Challenging password dogma
Passwords should be the easiest area of security. Every organisation has a password policy. Every organisation uses passwords. Everyone at every organisation uses passwords. Everyone has been trained how to do it. And everyone has been doing it for a very long time.
And they are doing it all wrong.
Password best practice advice is generic, well accepted, and often repeated dogma. But is it right?
In a search for the most common password recommendations, I asked ChatGPT for its password advice. ChatGPT - like all large language models (LLMs) - is a great way of discovering established norms as it takes existing knowledge and attempts to predict the most likely, but not necessarily the best, output. This means that regardless of whether the established norms are right or wrong, an LLM is a great way to find out what they are.
As expected, the model generated this very predictable list of advice:
“1. Length & Complexity: A strong password should be at least 12 characters long, include numbers, symbols, capital letters, and lower-case letters.
2. Avoid Common Words: Don't use dictionary words, your own personal information, or common phrases as your password. They're too easy to guess.
3. Unique Passwords: Don't use the same password for multiple accounts. If one account gets compromised, all of them are at risk.
4. Regular Updates: Change your passwords every 3 to 6 months and avoid reusing old passwords.
5. Two-Factor Authentication: Whenever possible, enable two-factor authentication. It adds an extra layer of security by requiring a second step after entering your password.
6. Password Managers: Consider using a password manager. These tools generate, store, and automatically fill in complex passwords for you.”
Unfortunately, much of this is simply false. But which of these common recommendations are actually bad password practices?
Let’s take the easy ones first.
Number 3, to use unique passwords, is unquestionably sound advice for account security. A large number of passwords are compromised and easy to find either online or on the dark web. Many are built into password cracking tools, and many more reused passwords are simply very predictable once you know a little bit about the individual - favourite football teams, kids’ names - the sort of thing you could find on social media. So using the same password for multiple websites or applications is a bad plan for two reasons: firstly, if it is compromised on one application it is compromised everywhere; and secondly, because reliance on generic passwords leads to poor password choice.
At number 5, MFA is also good advice. This is not about your choice of password or how you secure it, but rather about not relying on a password as the sole means of authentication. It is impossible to guarantee the security of a password as you are dependent on the user, the organisation, and the application or service to ensure its security. Multi-factor authentication (MFA, also known as ‘two-factor authentication’ or ‘two-step verification’) uses your password plus something else to confirm who you are.
In addition to the password - something you know, and therefore something others can know - MFA also asks you for something you are (such as a fingerprint or iris scan), or something you have (such as a number from a mobile phone authenticator app, or a physical key such as a YubiKey). This is much harder for the attacker - knowing your password is not enough. Whilst nothing is completely foolproof, MFA will reduce your risk by 99%+ as the cost of the attack is rarely justified. For most applications that is more than sufficient.
Not using MFA on the other hand places the account at great risk, as even unique passwords can be guessed, or hacked. There are some reservations - MFA that relies on SMS messages is better than nothing but insecure and easily hacked, and nothing can protect you if you respond to a criminal’s verification request with a ‘yes’. But still, I’ll happily take that 99%. MFA should be compulsory for every account and every network or application.
Finally, number 6 - to use a password manager - is also excellent advice. Most people have many passwords, often 300 or so. I have more than 600. It is impossible to set good passwords for these and remember them all, so it is essential to write them down. A good password manager will keep all your passwords secure whilst entering them automatically for you when needed.
You still need to look after the master password for the vault, but now you only have to remember one password rather than hundreds, and you can make sure that one uses good MFA. It’s still possible for a password manager to be breached, and for that reason I do not store my banking password in one. But for everything else, it’s a lot harder to breach than your head.
Often the advice is to never write down passwords; this is one that ChatGPT mercifully missed. It’s terrible advice because remembering all these passwords is impossible without choosing really bad passwords and reusing them. So personally, and for organisations, it is best not to say this.
After all, a password in a desk drawer at home requires an attacker to be family, or to break into your house. Most cyber criminals do not live in your home, or in your neighbourhood, and would not want that risk anyway. So if the password to your knitting circle is on a post-it under the keyboard - it might be better in a password manager, but it’s a lot better than in your head.
This leaves numbers 1, 2 and 4.
These are awful practices that can make security worse. The reason for this is simple - good security works with the user, not against them. All of these make life harder for the legitimate user whilst often making it easier for a cyber criminal.
Let’s take them in turn and explain why.
1. Length & Complexity: A strong password should be at least 12 characters long, include numbers, symbols, capital letters, and lower-case letters.
We’re all familiar with it. You spend ages thinking of a new password, and after typing it in wrong three times you finally get it right, only to receive a warning that your password ‘does not meet complexity requirements’. This came about because passwords were being cracked or guessed, and it was felt that increasing entropy by expanding the character set from 26 letters to include uppercase letters, numbers and non-standard characters would make it harder for attackers.
That might be true if we were all robots. Unfortunately, the geniuses who came up with this forgot about the human. Because what everyone did was replace the first letter that looked like a number with a number, then add a non-standard character on the end. Then make the first letter a capital. Why? Because we have to remember them, silly! Who can remember d%$vN6? Nobody. Who can remember D0nut$? Everyone.
The search for entropy (the degree of randomness, or essentially how long it takes to guess with no information) was a good one. But the solution was an absolutely awful one. So all these passwords were bad. If we didn’t have to have D0nut$, we might have had RatSlideProductiveDrain. The entropy in that is much higher, and it’s easier to remember than d%$vN6, too.
We’ll come back to that in a moment.
2. Avoid Common Words: Don't use dictionary words, your own personal information, or common phrases as your password. They're too easy to guess.
Security guidance has recommended against using common dictionary words since at least the 1960s. The reason was simple: a ‘dictionary attack’ is a form of brute force attack that cycles through each word in the dictionary until it finds yours. So if your password is ‘god’ like the bad guy in the movie Hackers, it won’t take long to crack it.
However, technology has moved on. It is now very standard for access attempts to be rate limited (restricting the speed of access attempts to that expected of a human) and very standard to lock accounts after a certain number of failed attempts - usually 3 or 5. This means the attacker will lock themselves out, and lock the legitimate user out, alerting them to the attack long before the attacker gains access. So in most circumstances dictionary attacks are useless (the exception would be where the attacker already has a copy of the stored password database and has all the time in the world to crack it offline - but that’s a different story altogether).
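To show how the rate limiting and lockout described above interact, here is an added Python example (mine, not code from the article or from any product): a per-account login guard and a simulation of online guessing against it. The thresholds (5 failures, 15-minute lockout, one evaluated attempt per second), the 100-guesses-per-second attacker and the constructed 1,000-word dictionary are all assumptions of the example.

```python
import math


class LoginGuard:
    """Per-account failed-login counter with rate limiting and lockout (example logic, not a product's)."""

    def __init__(self, max_failures=5, lockout_seconds=900, min_interval=1.0):
        self.max_failures = max_failures        # lock after this many consecutive failures
        self.lockout_seconds = lockout_seconds  # how long the account stays locked
        self.min_interval = min_interval        # attempts faster than this are dropped unevaluated
        self.accounts = {}

    def attempt(self, account, password_ok, now):
        """Record one login attempt at time `now` (seconds); returns ok / failed / rate_limited / locked."""
        st = self.accounts.setdefault(account, {"failures": 0, "locked_until": 0.0, "last": -math.inf})
        if now < st["locked_until"]:
            return "locked"          # the legitimate user is locked out too, which is what raises the alarm
        if now - st["last"] < self.min_interval:
            return "rate_limited"    # faster than a human could type, so not even checked
        st["last"] = now
        if password_ok:
            st["failures"] = 0
            return "ok"
        st["failures"] += 1
        if st["failures"] >= self.max_failures:
            st["failures"] = 0
            st["locked_until"] = now + self.lockout_seconds
            return "locked"
        return "failed"


def simulate_online_guessing(guard, account, dictionary, real_password, attempts_per_second=100):
    """Run a dictionary through the guard; returns (words actually evaluated, outcome)."""
    evaluated = 0
    for i, word in enumerate(dictionary):
        result = guard.attempt(account, word == real_password, now=i / attempts_per_second)
        if result != "rate_limited":
            evaluated += 1
        if result == "ok":
            return evaluated, "compromised"
        if result == "locked":
            return evaluated, "locked"
    return evaluated, "exhausted"


if __name__ == "__main__":
    guard = LoginGuard()
    dictionary = [f"word{i}" for i in range(1000)]   # constructed stand-in for a cracking dictionary
    print(simulate_online_guessing(guard, "alice", dictionary, "AlienTurtleCabbage"))  # (5, 'locked')
    print(guard.attempt("alice", True, now=5.0))     # the real user, right password, still locked
```

Of the thousand words only five are ever evaluated before the account locks; the rate limit discards the rest. The second print shows the cost of this control: the real user with the right password is also locked out until the lockout expires, which is exactly the signal that tells them something is wrong.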
Dictionary words are however useful to a legitimate user, because these are the words we use every day. We’re all going to use words to make our passwords. Obviously some words are bad, such as ‘password’, but making your password ‘Password1’ won’t help; it’s just as easily guessed. So feel free to use dictionary words. Just combine them.
UK NCSC actually recommends ‘three random words’. The key here is that 1) because there are three of them the password is not too short to be useful, and 2) because they are random, they can’t really be guessed. Now nothing is ever truly random, but if the words have no personal connection with you they are no use to an attacker. On the other hand, ‘AlienTurtleCabbage’ is easy to remember, right? If it feels better to add a number or something, it will still make it more secure - but not by a lot. This is a pretty good password.
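To put numbers on the comparison between ‘D0nut$’, ‘d%$vN6’, ‘Password1’ and the three- or four-word passwords above, here is an added Python example (mine, not code from the article or from the NCSC): a small estimator that charges a password against whichever attacker model fits it most cheaply, plus a ‘three random words’ generator that uses the operating system’s CSPRNG. The sample word list, the assumed 10,000-word attacker dictionary, the leet-substitution table and the per-character costs are all assumptions of the example, so the absolute figures are illustrative; the ordering is the point.

```python
import math
import re
import secrets
import string

# Constructed sample word list for the demo. A real cracking dictionary is far larger,
# so per-word entropy is charged against ASSUMED_WORDLIST_SIZE rather than len(WORDS).
WORDS = {"donut", "password", "rat", "slide", "productive", "drain",
         "alien", "turtle", "cabbage", "god", "summer", "winter"}
ASSUMED_WORDLIST_SIZE = 10_000      # assumption: the attacker's list of common words
LEET = {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"}
SYMBOLS = len(string.punctuation)   # 32 printable ASCII punctuation characters


def brute_force_bits(pw):
    """Naive 'complexity' model: every position drawn uniformly from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += SYMBOLS
    return len(pw) * math.log2(size) if size else 0.0


def mangled_word_bits(pw):
    """Attacker model for 'D0nut$': one dictionary word, optional capital, leet substitutions,
    trailing digits/symbols. Returns None if the password does not fit this shape."""
    core = pw.rstrip(string.digits + string.punctuation)
    suffix = pw[len(core):]
    word = "".join(LEET.get(c, c) for c in core).lower()
    if word not in WORDS:
        return None
    bits = math.log2(ASSUMED_WORDLIST_SIZE)                 # which word
    bits += 1 if any(c.isupper() for c in core) else 0      # capitalised or not
    bits += sum(1 for c in word if c in LEET.values())      # each substitutable letter: swapped or not
    bits += len(suffix) * math.log2(10 + SYMBOLS)           # each trailing digit/symbol
    return bits


def concatenated_words_bits(pw):
    """Attacker model for 'three random words': CamelCase split into dictionary words,
    each charged log2(wordlist size). Returns None if it does not fully segment."""
    parts = re.findall(r"[A-Z]?[a-z]+", pw)
    if not parts or "".join(parts) != pw:
        return None
    if not all(p.lower() in WORDS for p in parts):
        return None
    return len(parts) * math.log2(ASSUMED_WORDLIST_SIZE)


def estimate_bits(pw):
    """Guessing cost is set by the cheapest model that fits; returns (bits, model name)."""
    candidates = {"brute force": brute_force_bits(pw),
                  "mangled word": mangled_word_bits(pw),
                  "word list": concatenated_words_bits(pw)}
    model = min((m for m in candidates if candidates[m] is not None), key=candidates.get)
    return round(candidates[model], 1), model


def three_random_words(wordlist, n=3):
    """NCSC-style passphrase: n words chosen with a CSPRNG, CamelCased for readability."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(n))


if __name__ == "__main__":
    for pw in ["d%$vN6", "D0nut$", "Password1", "AlienTurtleCabbage", "RatSlideProductiveDrain"]:
        print(f"{pw:25} {estimate_bits(pw)}")
    print(three_random_words(sorted(WORDS)))
```

Under these assumptions ‘D0nut$’ comes out at about 22 bits and ‘Password1’ at about 24, because the attacker who knows the substitution habit only has to search the word list and a handful of mangling choices; ‘d%$vN6’ scores about 39 bits but is unmemorable; ‘AlienTurtleCabbage’ scores about 40 and ‘RatSlideProductiveDrain’ about 53, and both are easy to remember. The brute-force figure is what a complexity rule measures; the cheapest-model figure is what actually matters.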
4. Regular Updates: Change your passwords every 3 to 6 months and avoid reusing old passwords.
This may be the worst password advice of all time, responsible for huge breaches and catastrophic security failures. Why? It’s simple. Nobody can remember lots of passwords, and changing them is painful. So most people quite rationally seek to avoid the pain by choosing very predictable passwords.
For example, if you have to change your password every 3 months, you use the seasons; monthly, the month; annually, a word that means something to you with a digit added on the end. When you forget it every few months, your latest sports hero or the megastar of the moment. These are of course all incredibly obvious to an attacker, but painful for the user.
And it gets worse.
Security people realised everyone was cutting corners and that was putting systems at risk, so they introduced new rules. To stop people resetting their password and instantly resetting it again to the one they remember, or cycling through the same set of passwords, restrictions were commonly introduced to prevent passwords being changed within 24 hours, and to remember previous passwords so they couldn’t be used again. These sensible-sounding rules just made it even harder for users. The result of course was that passwords tended to follow simple patterns, or be written down - often in a file on the computer they were meant to secure.
Regular updates make your password less secure, not more secure. The practice clings on like a weed, embedded in many supplier assurance checklists, audit checklists, and regulatory statements. Ignore it, then explain why it is wrong. If you need some help demonstrating why this is daft, here’s NCSC being helpful again.
When might you want passwords to expire? If you believe your account is compromised you should always change your passwords. And if you have bad controls elsewhere in your organisation, perhaps if you are bad at removing users who have left, or have a culture of password sharing, occasional resets may still make sense (though a better control for leavers might be to disable dormant accounts, and a better control for sharing would be culture and IT process change).
All in all, this common advice is a big problem. Dogmatic adherence to the solutions of the past against the weight of evidence is not a good basis for decision making. So don’t do it. Set rules that make sense and keep you secure, without making it painful for people to work.
So what does a good password policy look like?
In short, it would put defence before dogma - even if that challenges the expectations of colleagues, customers or regulators.
We’d need to consider both our user guidance, which is often communicated in an acceptable use policy or password policy, and our IT policy which users do not need to know but internal support teams do need to follow.
My recommended user guidance, which we will keep as simple as possible:
Set unique passwords
Set a password that is easy for you to remember, but hard for an attacker to guess. Good advice is to follow ‘three random words’ and maybe change it up a bit with special characters or numbers if you wish.
Don’t share passwords, even if you are asked to or it appears to be urgent.
Tell IT if you think your password is compromised.
Use the company provided password manager if you need to record passwords.
Never use any website or service for work that does not have multi-factor authentication (MFA).
Provide advice on common password practices to avoid, such as using pet names, family names, or hobbies.
Operate a no blame culture when something goes wrong, so users feel they can tell you if they make a mistake.
My recommended IT policy rules, to support this:
Enforce a minimum password length of 12 characters, so users can’t select passwords too short to be effective.
Have a minimum password age of a day (so that if their password has to be changed, they cannot instantly reset it to a favourite password that is known to be compromised).
Preventing recently used passwords from being reused is still a good idea, as they could have been changed because they were compromised.
Do not allow common words such as the company name or the user’s name to be used.
Provide a corporate password vault. It doesn’t have to be costly - off the shelf software such as 1password, bitwarden or dashlane can be procured and enabled in web browsers and on desktops for effective password management of business passwords. This also means IT can help the user if they lose their master password, and remove their access when they leave. Once this is done, lock down web browsers so they do not offer to remember passwords for users. There is really no guarantee these are secure.
If you feel the need, you can require one character that is not a standard lower case letter, such as a capital letter, number or special character - but never all three.
Do not automatically expire passwords. If your other controls over users are very poor (such as a poor leavers process) you might expire them no more than once per year. Even then, it would be better to improve the other controls.
Prevent your IT teams from sharing passwords or requesting user passwords under any circumstances. You will be told this is necessary for IT support, but this is not true. In the very rare circumstances the IT admin really does need access to a user’s account, they can reset the user’s password to a single-use password, do what they need to do, and then have the user pick a new one. But usually they should use their admin accounts, which will be separately secured. If they object and you need a break glass on this, require a very high level of approval. If you ever get a request, you can send them back to fix the process that made it necessary. I can’t stress the importance of this enough - if IT teams ask users to use bad practices,
Require MFA on all accounts where a user needs to log in. Make it a procurement requirement for all new systems, online services, and applications. If an existing application or service does not support MFA, decommission it. To make sure it is decommissioned, have a policy of essential changes only and maintain a list which is monitored regularly by a senior committee until every system follows policy. In most cases, IT teams will be able to implement ‘single sign on’ so users don’t have to use a password at all. But this is not a fun or exciting project, so encouragement is often required. If possible, choose systems which do not use SMS based authentication.
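The mechanical parts of the IT policy rules above (minimum length, minimum age, a blocked-word list including the company and user names, the optional ‘one character that is not a lower-case letter’ rule, and history checking) can be expressed as a single validation routine. The following is an added Python example, my own code rather than anything from the article or a particular product: the constants, the constructed company name ‘acme’, the user ‘jsmith’ and the choice of salted PBKDF2 for the stored history entries are all assumptions of the example. Note what is deliberately missing: there is no scheduled expiry and no ‘must contain upper, digit and symbol’ rule.

```python
import hashlib
import hmac
import os

# Policy parameters taken from the rules above; the constants and helpers are this example's own.
MIN_LENGTH = 12
MIN_AGE_HOURS = 24              # a password may not be changed again within a day
REQUIRE_NON_LOWER = True        # the optional "one character that is not a lower-case letter" rule
BLOCKED_WORDS = {"password", "acme", "acmeinc"}   # constructed: company name and obvious words


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 for the stored password history (a slow hash, not bare SHA-256)."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def matches_history(candidate, history):
    """True if the candidate equals any remembered previous password (constant-time compare)."""
    return any(hmac.compare_digest(hash_password(candidate, salt)[1], digest)
               for salt, digest in history)


def check_password_change(candidate, username, history, hours_since_last_change):
    """Apply the IT policy to a proposed new password; returns the list of violations (empty = allowed)."""
    problems = []
    if hours_since_last_change < MIN_AGE_HOURS:
        problems.append("minimum password age not reached")
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    for word in sorted(BLOCKED_WORDS | {username.lower()}):
        if word in lowered:     # substring match, so 'AcmeCabbageTurtle' is caught as well
            problems.append(f"contains blocked word '{word}'")
    if REQUIRE_NON_LOWER and all(c.islower() for c in candidate):
        problems.append("needs at least one character that is not a lower-case letter")
    if matches_history(candidate, history):
        problems.append("matches a recently used password")
    return problems


if __name__ == "__main__":
    # Constructed scenario: jsmith changed their password two days ago to a three-word passphrase.
    history = [hash_password("AlienTurtleCabbage")]
    for pw in ["RatSlideProductiveDrain", "AlienTurtleCabbage", "D0nut$", "acme2024winter"]:
        print(pw, "->", check_password_change(pw, "jsmith", history, 48) or "OK")
```

A four-word passphrase passes; the previous password is rejected by the history check; ‘D0nut$’ fails on length; and ‘acme2024winter’ fails on the company name. Because the checker reports every violation rather than the first one, the user sees one message and can fix the password in one go instead of round-tripping through each rule.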
One day, passwords will be redundant. Other solutions, such as passkeys, are slowly gaining in popularity. But these have their issues too. For now, the best thing to do is have a password policy that works with your team, not against them.
That is always the most secure solution.