Since computer passwords first came into existence in the 1960s, they’ve had a reputation for being insecure and easily hacked, says Creighton University’s Dustin Ormond, PhD.
This may be partially true because, ironically, “the MIT researchers who pioneered the passwords didn't really care much about security,” Robert McMillan wrote in Wired.
Fast forward to 2003, when the National Institute of Standards and Technology issued guidelines that urged complex passwords, containing a combination of lowercase and uppercase letters, numbers, and symbols, as well as requirements to frequently change passwords.
The results, Ormond says, have been less than stellar.
He says we can do better – and we need to do it now.
“This is a call to individuals and organizations alike to completely readjust their thinking regarding passwords,” says Ormond, an assistant professor in the Business Intelligence and Analytics master’s degree program in Creighton’s Heider College of Business.
Longer is better
During a recent password audit, it was found that one user had created the following password:
When asked why such a long password, the user said he was told that it had to be at least eight characters long and include at least one capital.
Ormond says that while this is a light-hearted example of a password requirement being taken somewhat too literally, it’s actually the right idea. When it comes to creating a new password, focus on increasing its length rather than its complexity, he says.
Let’s look at the math behind that statement.
With a six-character password drawn from uppercase and lowercase letters only, the number of possible password combinations is more than 19.7 billion (19,770,609,664, to be exact).
However, adding one more character to increase the length to seven characters results in over 1 trillion password combinations—1,028,071,702,528. Compare that to the possibilities of a six-character password with complex characters added in, which results in about 262 billion combinations (262,144,000,000).
So, it’s clear that complexity increases the number of combinations, but not nearly as much as adding additional characters, Ormond offers. Additionally, he says, complex passwords are much more difficult for users to remember.
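The keyspace arithmetic above, as an added worked example that is not from the article: it reproduces the article's three figures, then converts each keyspace into the time an attacker guessing at the 30 billion guesses per hour rate cited later in the piece would need to try every candidate. The 80-character "complex" alphabet is an assumption chosen because 80^6 equals the article's 262,144,000,000 figure.

```python
# Added example: how keyspace grows with length versus alphabet size, and what that
# means at the guessing rate the article quotes (30 billion guesses per hour).

GUESSES_PER_HOUR = 30_000_000_000   # rate quoted in the article

LETTERS = 52               # a-z plus A-Z
COMPLEX = 80               # assumption: 52 letters + 10 digits + 18 symbols, so 80^6 = 262,144,000,000


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters from the alphabet."""
    return alphabet_size ** length


def hours_to_exhaust(alphabet_size: int, length: int, rate: int = GUESSES_PER_HOUR) -> float:
    """Hours needed to try every password in the keyspace at `rate` guesses per hour."""
    return keyspace(alphabet_size, length) / rate


def extra_length_to_beat(small_alphabet: int, length: int, big_alphabet: int) -> int:
    """How many characters must be added to a `length`-character password from the
    smaller alphabet so that its keyspace exceeds `length` characters of the bigger one."""
    target = keyspace(big_alphabet, length)
    longer = length
    while keyspace(small_alphabet, longer) <= target:
        longer += 1
    return longer - length


if __name__ == "__main__":
    cases = [("letters, 6 chars", LETTERS, 6),
             ("letters, 7 chars", LETTERS, 7),
             ("complex, 6 chars", COMPLEX, 6),
             ("letters, 12 chars", LETTERS, 12)]
    for label, alphabet, length in cases:
        print(f"{label:18} {keyspace(alphabet, length):>24,}  "
              f"{hours_to_exhaust(alphabet, length):>14,.1f} h to exhaust")
    # One extra letter already beats adding digits and symbols to a six-character password.
    print("extra letters needed to beat complex/6:", extra_length_to_beat(LETTERS, 6, COMPLEX))
```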
Cracking the case
In Ormond’s cybersecurity course in Creighton University’s Business Intelligence and Analytics program, students register for his website using any password they want. Prior to storing the passwords, he encrypts each one, making it “virtually impossible for me to reverse-engineer the original passwords.”
However, many passwords can be cracked by running them through brute-force or dictionary attacks, he says, which basically pass a bunch of different passwords through the same algorithm.
To illustrate how quickly this can be done, Ormond tests each student’s password against 30 billion different password combinations in an hour.
Some passwords that he’s cracked include Mad3l3ine, 0pensesame, Shadow034, Baller123, and Hello123!. Ormond says these passwords tend to follow the same poor practices:
1. Dictionary words or phrases
2. Well-known character substitutions
3. Numbers at the beginning or end
4. Capitalization at the beginning
Current password practices aren’t helping
Maintaining hundreds of passwords for various apps and websites has become a daunting and time-consuming task—one that’s made more difficult by inconsistent implementation of complex passwords, Ormond says.
For example, some applications allow all characters while others are more restrictive (e.g., blocking special characters such as &%#@+_). Some require a specific number of characters.
“This can result in questioning which password you used for each site,” Ormond says. “Was it a ‘+’ or ‘t,’ or was it an ‘@’ or ‘a’?”
Company policies requiring users to regularly change passwords just make matters worse, Ormond says. As Wired’s Brian Barrett points out, users often make small transformations to their passwords, including increasing or decreasing a number in the password, changing a letter to a symbol, switching the order of digits or characters, or eliminating characters.
Often, these practices result in diminished security because people who are forced to change their passwords “don’t put a whole lot of mental muscle behind it,” Barrett reports.
What to do?
Despite all these issues, the time to engage in more secure password practices is now, Ormond urges. His recommendations:
What individual users should do
1. Visit this site and check if your password has ever been found in the compromised dataset of over 500 million passwords. If it shows up just once, change it immediately.
2. Reach out to your organization and encourage them to discontinue poor password practices.
3. Use passphrases that either combine several words together or use the first character of each word as the password. Don’t use phrases that are commonly used together (e.g. song lyrics, clichés).
4. Use a password manager such as LastPass, 1Password, or Dashlane to manage your passwords.
What organizations should do
1. Allow users to use any characters in their password but increase the length requirement to a minimum of 12-16 characters.
2. Require users to change their passwords only if something warrants the change (e.g. the recent Twitter bug).
3. Remove password hints. Users choose hints that are very close to their passwords. Instead, allow the user to reset the password.
4. Remove knowledge-based authentication (e.g., “What is your mother’s maiden name?”), as many of the answers to these questions can be found on the internet.
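A registration-time check that turns the organizational recommendations above and the four poor practices behind the cracked examples (Mad3l3ine, 0pensesame, Shadow034, Baller123, Hello123!) into code, added here as an example that is not from the article or from Ormond's course site. It enforces only a 12-character minimum with no composition rules, rejects passwords found in a breach list, and undoes the predictable mangling (capital first, digits at either end, leet substitutions) before comparing against a wordlist. The wordlist and breach set are small constructed stand-ins for real corpora.

```python
import re

# Constructed stand-ins for a real dictionary and a real breach corpus.
WORDLIST = {"madeleine", "opensesame", "shadow", "baller", "hello", "password", "welcome"}
BREACHED = {"Password1!", "qwerty123456"}

# Undo the "well-known character substitutions" the article lists as a poor practice.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 12   # the article's organizational recommendation (12-16); any character allowed


def candidates(pw: str) -> set[str]:
    """Strip the predictable decorations so the underlying word can be checked
    against the wordlist: lowercase (capital at the beginning), drop leading and
    trailing digits/symbols (numbers at the beginning or end), reverse leet."""
    base = pw.lower()
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    return {base, stripped, base.translate(LEET), stripped.translate(LEET)}


def check_password(pw: str) -> list[str]:
    """Return the policy problems found; an empty list means the password is accepted.
    Length is the only hard requirement, so long passphrases pass without symbols."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw in BREACHED:
        problems.append("appears in a known breach; change it immediately")
    if any(word in WORDLIST for word in candidates(pw)):
        problems.append("dictionary word with predictable mangling")
    return problems


if __name__ == "__main__":
    samples = ["Mad3l3ine", "0pensesame", "Shadow034", "Baller123", "Hello123!",
               "Password1!", "purple otter recites tax law"]   # last one is a constructed passphrase
    for pw in samples:
        print(f"{pw:30} -> {check_password(pw) or 'OK'}")
```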