How to choose a password

Apr 15, 2020 - in Security

According to a 2017 Wall Street Journal article, former National Institute of Standards and Technology (NIST) engineer Bill Burr (no known relation to the comedian) regrets what he wrote for the institute in 2003.

And he has good reason.

You probably don’t know what this NIST report is, but the recommendations it includes are probably familiar to you, and if they are, you probably know why Burr regrets his role in making them widespread.

The 2003 recommendations related to how to have a strong password policy. They led to such requirements as a minimum number of capital and lowercase letters, numerals, and special characters in passwords, and the requirement that they be changed every 90 days.

The results of these policies are now clichéd—users writing down passwords on post-it notes affixed to their monitors, “changing” old passwords by adding a 1, 2, 3, 4, etc. to the end of their previous ones, and spelling out dictionary words in l33t speak like ‘p@$$w0rd.’

Burr told the Wall Street Journal that he wasn’t given access to user data and had to base his recommendations on best practices that had been handed down from a NIST document from the 1980s. It’s not just that the advice was coming from a context that didn’t look much like the post-dot-com-bubble world of 2003. The main problem was that he had no way to temper this received wisdom against the real-world experiences of users.

In 2017, shortly before Burr confessed his remorse to the Wall Street Journal, NIST revised these recommendations, but the problem of “good” password advice is that it usually only focuses on defending you against a single threat—an attacker who has gained access to the password file, and generally ignores the weakest link in any security: the user.

The result is a confusing mix of advice about passwords that gets routinely digested and regurgitated with the same general result as NIST’s 2003 recommendations—a false sense of security based on balancing account security on the complexity of a password alone.

Don’t get us wrong. It’s important to have a complex password. But it’s even more important to consider the problem of passwords more holistically. In this article, we’ll take a look at common password advice, why people recommend it, and what it misses.

In the process, we’ll try to do what Burr regrets he couldn’t in 2003—give you some useful information on how to think about your password.

1. Use special characters

Why it’s recommended

Most approaches to password security rely heavily on the concept of ‘entropy.’ That’s a big word but the theory is pretty simple—entropy is a way to measure how unpredictable a password is. More unpredictability means it takes longer for someone who’s gotten ahold of a password file to crack yours. Entropy is based on what characters you use and what the length of the password is.

A password’s entropy can be found from the entropy per character. If you’re interested in the math, a character’s entropy is the log base 2 of the number of characters in the character set used; multiply that by the number of characters in the password to get the password’s entropy.

If that sounds too complicated for you, don’t worry about wrapping your head around it. What’s important about this is the theory behind it and the recommendations that come from it.

Combinations of 8-character password

| Character set | Number of characters | Number of combinations |
|---|---|---|
| Dictionary words | N/A | 600,000 |
| 0-9 | 10 | 100,000,000 |
| a-z | 26 | 208,827,064,576 |
| A-Z, a-z | 52 | 53,459,728,531,456 |
| A-Z, a-z, 0-9 | 62 | 218,340,105,584,896 |
| All allowed printable characters | 72 | 1,853,020,188,851,840 |

The chart above gives you the gist of the idea of entropy. Using larger character sets yields more possible combinations, which means more combinations an attacker theoretically has to try to crack your password.

What this misses

The calculation of entropy for an 8-character password presumes that passwords would be random and so including any special characters along with numbers, upper and lowercase letters leaves attackers searching for a needle in a haystack.

The truth is that human behavior is not random.

The password ‘P@$Sw0rD’ and the password ‘Q)%Fk6xF’ are both just one of 1,853,020,188,851,840 8-character combinations of all allowable printable characters. But ‘P@$Sw0rD’ is way more likely to be someone’s real password than ‘Q)%Fk6xF’. Why? Good luck memorizing ‘Q)%Fk6xF.’ Theoretically, you could create a mnemonic device or write a song; if you really had to, you could remember that password, but chances are you probably don’t have the time to do it.

And that’s why passwords like ‘P@$Sw0rD’ are common when you focus exclusively on the complexity of your password. And what’s worse, because ‘P@$Sw0rD’ is a variation of one of the all-time most popular passwords—‘password’—attackers are far more likely to try guessing ‘P@$Sw0rD’ first.

‘Q)%Fk6xF’ is a secure password, but it’s hard to remember. If it’s for a work account that might not be super important to you but might be very important to your boss, then maybe you’d be tempted to just write it on a piece of paper and leave it sitting around your desk. That doesn’t really give you much security either.

In other words, applying a “complexity” requirement to your password doesn’t really do you any good if:

  1. The password is itself just a variation of an easily crackable password and
  2. You can’t remember it!
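The point above, as an added example that is not part of the original article: both sample passwords get the same nominal entropy, but undoing l33t substitutions shows that one of them is a disguised common password. The substitution table, the common-password set and the function names are small constructed assumptions; the pool of 72 characters is the article's figure.

```python
import math

POOL_SIZE = 72  # the article's count of allowed printable characters

# Constructed sample; a real check would use a large list of common passwords.
COMMON = {"password", "letmein", "qwerty", "welcome", "dragon"}

# Constructed table of l33t substitutions to undo.
UNLEET = str.maketrans({"@": "a", "4": "a", "0": "o", "$": "s", "5": "s",
                        "3": "e", "7": "t", "1": "l", "!": "i"})


def nominal_bits(password, pool=POOL_SIZE):
    """Entropy the password would have IF every character were picked at random."""
    return len(password) * math.log2(pool)


def base_word(password, common=COMMON):
    """Return the common password this one is a variation of, or None."""
    lowered = password.lower()
    # Also try without a trailing run of digits or punctuation, which covers
    # the habit of "changing" a password by appending 1, 2, 3 ...
    stripped = lowered.rstrip("0123456789!?.#*")
    for candidate in (lowered, stripped):
        plain = candidate.translate(UNLEET)
        if plain in common:
            return plain
    return None


def report(password):
    """Nominal entropy next to what the password really is."""
    return {
        "password": password,
        "nominal_bits": round(nominal_bits(password), 1),
        "variation_of": base_word(password),
    }


if __name__ == "__main__":
    for pw in ("P@$Sw0rD", "Q)%Fk6xF", "p@$$w0rd1!"):
        print(report(pw))
```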

Conclusion

If you can, by all means, use special characters, numbers, upper and lower case letters in your password. But don’t resort to tricks like l33t speak passwords that replace O with 0, A with @ or 4, etc. This just gives you the illusion of security without giving you any real security.

Furthermore, don’t pick a password you can’t remember! All the complexity in the world doesn’t help if you either have to write down your password or you have to reset it every time you go into your account.

What about password vaults?

A password vault is an application that lets you generate and store complex, totally random passwords for several accounts. We recommend using one! Some browsers now essentially have this feature built in.

This is the best way to have many high-entropy passwords that you can access easily and don’t have to reset every time you log in.

But be careful about storing passwords. A password vault—like an email address—is a single point of failure. Password vault companies put a lot of resources into ensuring their passwords are stored securely, but leaks can still happen! Maybe it works best for you to put all of your eggs in one basket, but in that case, just remember—all of your eggs are in one basket.

2. Make a long password

Why it’s recommended

Another way to increase the entropy of your password is to extend its length, and so increasing your password length is another common piece of advice you’ll find.

Possible combinations for a 10-character password

| Character set | Number of characters | Number of combinations |
|---|---|---|
| 0-9 | 10 | 10,000,000,000 |
| a-z | 26 | 141,167,095,653,376 |
| A-Z, a-z | 52 | ~144,555,105,949,057,000 |
| A-Z, a-z, 0-9 | 62 | ~839,299,365,868,340,200 |
| All allowed printable characters | 72 | ~3,743,906,242,624,487,000 |

You can see that just adding two more characters to our 8-character password above yields many more combinations. A 20-character password made up of a combination of all 72 printable characters would be one of ~14,016,833,953,562,610,000,000,000,000,000,000,000 combinations.

Of course, the same critique as above still applies—it’s not that useful if you can’t actually remember it.

Basically, though, the longer and more complex your password is, the higher entropy it has, and the longer it will take for password cracking software to successfully brute force it and crack your password.

What this misses

But all that’s assuming:

  1. The attacker has access to the password file
  2. The account provider has properly hashed it
  3. The account provider has salted the hashed passwords

Let’s break this down.

First, an attacker has to have access to the password file. To do that, they have to compromise the system that the password file is stored on through some kind of attack.

Next, if the account provider hasn’t properly hashed the password file, that means it’s just stored in plaintext or clear text.

Last year, for example, Facebook was found to have been storing at least some passwords in plaintext (i.e. not hashed). If an attacker had gained access to this file, it wouldn’t matter how long or complex a password you had created; there’d be only one option—change your password as quickly as possible.

Hashing is a specific process of scrambling a password using a particular algorithm so that if the password file is compromised, the password itself isn’t leaked.

But hashing can also impact how much safer adding those extra characters to your password actually makes it.

One popular hashing function is called bcrypt. It’s particularly resistant to brute-force attacks, so it increases how long attackers need to crack your password. However, it also puts an upper limit on your password’s entropy.

Specifically, the limit is 50-72 bytes and beyond that, your password is truncated, meaning that a password that’s 72 characters long will be hashed by bcrypt the same as if it were 73, 84, or 104 characters long.

Finally, the hashed passwords need to be salted.

The existence of tables of precomputed hashes—called “rainbow tables”—means that hashing alone is not enough.

That’s why salting is required. With salting, a website adds an additional random character string to each password before hashing it, to disrupt efforts to crack the hash.

And all of this is premised on the idea of making it harder to crack your password if a password file is compromised. That means if it’s been compromised, it still isn’t safe. Don’t keep using a password that was stored in a password file that leaked!
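Why hashing alone is not enough, as an added example that is not part of the original article: a plain precomputed lookup table (standing in for a rainbow table) recovers an unsalted hash immediately, while per-user salts make the same password hash differently for every user. The user names, guess list, iteration count and function names are constructed assumptions.

```python
import hashlib
import hmac
import os

GUESSES = ["password", "letmein", "qwerty"]  # constructed sample of common passwords
ITERATIONS = 100_000                          # illustrative work factor (assumption)


def unsalted_hash(password):
    """Fast, unsalted hash: the same password always gives the same value."""
    return hashlib.sha256(password.encode()).hexdigest()


# Built once, reusable against every unsalted password file.
PRECOMPUTED = {unsalted_hash(p): p for p in GUESSES}


def salted_hash(password, salt=None):
    """Return (salt, digest); a fresh random salt is drawn for each stored password."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], digest)


def compare_stores():
    # Two constructed users who happen to pick the same password.
    plain = {u: unsalted_hash("letmein") for u in ("alice", "bob")}
    salted = {u: salted_hash("letmein") for u in ("alice", "bob")}
    return {
        "unsalted_hashes_match": plain["alice"] == plain["bob"],
        "recovered_from_table": {u: PRECOMPUTED.get(h) for u, h in plain.items()},
        "salted_hashes_match": salted["alice"][1] == salted["bob"][1],
        "salted_in_table": any(d.hex() in PRECOMPUTED for _, d in salted.values()),
        "correct_login": verify("letmein", *salted["alice"]),
        "wrong_login": verify("letmeout", *salted["alice"]),
    }


if __name__ == "__main__":
    for key, value in compare_stores().items():
        print(key, "=", value)
```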

Conclusion

You can have the longest, most complex password ever created, but it won’t matter if the website you use it for doesn’t hash and salt its passwords. And even then, depending on the hashing algorithm your provider uses, there might be limits to how long it can actually be.

And don’t use a password that’s already been leaked!

Sites like Have I been pwned [ https://haveibeenpwned.com/ ] can help you tell if your password has been compromised.
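A leaked-password check can be done without sending the password or its full hash anywhere. This added example, not part of the original article, follows the range-query format of the Pwned Passwords service run by Have I Been Pwned: only the first five hex characters of the SHA-1 hash are sent, and the returned suffixes are matched locally. The response body, its counts and the function names are constructed so the block runs offline.

```python
import hashlib

# Real endpoint of the Pwned Passwords range API; it is not called in this example.
RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"


def split_hash(password):
    """SHA-1 the password and split it into the 5-character prefix that is sent
    and the 35-character suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(password, range_body):
    """Look for our suffix in a range response made of 'SUFFIX:COUNT' lines."""
    _, suffix = split_hash(password)
    for line in range_body.splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def constructed_range_body():
    """Constructed stand-in for a range response (suffixes and counts are made up,
    except that the suffix of 'password' is included so the lookup can succeed)."""
    _, known_suffix = split_hash("password")
    return "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:3",
        known_suffix + ":1000",
        "FFB3B1A1E2C6D5E8A7A9C0D1E2F3A4B5C6D:12",
    ])


if __name__ == "__main__":
    prefix, _ = split_hash("password")
    print("would request:", RANGE_URL.format(prefix=prefix))
    body = constructed_range_body()
    for pw in ("password", "FaithfulHighwayPrinter"):
        print(pw, "seen", count_in_range(pw, body), "times in the constructed response")
```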

However, if no breach has occurred, changing your password will just mean setting passwords you can’t remember, and having to reset your password every time you log in is not more secure than a password you can remember.

Which brings us to our next point:

3. Pick a memorable password

Why it’s recommended

This starts to take into account the user experience of having a password-protected account. The focus on password complexity has led to recommendations that ignore one of the most important aspects for users—that they be able to remember their passwords.

Research shows the average user spends 12 minutes a week or 11 hours per year entering or resetting their password. Multiply that across all employees in a work environment and the cost can really add up.

It’s possible to create a password with significant entropy, though, without making it so strange that you need a mnemonic device to remember it.

Try mashing up three unrelated words that are each more than five letters long—‘FaithfulHighwayPrinter’ for example. You only need to remember these three words—the wackier the better—but a password cracker would have to perform millions of guesses to get it right. A password like ‘p@$$w0rd1!’, by contrast, would be relatively difficult to remember but extremely easy for a password cracker to guess.

You can use something called Diceware to generate a truly random set of words.

With Diceware, you roll a die five times (or five dice once) to generate a single word, which you look up in a Diceware list: a list of random words that are easy to remember.

(You can even use a D-20 and a list of fantasy words!)

If that’s not secure enough for you, researchers have developed techniques sometimes called ‘mindhashes’ to help you develop your own human algorithms for creating passwords that cannot be reverse engineered.

For example—let’s take our 3-word password from above—‘FaithfulHighwayPrinter’. Now pick a “wildcard” letter—we’ll say z. And finally, a capital letter, number, symbol combination. That’s your “special string.” We’ll go with $O2.

To generate a password with this, you use the name of the website you’re generating the password for. Then, you find each letter in that website’s name within your 3-word password and choose the next consonant after it. If a letter isn’t in your three words, put the wildcard. Then add your special string.

Using what we selected above, for a Gandi account, we would generate this password:

g > FaithfulHi[g]hwayPrinter > FaithfulHig[h]wayPrinter > h
a > F[a]ithfulHighwayPrinter > Fai[t]hfulHighwayPrinter > t
n > FaithfulHighwayPri[n]ter > FaithfulHighwayPrin[t]er > t
d > FaithfulHighwayPrinter > (letter not present, wildcard) > z
i > Fa[i]thfulHighwayPrinter > Fai[t]hfulHighwayPrinter > t

Plus our special string and we get: httzt$O2.

While this isn’t easier to remember, you don’t need to remember it, you just need to compute it. Studies have shown that after a learning curve users have found it increasingly easy to use such a “mindhash”.
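The mindhash procedure above, written out as an added example that is not part of the original article or of the researchers' work. It assumes the first occurrence of each letter is used, matching ignores case, "y" counts as a consonant, and the wildcard is used when no consonant follows; the function names are hypothetical.

```python
import string

VOWELS = set("aeiou")  # assumption: "y" counts as a consonant


def next_consonant(phrase, letter, wildcard):
    """Find the first occurrence of `letter` in the phrase and return the
    next consonant after it, or the wildcard if that is not possible."""
    lowered = phrase.lower()
    pos = lowered.find(letter.lower())
    if pos == -1:
        return wildcard                  # letter is not in the phrase
    for ch in lowered[pos + 1:]:
        if ch.isalpha() and ch not in VOWELS:
            return ch
    return wildcard                      # assumption: no consonant follows


def mindhash(site, phrase, wildcard, special):
    """One derived character per letter of the site name, then the special string."""
    derived = "".join(next_consonant(phrase, c, wildcard)
                      for c in site if c.isalpha())
    return derived + special


def output_alphabet(phrase, wildcard):
    """Every character the derived part can ever contain for this phrase."""
    return sorted({next_consonant(phrase, c, wildcard)
                   for c in string.ascii_lowercase})


if __name__ == "__main__":
    phrase, wildcard, special = "FaithfulHighwayPrinter", "z", "$O2"
    print(mindhash("Gandi", phrase, wildcard, special))
    print("".join(output_alphabet(phrase, wildcard)))
```

For this phrase the derived part can only ever contain nine different letters, and it is only as long as the site name, which is worth weighing against a randomly generated password.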

What this misses

Again, what this comes down to is actual users’ behavior. Researchers have found that in the wild, people tend to choose passphrases (another word for a password generated in this way) that are stock phrases, like “three dog night,” or “luck of the draw,” or even sports team names.

Furthermore, a password cracker can be trained to seek out word combinations, making these passphrases only moderately more secure than just a single random word from the dictionary.

As for “mindhashes,” the idea is intriguing, but it’s complicated to understand and tedious to perform. When users still choose passwords like “12345,” can we really expect them to prefer learning a “mindhash” to generating a random password?

The point is, passwords are made memorable by being based on a pattern. People re-use passwords, they add digits to them, they share them across accounts, or share them with other people. This isn’t people behaving badly, it’s people behaving like people.

Don’t rely on a password alone

Passwords have always been imperfect. They were invented in the 1960s to keep computer engineers from playing pranks on each other and almost immediately the pranksters found out how to steal the password files.

Even then, they were not conceived of as a way to provide security on a complex network full of strangers like the internet.

As with NIST’s 2003 recommendations that engineer Bill Burr so regrets having formulated, password security often focuses on the need for a strong password—a long, complex code that’s hard to crack and easy to remember. But that only addresses one possible avenue of attack to get access to your account and ignores human nature.

Passwords are also a weak spot to gain entry to your online accounts through plenty of other attack vectors. You might get tricked into handing over your extremely long, complex, yet easily memorable password by a phishing email that pretends to be someone you trust, or a keylogger could get installed on your computer when you inadvertently download and install malware. Someone could even be getting your password by listening in on an unencrypted connection to a website server.

Again, the responsibility also falls somewhat on the account provider. Passwords that have already been leaked—even if they have high entropy—should not be used. You can avoid that by not reusing leaked passwords and reduce the risk of getting multiple accounts compromised by limiting the number of passwords that are shared.

The bottom line is—your password should not be your only line of defense for sensitive accounts.

Two security features we’ve discussed before are both two-factor authentication methods—timed one-time password authentication (TOTP) and universal two-factor authentication (U2F). Two-factor authentication options like timed one-time password authentication and one-time passwords sent by text or email are crucial for providing security to valuable assets. Hardware options that use U2F are an even safer option.

Passwords are a security solution designed for a context that most people would find totally unlike the context they currently use them for.

But so are other frequently used authentication systems like credit cards, ATM PINs, Driver’s License numbers, and social security numbers. The entropy of any of these commonly used authentication codes is extremely low. The security of these systems doesn’t rely on strong passwords—a 4-digit PIN could be easily cracked—but relies as much on careful and persistent fraud detection as on new technology.

You can subscribe to a particular set of recommendations, but the future of passwords lies beyond just passwords: in additional authentication factors like TOTP, U2F, single sign-on, and biometrics, and also in smarter approaches by those who provide accounts to keep user data safe and accessible and to detect fraudulent attempts at account compromise.