Last week, we talked about how users can improve their passwords. However, there’s a reason why we’ve been talking about password security and best practices for some time, but we’re still seeing problems with passwords today. Simply put, good password security is hard.
Password security has always been a tradeoff between what people can remember and what’s difficult for attackers to guess. At the best of times, this was never an easy balance to get right. However, today’s computing environment is making that balance even harder.
While passwords themselves have been in use for millennia in various forms, in computers their usage has – until recent years – largely taken one form: something typed into a keyboard on a desktop or console. In a setup like that, entering long and secure passwords is perfectly acceptable, as a full-size keyboard is a good input mechanism for text.
However, in mobile usage (i.e., smartphones and tablets), it’s not nearly as feasible to enter long passwords. Mobile keyboards – physical or virtual – are not as good as desktop ones. Users are far more likely to make errors in a situation like this – encouraging them to use shorter, insecure passwords. As more and more computing is done via these devices, this becomes a serious problem.
There’s also the problem of the sheer number of passwords that the typical user has to manage nowadays. Our earlier study found that users have to manage, on average, at least 10 different accounts. That is a lot of accounts to keep track of without some form of memory aid, whether that is software such as a password manager (like DirectPass) or some other aid. In short, this is why Post-it notes with passwords are so common.
This multitude of passwords is being used in very different environments at work and at home. Enterprise IT practices include such well-worn password rules as mandatory inclusion of special characters or numbers, password changes after some fixed period of time, and forbidding the reuse of previous passwords. In isolation, each of these policies can be justified. Taken together, though, all they do is make life miserable for end users – who find a way around these policies anyway, so the ultimate goal of password security ends up being subverted. Of course, these weak “work” passwords are still better than what users are using at home.
For consumers, the best advice we can offer is what we said last week on how to create secure passwords. Inconvenient as they may be, passwords exist for a reason. Almost everything done online is protected with a password, making these tempting targets for attackers.
IT administrators, however, can adopt new and “smarter” policies to reflect modern users and technology. Research has taught us which bits of advice work and which don’t: many traditional tips are in the “don’t work” category, but are quoted as gospel truth anyway. Technology, too, offers solutions: password managers and two-factor authentication offer possible ways to lessen the burden on users and improve security.
However, passwords have to be considered in the context of a broader data protection strategy as well. Stored passwords themselves constitute data that has to be protected. Traditionally, these have been protected by cryptographic hashes like MD5 and SHA-1, but these – even with salts – are proving to be insufficient. New algorithms such as SHA-2 and PBKDF2 should be considered to store passwords securely, if system overhead is not an overwhelming problem.
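As an added illustration (not code from this article or from any product it mentions), here is what the PBKDF2 approach described above looks like using only Python's standard library: a per-user random salt, an iterated hash stored as a self-describing record, verification with a constant-time comparison, and a check that flags old records for re-hashing when the iteration count is raised. The iteration count, salt size and record format are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Policy values are assumptions for this example, not figures from the article.
PBKDF2_ITERATIONS = 600_000   # current work factor; raise over time as hardware improves
SALT_BYTES = 16               # random, per-user salt defeats precomputed (rainbow) tables
RECORD_ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a stored record of the form  pbkdf2_sha256$iterations$salt_hex$hash_hex.

    Storing the parameters beside the hash lets the work factor be raised later
    without invalidating existing records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{RECORD_ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and iteration count."""
    try:
        algo, iterations, salt_hex, hash_hex = record.split("$")
        if algo != RECORD_ALGO:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                     bytes.fromhex(salt_hex), int(iterations))
    except ValueError:          # malformed record: wrong field count, bad hex or int
        return False
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(digest.hex(), hash_hex)


def needs_rehash(record: str) -> bool:
    """True when a record was made with a weaker work factor than current policy.

    Call this after a successful login, when the plaintext is available, and
    store hash_password(password) to upgrade the record transparently.
    """
    try:
        algo, iterations, _salt_hex, _hash_hex = record.split("$")
    except ValueError:
        return True
    return algo != RECORD_ALGO or int(iterations) < PBKDF2_ITERATIONS
```

A plain salted MD5 or SHA-1 costs an attacker one hash computation per guess; with this scheme each guess costs `iterations` computations, which is the whole point of PBKDF2.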
In short: Password security is a difficult, but not intractable problem.