Imagine all of the ways in which people think up their passwords.
Some go for the name of the football team they support, a favourite film or their date of birth, with a couple of extra characters thrown in for added security.
“Humans will try to find ways of coming up with passwords that they can remember easily, which makes sense, but on the other hand, these passwords are going to be fairly weak,” said Professor Luca Vigano, a member of the cybersecurity group at King’s College London.
Others select a string of random numbers and letters, a jumble that, it is hoped, will defy even the most accomplished fraudsters.
Each of us has to find ways to come up with passwords because there is little sign that they are disappearing.
There have been predictions that password use would decline thanks to alternative methods of authentication, yet the need to register for countless websites and online services means that we are actually employing more of them than ever.
Indeed, a 2017 report from the password manager LastPass suggested that the average business user has to deal with as many as 191 passwords. No wonder password reuse across multiple accounts is rife, despite the security risks.
Although passwords are central to so much of what we do on our computers, some of the advice people are given when choosing their password, such as being told to incorporate particular types of character, can be of limited value in preventing fraud.
“If you are a security manager for a company and you’re told to make sure your company stays secure and has good passwords, if you add requirements you’re not going to be accused of not doing enough. Nobody could say whether it was a useful requirement,” said Professor Lorrie Faith Cranor, a former US Federal Trade Commission chief technologist who researches password security at Carnegie Mellon University in Pittsburgh, United States.
The common request that users should regularly change passwords, for example, can be counterproductive, as it increases the burden of memorisation, which may lead to unsafe practices.
The United States’ National Institute of Standards and Technology has updated its password advice to take account of improved knowledge in recent years of what works when it comes to passwords. Its 2017 Digital Identity Guidelines (Special Publication 800-63B) drop the traditional composition rules and periodic-change requirements in favour of a minimum length, support for long passphrases and screening new passwords against lists of known compromised ones.
Cranor and her collaborators have been involved with many of the studies over the past decade that have led to this greater understanding. They and others have been helped by the availability of leaked datasets of passwords, which can yield useful information when analysed without causing any additional harm to those whose data was leaked.
“People started becoming interested in using these for research purposes,” said Dr Michelle Mazurek, assistant professor in the Department of Computer Science at the University of Maryland.
This strengthened knowledge helps to balance out factors that have helped fraudsters in their efforts to guess passwords. These include, says Cranor, the faster speed of today’s computers, and the availability of computers that are part of botnets able to run “brute force” attacks to guess passwords, testing billions of potential passwords in a few hours.
Botnets make light work of the tricks that many of us employ when choosing a password, such as adding a number or letter at the end of a common word.
Employing online experiments in which thousands of people participated, Cranor, Mazurek and others have used a scientific approach to understand password security. One set of tests saw more than 50,000 volunteers come up with a password that conformed to certain requirements, such as being at least 12 characters long and including digits, symbols and lower and uppercase letters.
This type of research suggests that adding such characters is worthwhile – but these characters should be put somewhere in the middle of words. If they are added at the end, the password is much easier to guess.
Another suggestion is to think up a sentence that has probably never been said before, and to use the initials of each word as the password. A further idea is to take the initials from the words of an obscure song or poem.
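The point made above about where extra characters go, and why a sentence-initials passphrase holds up, is easiest to see from the attacker's side. The following is an added example, not code from the article or from the researchers it quotes: a toy rules-based guesser in the style of common password crackers, run against a constructed set of SHA-256 digests standing in for a leaked, unsalted password database. The wordlist, the mangling rules and the sample passwords are all assumptions made for the demonstration.

```python
"""Word + appended digit/symbol versus the same characters mid-word, seen from
the guesser's side. Added example; wordlist, rules and samples are constructed."""
import hashlib

# Constructed stand-in for the multi-million-entry dictionary an attacker uses.
WORDLIST = ["liverpool", "arsenal", "chelsea", "starwars", "password", "dragon"]
SYMBOLS = "!@#$%"
YEARS = [str(y) for y in range(1970, 2026)]


def mangle(word):
    """Yield candidates derived from one dictionary word using the appending
    rules crackers try first: case variants, a trailing digit, a year, a symbol,
    and digit+symbol combinations. Nothing here inserts characters mid-word."""
    for base in {word, word.capitalize(), word.upper()}:
        yield base
        for d in "0123456789":
            yield base + d
        for y in YEARS:
            yield base + y
        for s in SYMBOLS:
            yield base + s
            for d in "0123456789":
                yield base + d + s
                yield base + s + d


def crack(target_hashes, wordlist):
    """Return ({hash: recovered plaintext}, number of guesses made).

    Real leaks are (ideally) hashed with a slow, salted function such as bcrypt
    or scrypt, which only changes the cost per guess, not which guesses work."""
    found = {}
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            digest = hashlib.sha256(candidate.encode()).hexdigest()
            if digest in target_hashes and digest not in found:
                found[digest] = candidate
    return found, guesses


def demo():
    """Hash four constructed sample passwords and report which ones the rules
    recover. Returns ({label: cracked?}, guess_count)."""
    samples = {
        "appended": "Liverpool1!",   # club name, capitalised, digit+symbol on the end
        "year": "starwars2017",      # film title + year
        "midword": "Liv1!erpool",    # identical characters, inserted mid-word
        "initials": "Tccw7gtts!",    # initials of a made-up sentence
    }
    hashes = {hashlib.sha256(p.encode()).hexdigest(): label
              for label, p in samples.items()}
    found, guesses = crack(set(hashes), WORDLIST)
    return {label: (h in found) for h, label in hashes.items()}, guesses


if __name__ == "__main__":
    cracked, n = demo()
    for label, hit in cracked.items():
        print(f"{label:9s} {'CRACKED' if hit else 'survived'}")
    print(f"{n} guesses")
```

Fewer than four thousand guesses recover both appended forms; the mid-word variant and the initials string survive not because they are longer or use rarer characters, but because no rule in the attacker's set generates them. Adding a mid-word insertion rule is possible, but it multiplies the search space by the number of positions, which is exactly the cost the advice in the text imposes on the attacker.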
Password security is, however, about more than just choosing a good password, because there are myriad ways in which passwords can be compromised apart from being identified through a brute force attack (automated guessing by computer) or manual guessing (such as trying out dates of birth).
As Britain’s National Cyber Security Centre details in guidance notes, passwords can be intercepted while being transmitted, and are vulnerable to social engineering attacks, key logging, shoulder surfing (when a person observes another individual typing the password) or the searching of IT infrastructure. All these have to be considered when it comes to security.
How passwords are used – or reused – is also important.
“The key thing is to make all of your passwords unique and not reuse, and make it hard to guess. It has to be different to what other people [choose],” said Cranor.
Choosing unique, strong passwords is especially vital for more important accounts. But which accounts are the most important?
“People think a bank account is, but email is where all your other accounts send to. If the password for your email account gets compromised, that makes every other account vulnerable,” said Mazurek.
Remembering the dozens upon dozens of passwords that each of us has is next to impossible, unless we reuse passwords. This is seen as particularly unwise, since if one online account is compromised, or if the attacker correctly guesses one password, then access to all other accounts with the same password is easy. There is an alternative to such reuse.
“Reusing them is much more dangerous than storing them, if you store them in a sensible way. A Post-it Note on your monitor is maybe not the best way,” said Mazurek.
A better solution is keeping a note of passwords in an encrypted file on a computer, or using a good-quality password manager.
Multi-factor authentication, in which an additional security measure is used in addition to the password, offers another safety net for those not good at remembering complex passwords.
“It’s OK to have a short password that’s easy to remember, if it’s combined with proving your identity in another way, like receiving a text message with a one-time code that you input in addition to your password, or biometric face scanning or fingerprints. The trend is towards multifactorial or two-form [authentication],” said Vigano.
Advice on choosing passwords from Ramy Al Damati, the UAE-based enterprise security expert for the Middle East, Turkey and Africa region at the antivirus and internet security company Kaspersky Lab:
- Use unique, complex passwords. This means passwords that combine letters, numbers and special characters.
- Passwords should be at least eight characters long – ideally 15.
- Don’t use personal information, such as a spouse’s or a pet’s name.
- Don’t use the same password for multiple accounts. If a company suffers a data breach and your login and password are compromised, the attackers can use the same credentials to compromise other online accounts.
- If you find it hard to remember lots of complex passwords, install a password manager that can remember them – you just need to remember a single master password. Alternatively, write down your passwords, preferably in the form of a “code”. Don’t keep them where someone else could easily find them, or in the same place as your device.