How many times have we all heard the following recommendations repeated by “experts” in school, at work, or on television?
Use complicated passwords that contain both uppercase and lowercase letters, as well as numbers and special characters.
Change all of your passwords often.
Use a unique password on every website.
Be especially vigilant in protecting your most sensitive passwords — which are those to any online banking systems that you use.
For most of us, the answer is that we have heard the aforementioned advice so often, that, by now, we have lost count as to how many times we have heard it.
Yet, it is wrong.
Here is why:
1. The human mind cannot remember many complex passwords, and, as such, using complex passwords leads to security risks.
Using long, complex passwords on a small number of sensitive sites might be a good idea, but employing such a scheme for any significant number of passwords is likely to lead to potentially serious problems: people inappropriately reusing passwords, writing down passwords in insecure locations, and selecting passwords with poor randomization and formatted using predictable patterns (e.g., following the common practice of using a capital for the first letter of a complicated password, followed by all lowercase characters, and then a number) — any of which can obviously undermine security.
A better approach than telling people to always use complex passwords is to accept the reality that human minds are limited, and, therefore, to advise folks to classify the systems to which they need to secure access. The government does not protect its unclassified systems the same way that it secures its top-secret information and infrastructure, and neither should you. Informally, classify the systems that you access, and establish your own informal password policies accordingly. On the basis of risk levels, feel free to employ different password strategies: random passwords, passwords composed of multiple words possibly separated with numbers, passphrases (long passwords of 25 or more characters — sometimes full sentences), and even simple passwords each have their appropriate uses. Of course, multifactor authentication can, and should, help augment security when it is both appropriate and available.
According to The Wall Street Journal, Bill Burr, the author of NIST Special Publication 800-63 Appendix A (which discusses password complexity requirements), recently admitted that password complexity has failed in practice, and that passphrases (and not complex passwords) should ideally be used for authentication.
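To put numbers behind the strategies listed above, here is a small entropy estimate written for this article (it is not code from the original post). It assumes the 95 printable ASCII characters as the "full" character set and a 7,776-word list (the size of a standard diceware list) for passphrases, and it shows why the predictable "Capital + lowercase + number" pattern gives far less protection than its character classes suggest:

```python
import math

# Character-class sizes used for the estimates below (assumption: printable ASCII classes).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33
FULL_CHARSET = LOWER + UPPER + DIGITS + SPECIAL  # 95 printable ASCII characters


def random_password_bits(length, alphabet_size):
    """Entropy (bits) of a uniformly random password of `length` symbols from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def patterned_password_bits(lower_run, digit_run):
    """Entropy of the predictable pattern the article describes: one forced capital,
    a run of lowercase letters, then a short number (e.g. 'Jupiter1').
    The upper-case and special-character classes contribute nothing here because
    an attacker who knows the pattern only has to try 26 options for the first letter."""
    return math.log2(UPPER) + lower_run * math.log2(LOWER) + digit_run * math.log2(DIGITS)


def passphrase_bits(words, wordlist_size, digit_separators=0):
    """Entropy of `words` words chosen uniformly from a list of `wordlist_size`,
    optionally joined by random single-digit separators (the article's 'words separated
    with numbers' strategy)."""
    return words * math.log2(wordlist_size) + digit_separators * math.log2(DIGITS)


def compare_strategies(wordlist_size=7776):
    """Compare the strategies the article mentions; wordlist size is an assumption."""
    return {
        "random_8_full_charset": random_password_bits(8, FULL_CHARSET),
        "patterned_8_Jupiter1": patterned_password_bits(6, 1),
        "passphrase_4_words": passphrase_bits(4, wordlist_size),
        "three_words_two_digits": passphrase_bits(3, wordlist_size, digit_separators=2),
    }


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every candidate at the given guess rate."""
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for name, bits in compare_strategies().items():
        # Assumed offline cracking rate of 1e10 guesses/s, purely for comparison.
        print(f"{name:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits, 1e10):.1e} years")
```

Four random common words carry about as much entropy as eight fully random printable characters, while the eight-character "Jupiter1" pattern loses roughly sixteen bits to its predictability.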
2. Using the same password for multiple accounts is sometimes preferable to alternatives.
While it is true that passwords to sensitive sites should not be reused on other sites, it is perfectly acceptable to reuse passwords to sites where the security is of no concern to the user; for many people, such “unimportant password” sites make up a significant percentage of the sites for which they have passwords. There is no reason to use a strong password, for example, on sites that require users to establish “accounts” solely in order to track users for marketing purposes; one might even argue that there is also no reason to use a strong password on sites that use accounts solely to ensure that comments posted to the site are attributable to their authors. Often the information that users provide to these sites includes no more than a (real or fake) name, email address, and password. Especially if one uses a separate email address for these types of purposes, is it truly of concern to him or her if a criminal who breached one such account gained access to the others? (While such information could be leveraged for social-engineering-type attacks, that information likely can already be garnered from social media sites and publicly-available, online databases, etc.)
Instead of creating a plethora of new passwords, it may be wise, once again, to accept human limitations; if using the same password or similar passwords on “no need to secure my information” sites allows a person to create and remember stronger passwords for use on sites on which his or her security truly matters, doing so may be significantly preferable to the often-repeated non-reuse approach.
3. Your email and social media passwords may be significantly more sensitive than your online banking password.
People tend to believe that their online banking and other financial-system passwords are the most sensitive among their many passwords, but, in many cases, they may be incorrect. Because many online systems allow people to reset their passwords after validating users’ identities through email messages sent to the users’ previously-known email addresses, a criminal who gains access to someone’s email account may be able to do a lot more than just read email without authorization: he or she may be able to reset that user’s passwords to many systems, including to some financial institutions. Likewise, social-media-based authentication capabilities — especially those provided by Facebook and Twitter — are used by many sites, so a compromised password on either social media platform could lead to unauthorized parties gaining access to multiple systems. So use strong passwords on these sites, and, of course, turn on multi-factor authentication on social media platforms when available.
4. People need to provide passwords over the phone, so telling them never to do so is not an effective way to protect them.
On its website, the United States Federal Trade Commission (FTC) recommends:
Of course, such advice would make sense if legitimate businesses never asked people to authenticate themselves by providing their passwords over the phone, but some businesses do request passwords in such a fashion on a regular basis. Better advice might be not that people should never provide a password over the phone, but that they should provide sensitive or secret information over the phone only if they initiated contact with the party requesting it. It is far less risky, for example, to provide an account’s phone-access password to a representative if one calls his or her bank using the number printed on the back of his or her ATM card, than if someone calls him or her purporting to be a bank representative and demands the same private information.
5. Changing passwords too often may harm security instead of improving it.
On its website, the American Association of Retired Persons (AARP), which focuses on enhancing the quality of life for people as they age, recommends that folks:
Consider how many “critical” passwords people living in 2018 likely have. A huge number of folks, for example, have passwords to access their personal email, social media accounts, bank accounts, credit card accounts, mobile device accounts, Google or Apple accounts, work computer, work email, etc., all of which can be classified as “critical.” Even with just five such accounts — and most people alive today likely have significantly more than that number — changing passwords every two weeks would necessitate that a person learn a staggering 130 new passwords every year! It is not difficult to imagine that such a scenario will likely lead to passwords being reused, modified only in part (e.g., the password following josephsteinberg1 becomes josephsteinberg2), or written down. Of course, following the AARP’s advice might also lead to people getting locked out of accounts after multiple failed password attempts during which they enter expired passwords — the frustration of which may also ultimately cause them to even further undermine security with weaker, and more frequently-reused, passwords.
Obviously, passwords should be changed if they have truly been put at risk by a breach or the like, but, otherwise, changing passwords frequently may actually compromise their efficacy as vehicles for authentication.
6. Do not “password panic” after reported breaches — and ignore the “experts” who cry wolf.
It seems like whenever there is a major data breach reported in the news, “experts” quoted all over the media advise people to change all of their passwords. This response to the news of a breach almost seems like a biological reflex — little thought is given, or analysis performed, before a chorus of voices chimes in with the usual recommendations.
But, unless there is a true need, changing many passwords at one time is likely to create security problems similar to (or even worse than) scenarios in which passwords are frequently changed: When people create many new passwords at one time, they face serious limitations of human memory and are more likely than otherwise to write passwords down (bad idea), store them in a computer (which, unless they are properly encrypted and the device secured, is also a bad idea), or use passwords identical to, or similar to, one another on multiple sensitive sites (bad idea).
Also, as I explained several years ago after the Heartbleed bug — when I suggested that people ignore the advice of “experts” who were recommending that everyone change his or her passwords en masse — if a vulnerability that allows systems to be compromised is publicized, it is important not to change passwords on systems that may still be vulnerable. Once criminals know that there is a serious, widespread vulnerability, they are certainly going to attempt to detect and exploit it. So while evildoers may not have actually exploited the vulnerability on any particular system on which you plan to change your password — and your password may still be secure — if, after the vulnerability is publicized, crooks do breach the system and then you change your password, they will likely obtain it. Consider that if criminals stole your old password by exploiting a particular vulnerability that still exists, they can easily steal your new one, and that if your old one was not stolen, changing it may lead to the new one being stolen. As such, changing your password can sometimes increase the risk of its being compromised rather than diminish it.
Furthermore, creating a false sense of urgency without investigating the facts is irresponsible, and puts people at risk when there is a true password emergency. How seriously do you think the multitudes of people who have repeatedly ignored the warnings from the FTC, security “experts,” and the media about the need to change passwords after some particular data breach or set of breaches — and suffered no harm as a result of ignoring such warnings — will take a future warning issued at a time when it is actually necessary to change passwords?