some time to make some rough calculations, assuming an average of 75,000,000 guesses per second against a character set or wordlist.

Given a password length between 3 and 22 characters drawn from a 95-character set (printable ASCII), exhausting the space would take from 0.011 seconds up to 9.77e+17 times the age of the universe. Note that 75 million guesses per second is conservative for a fast unsalted hash such as NTLM or MD5, where a single GPU manages billions per second, and generous for a slow hash such as bcrypt or Argon2, so scale the figures accordingly.

Wikipedia states:

Oxford Dictionary has 273,000 headwords; 171,476 of them being in current use, 47,156 being obsolete words and around 9,500 derivative words included as subentries.

Approximately, a passphrase of 3 to 22 words drawn from that 171,476-word set would take from 2.13 years up to 4.29e+89 times the age of the universe.

Now, without pretending to use difficult formulas, I made a comparison of a randomly generated complex password with a simple phrase with some variations. The comparison takes into account length and character-set size, the usual entropy value of the password (how hard it is to crack), plus two arbitrary modifiers chosen by me: ease of recall and typing speed.

The result is the following table (not reproduced here), ordered by “Fairness value” in descending order, where the highest value is a mix of how secure a password is and how usable I consider it, in terms of recall and typing:

Following this reasoning, “! am always hungry even after Dinner 1981” seems to be a better password than “nt8/b?Y`RWqH-6C;”.
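The crack-time arithmetic above and the comparison of the two passwords, as an added example (my code, not from the original post). It reproduces the 95-character and 171,476-word figures at the post’s 75,000,000 guesses per second, and adds the estimate a cracker would actually use for a phrase: each word counts as one pick from the dictionary rather than as six or seven bits per letter. The GPU rate is an assumed order of magnitude for a fast unsalted hash and is labelled as such in the code.

```python
"""Added example (not code from the original post): the post's crack-time
arithmetic made explicit, plus an honest entropy estimate for the two
passwords it compares."""
import math
import re

RATE_POST = 75_000_000              # guesses per second used in the post
RATE_GPU_FAST_HASH = 1e11           # assumption: order of magnitude for NTLM/MD5 on one GPU
ASCII_PRINTABLE = 95                # printable ASCII, space included
DICT_WORDS = 171_476                # Oxford headwords in current use, per the post
SECONDS_PER_YEAR = 365.25 * 86400
UNIVERSE_AGE_S = 13.8e9 * SECONDS_PER_YEAR   # ~4.35e17 s: the post's "universe" unit


def bits(symbols: int, length: int) -> float:
    """Entropy of a uniformly random string of `length` symbols."""
    return length * math.log2(symbols)


def exhaust_seconds(symbols: int, length: int, rate: float = RATE_POST) -> float:
    """Worst-case time to try every string of this length at `rate` guesses/s."""
    return symbols ** length / rate


def in_years(seconds: float) -> float:
    return seconds / SECONDS_PER_YEAR


def in_universes(seconds: float) -> float:
    return seconds / UNIVERSE_AGE_S


def passphrase_bits(phrase: str, dictionary: int = DICT_WORDS) -> float:
    """Conservative estimate for a human phrase: each word is one pick from the
    dictionary, each digit one of 10, each other symbol one of the 33
    non-alphanumeric printables. Separators are ignored, since a cracker
    combining words already knows how to join them."""
    total = 0.0
    for tok in re.findall(r"[A-Za-z]+|\S", phrase):
        if tok.isalpha():
            total += math.log2(dictionary)
        elif tok.isdigit():
            total += math.log2(10)
        else:
            total += math.log2(ASCII_PRINTABLE - 26 - 26 - 10)
    return total


def compare(random_pw: str, phrase: str) -> dict:
    """Naive per-character bits for both, plus the honest per-word estimate."""
    return {
        "random_naive_bits": bits(ASCII_PRINTABLE, len(random_pw)),
        "phrase_naive_bits": bits(ASCII_PRINTABLE, len(phrase)),
        "phrase_honest_bits": passphrase_bits(phrase),
    }


if __name__ == "__main__":
    print(f"95^3    : {exhaust_seconds(95, 3):.3f} s")
    print(f"95^22   : {in_universes(exhaust_seconds(95, 22)):.2e} universes")
    print(f"words^3 : {in_years(exhaust_seconds(DICT_WORDS, 3)):.2f} years")
    print(f"words^22: {in_universes(exhaust_seconds(DICT_WORDS, 22)):.2e} universes")
    print(f"95^22 at GPU rate: "
          f"{in_universes(exhaust_seconds(95, 22, RATE_GPU_FAST_HASH)):.2e} universes")
    print(compare("nt8/b?Y`RWqH-6C;", "! am always hungry even after Dinner 1981"))
```

Even the honest estimate for the phrase (six dictionary picks, four digits, one symbol, roughly 123 bits) comes out above the 105 bits of the 16-character random string, which is the post’s point; the naive 269 bits one gets by treating the phrase as 41 random characters is the number to distrust.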

To test it further, I tried the following on the OnlineDomainTools Password Checker (the checker’s verdicts are not reproduced here):

  1. nt8/b?Y`RWqH-6C;
  2. iamalwayshungry1981
  3. ! am always hungry even after Dinner 1981

Memory tricks

About human memory and the evaluation “Excellent, as far as you can remember it :)”.

Some time ago, I got all nerdy about the “mind palace technique” (the method of loci), where:

the subject memorizes the layout of some building, or the arrangement of shops on a street, or any geographical entity which is composed of a number of discrete loci.

What I took away is a little more understanding of how “human storage” works, plus some tricks to commit concepts directly to the archive.

Long story short: concepts and images with a high emotional value go straight into long-term memory, which means you can probably recall a long, high-impact story better than a short six-digit number.

xkcd 936, “Password Strength”: https://imgs.xkcd.com/comics/password_strength.png

When to change password

There are some factors to keep in consideration, but generally speaking passwords should be changed when leaked. Period. This is also what NIST SP 800-63B recommends: no periodic rotation, but a forced change when there is evidence of compromise.
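“Change it when it has leaked” needs a way to learn that it has leaked. As an added example (my code, not part of the original post), here is that check against the Have I Been Pwned Pwned Passwords range API, which works by k-anonymity: only the first five hex characters of the password’s SHA-1 are sent, and the server returns every hash suffix in that bucket with its breach count, so the password itself never leaves the client. The sample bucket is constructed so the check runs offline; the live fetcher is included but not called.

```python
"""Added example (not part of the original post): has this password leaked?
Uses the HIBP Pwned Passwords range API (k-anonymity on the SHA-1 prefix).
The offline bucket below is constructed for the example."""
import hashlib
from typing import Callable, Dict, Tuple

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to HIBP
    and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. Padding entries carry count 0 and so can
    never flag a password."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Breach count for the password; 0 means 'not in any breach HIBP knows
    of', which is not the same as 'safe'."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Real lookup. Add-Padding asks HIBP to pad the bucket with zero-count
    dummies so the response size reveals nothing about the bucket."""
    import urllib.request
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in: pretend "MyBadPassword1" was seen 12 times.
_LEAKED_PREFIX, _LEAKED_SUFFIX = sha1_prefix_suffix("MyBadPassword1")


def fetch_range_constructed(prefix: str) -> str:
    """Fake bucket: two made-up neighbours (one a padding entry) plus, for the
    right prefix, the leaked suffix with its count."""
    lines = ["0" * 34 + "A:3", "0" * 34 + "B:0"]
    if prefix == _LEAKED_PREFIX:
        lines.append(f"{_LEAKED_SUFFIX}:12")
    return "\r\n".join(lines)


def must_change(password: str,
                fetch_range: Callable[[str], str] = fetch_range_constructed) -> bool:
    """The post's rule: change the password when it has leaked, not on a calendar."""
    return pwned_count(password, fetch_range) > 0


if __name__ == "__main__":
    for pw in ("MyBadPassword1", "! am always hungry even after Dinner 1981"):
        print(pw, "->", "change it" if must_change(pw) else "no known leak")
```

Pass `fetch_range_live` as the fetcher to run it for real; the same check belongs in a registration or password-change flow so a credential already in a breach corpus is rejected before it is set.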

Conclusions

There are exceptions, of course, and specific cases where this shouldn’t apply; nonetheless the general concept is that a longer, less complex, easier-to-remember password provides better credentials and security than a complex randomly generated one, provided it is genuinely long and not a single dictionary word, a famous quote or a song lyric that any wordlist already contains.

Administrative credentials, on the other hand, are a totally different subject, but forcing users into extreme, impossible policies can only result in bad habits and generally risky behaviour.

In the end, feel free to use your password manager, I know many have a lot of credentials to keep track of, but never forget that vaults are software with vulnerabilities and their data can be leaked too.

For companies: think about raising awareness and spreading education, reduce the number of required password changes to a reasonable minimum or to specific cases, and consider threat-intel solutions that tell you when a credential has actually leaked.

You want your user base to be smart and educated, not copy-paste monkeys to be treated as poor idiots because of something you taught them badly.


Walter Oberacher

Ethical Hacker and a System Engineer, I try to be a researcher / bounty hunter / CTF player whenever I get the chance.