
When is a Password Good?

Sérgio Tenreiro de Magalhães, PhD

When is a Password Good? Never!

Passwords have been around for a long time, but are they what we need to preserve the security of our systems? No, not really. Passwords worked well when technology was not ubiquitous and only technology professionals had to access computer systems - and only a limited number of computer systems, at that. Things changed, and now passwords are a legacy that is doing more harm than good.

The Password Paradox

Most people will say that a password has to be complex, which means that it has to be long and contain letters, numbers, and symbols to be safe. How long should a password be? General knowledge suggests passwords should be eight characters long; in other instances, it’s suggested that eight characters are not enough anymore.

Generally speaking, industry experts agree that we should not use the same password in more than one system to avoid a rippling effect if (should I say “when”?) one of those systems becomes compromised. This means that we must have dozens of different passwords to be able to access the multitude of systems we use on a daily basis.

Another well-established best practice recommends that we change our passwords frequently because data leaks involving passwords are common and we want to limit the period in which we are vulnerable.

To minimize the success of dictionary attacks - which use words instead of trying every single possible combination of characters - we do not want our passwords to have meaning. The name of your cat is off the table unless your cat is called XuYpp34lkm9MmN$#33F and you change your cat’s name every two months.

It is also common knowledge that, unless you have a safe where you can store your password notebook, it is not a good idea to write down your credentials or have a file with all your credentials. It is certainly not a good idea to write your password on a post-it note under your keyboard. That means that a password must be easy to memorize. Actually, the National Institute of Standards and Technology (NIST), in their Digital Identity Guidelines, identifies complexity as a vulnerability, recognizing that users are more likely to write their passwords down, or store them electronically, in an unsafe manner when forced to memorize highly complex authentication secrets.

The paradox is clear: passwords cannot be complex, have no meaning, be different for every system, be frequently changed, AND, simultaneously, be easy to memorize.

What About Password Managers?

Password managers are convenient. Instead of memorizing dozens of complex passwords, a password manager gives us one place to store them all, and we only have to ensure that strong credentials protect access to it. Sounds reasonable.

However, just like any other software, password managers have vulnerabilities that attackers can exploit. There have been situations where exploitation has actually happened, as was the case of last April’s attack on Passwordstate (you can read the company’s advisories here).

Knowing this, do you really want to put all your eggs in one basket?

Password Best Practices For Users

There are, at least, two different ways to look at password best practices: the system administrator’s perspective and the user’s perspective. The user is always limited by the parameters defined by the administrator and, for that reason, we might find ourselves having to work around a set of rules, instead of choosing the password that best works for us.

I promise to write another post about password best practices for system administrators and talk about what parameters they should be imposing on their users. For now, let us focus on what we should be doing as users.

Use sentences, not words.

Passwords are not saved exactly as you create them. A representation of your password is stored in a database. Attackers keep lists of billions of sequences of password representations that they then use whenever they get their hands on leaked databases that contain passwords.

However, because the computational cost of calculating that representation increases with the number of characters, those lists usually cover only smaller sequences of characters. By using long sequences of characters, you decrease the probability of an attacker finding your password, even if there’s a data breach in that system. At the same time, longer sequences of characters are very hard, if not impossible, to break using brute force attacks (when the attacker tries every possible combination of characters) or dictionary attacks (when the attacker tries all the possibilities from a list of probable words). And sentences are easier to remember than longer sequences of characters.

If the system you are using does not allow you to use spaces, use underscore instead.
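The lookup described above, as an added example that is not part of the original article: a precomputed list of representations recovers a short password from a leaked record but has no entry for a sentence. It assumes an unsalted SHA-256 digest as the stored representation (the article names no scheme), a 27-symbol alphabet (a-z plus underscore), and two constructed sample accounts.

```python
import hashlib
from itertools import product
from string import ascii_lowercase
from typing import Dict, Optional

# Assumption: lowercase letters plus the underscore used in place of spaces.
ALPHABET = ascii_lowercase + "_"

def representation(password: str) -> str:
    # Assumption: unsalted SHA-256 stands in for the stored representation.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_table(alphabet: str, max_len: int) -> Dict[str, str]:
    """Precompute representation -> password for every string up to max_len."""
    table = {}
    for n in range(1, max_len + 1):
        for chars in product(alphabet, repeat=n):
            candidate = "".join(chars)
            table[representation(candidate)] = candidate
    return table

def table_size(alphabet_size: int, max_len: int) -> int:
    """Number of entries needed to cover every string of length 1..max_len."""
    return sum(alphabet_size ** n for n in range(1, max_len + 1))

def audit(leaked: Dict[str, str], table: Dict[str, str]) -> Dict[str, Optional[str]]:
    """Per account: the password found in the table, or None if not covered."""
    return {user: table.get(digest) for user, digest in leaked.items()}

# Constructed sample leak: account -> stored representation.
LEAKED = {
    "alice": representation("cat"),
    "bob": representation("my_cat_naps_on_the_warm_laptop"),
}

if __name__ == "__main__":
    table = build_table(ALPHABET, 3)
    for user, found in audit(LEAKED, table).items():
        print(user, "->", found if found else "not in table")
    # Entries a table would need to cover each maximum length.
    for length in (3, 8, 30):
        print(f"max length {length}: {table_size(len(ALPHABET), length):.3e} entries")
```

The table grows by a factor of 27 for every extra character, which is why such lists stop at short lengths and a 30-character sentence falls outside them.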

Never share your password recovery answers.

Online quizzes shared through social media have become an entertaining trend. For example, if you answer a few questions in one of these online quizzes, your results will tell you what type of personality you have, what the characteristics of your soul mate are, or what Marvel superhero is most similar to you. Answering those questions is a fun way to spend some time and it makes a great post to share with friends, right? But did you consider that some of the questions you are answering might also be your recovery token in some system? A question such as, “what is your favorite car?” says a lot about your personality, but it might also be the only thing standing between an attacker and your password.

Use different usernames.

It is easy, and probably your preference, to use a strong password and the same username in the various systems you frequent. If an attacker is trying to hack into your account, passwords associated with that username, even if leaked a long time ago, are the place to start.

Imagine that you are a hacker trying to attack the account of user myusername and you know that this username has used old passwords like GoodDay1!, GoodDay2!, and GoodDay3!. It doesn’t take a genius to find the pattern here. These passwords are clearly not wise choices, but if they are associated with three very different usernames, there would be no way to connect them to myusername. Therefore, if your system allows you to choose your username, be creative.

Keep a notebook in a safe.

You can buy a safe to keep in your home for less than $100 and it is well worth the investment. If you are going to follow the rules and have different sentences for different systems, you are going to forget them. The idea that we should never write down a password is only valid if we are keeping the record in an unsafe place. And NO, your house is not a safe place. You do not want to have your house robbed and, on top of that, have to worry about the security of your online systems. Keep a record in your safe. It will help you to keep track of your usernames and passwords and you will find it useful down the road.

Stay Safe

Passwords work best if combined with a different factor: either something the user has (a smartphone, an access card, etc.), or something the user is (biometric authentication). But that’s another post, and I promise to write that soon. In the meantime, stay safe.

About the Author

Sérgio Tenreiro de Magalhães, PhD

Program Director

Dr. Sérgio Tenreiro de Magalhães is Associate Professor and Chair of Cybersecurity at Champlain College Online.

Prior to Champlain, Dr. Magalhães was a researcher of the Software Engineering and Management Group (SEMAG) of the Algoritmi Research Center (University of Minho) and an Assistant Professor of the Catholic University of Portugal - Braga. He is a member and reviewer of a number of organizations, including the NATO Multinational Cyber Defense Education and Training project and the Editorial Committee of the International Journal of Electronic Security and Digital Forensics.

Dr. Magalhães has a PhD in Information Systems and Technologies from the University of Minho (Portugal). His research interests focus on information security, intelligence, and performance monitoring, and he has published widely on security-related topics.
