We have all heard the recommendations: Use complicated passwords. Include numbers and special characters in your passwords. Use upper- and lowercase letters. Use different passwords on every website. Be extra vigilant in protecting your online banking password. Change your passwords often — and certainly after any major data breach.
These pieces of advice have been repeated by “experts” ad nauseam.
But they are wrong.
Here is why:
1. The human mind cannot remember many complex passwords, and, as such, using complex passwords leads to security risks.
Using a long, complex password on a small number of especially sensitive sites might be a good idea, but using such a scheme for any significant number of passwords is likely to lead to problems: people inappropriately reusing passwords, writing down passwords, and choosing passwords with poor randomization and predictable patterns (e.g., the common practice of choosing a capital for the first letter of a complicated password, followed by all lowercase characters, and then a number) — any of which can seriously undermine security.
A far better approach than telling people to use complex passwords is to advise them to classify the systems to which they need to secure access. The government does not protect unclassified systems the same way it does top-secret infrastructure, and neither should you. Informally classify the systems you access and set your own password policies accordingly. On the basis of risk levels, employ different password strategies: Random passwords, passwords composed of multiple words possibly separated with numbers, passphrases (long passwords of 25 or more characters — sometimes full sentences), and even simple passwords each have their place. Of course, multifactor authentication can also augment security when appropriate and available.
According to The Wall Street Journal, Bill Burr, the author of NIST Special Publication 800-63 Appendix A (which discusses password complexity requirements), recently admitted that password complexity has failed in practice, and that passphrases (and not complex passwords) should ideally be used for authentication.
2. Using the same password for multiple accounts is sometimes preferable to alternatives.
While it is true that passwords to sensitive sites should not be reused on other sites, it is perfectly acceptable to reuse passwords to sites where the security is of no concern to the user; for many people, such “unimportant password” sites make up a significant percentage of the sites for which they have passwords. There is no reason to use a strong password, for example, on sites that use accounts solely to track users for marketing purposes; some might argue that there is also no reason to use a strong password on sites that use accounts solely to ensure that comments posted to the site are attributable to their authors. Often the information that users provide to these sites includes no more than a (real or fake) name, email address, and password. Is it truly of concern to users if a criminal who breached one such account gained access to the others? (While such information could be leveraged for social-engineering-type attacks, that information likely can already be ascertained from social media sites, etc.)
Instead of creating many new passwords, accept that people have limited memories; if using the same password or similar passwords on “no need to secure my information” sites allows a person to create and remember stronger passwords to sites that truly matter, doing so may actually be preferable to a non-reuse approach.
3. Your email and social media passwords may be more sensitive than your online banking password.
People tend to believe that their online banking and other financial-system passwords are the most sensitive, but, in many cases, this is incorrect. Because numerous systems address forgotten passwords by allowing passwords to be reset after validating users’ identities through email messages sent to the users’ known email addresses, a criminal who gains access to someone’s email account may be able to reset that user’s passwords to many systems, including those of some financial institutions. Likewise, Facebook and Twitter authentication are used by many sites, so a compromised password on either social media platform could lead to unauthorized parties gaining access to multiple systems. So use strong passwords on these sites, and, of course, turn on multifactor authentication when available.
4. People need to provide passwords over the phone, so telling people not to do so is not an effective way to protect them.
The FTC recommends to people:
Don’t share passwords on the phone, in texts, or by email. Legitimate companies will not send you messages asking for your password.
It would be nice if legitimate businesses never asked people their passwords over the phone, but some do so on a regular basis. The correct advice is not that people should never provide a password over the phone, but that they should provide it only if they initiated contact with the party requesting it.
5. Changing passwords too often may harm security instead of improving it.
The AARP recommends that people:
Change critical passwords frequently, possibly every other week.
Consider how many passwords people have that are “critical.” Most people have passwords to access their email, social media accounts, bank accounts, credit card accounts, wireless accounts, Google or Apple accounts, etc., all of which can be classified as “critical.” Even with just five such accounts — and most people today likely have far more — changing passwords every two weeks would necessitate someone learning 130 new passwords a year! It’s not hard to imagine that such a scenario will lead to passwords being reused, modified only in part (e.g., the password following josephsteinberg1 becomes josephsteinberg2), or written down. Of course, following the AARP’s advice might also lead to people getting locked out of accounts after failed password attempts during which they enter old passwords — the frustration of which may also ultimately cause them to undermine security with weaker, reused passwords.
Passwords should be changed if they have been put at risk by a breach or the like, but changing them frequently may be counterproductive.
6. Don’t “password panic” after reported breaches — and ignore the “experts” who cry wolf.
It seems like whenever there is a major data breach reported in the news, “experts” quoted all over the media advise people to change their passwords. This response to the news of a breach almost seems like a biological reflex — little thought is given or analysis performed before a chorus of voices chimes in with the usual generic security recommendations.
But unless there is a true need, changing many passwords at one time is likely to create security problems similar to when passwords are frequently changed: When people create many new passwords at one time, they face serious limitations of human memory and are more likely than otherwise to write passwords down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured, is also a bad idea), or use passwords identical to, or similar to, one another on multiple sensitive sites (bad idea).
Also, as I explained after the Heartbleed bug, when I suggested that people ignore the advice of “experts” who were recommending that everyone change his or her passwords en masse, if a vulnerability that allows systems to be compromised is publicized, it is important not to change passwords on systems that may still be vulnerable. Once criminals know that there is a serious, widespread vulnerability they are certainly going to attempt to detect and exploit it. So while evildoers may not have actually exploited the vulnerability in the past — and your password may still be secure — if after the vulnerability is publicized crooks do breach the system and you change your password they will likely obtain it. Consider that if criminals stole your old password by exploiting a particular vulnerability that still exists, they can easily steal your new one, and that if your old one was not stolen, changing it may lead to the new one being stolen. Changing your password can sometimes increase the risk of its being compromised rather than diminish it.
Furthermore, creating a false sense of urgency without investigating the facts is irresponsible, and puts people at risk when there is a real password emergency. How seriously do you think the multitudes of people who have repeatedly ignored the warnings from the FTC, security “experts,” and the media about the need to change passwords — and suffered no harm as a result of ignoring such warnings — will take a future warning when it is actually necessary?