Dispelling modern myths about passwords

in Project HOPE, 3 years ago


In the previous posts of this series, it has been described why in general most passwords are insecure, why everybody created insecure passwords for more than 15 years despite their best intentions, and how hackers are quickly cracking these passwords. This article will examine some more modern bad password habits, and explain why - despite all evidence - they are still popular among IT departments and enforced on users.

Human-generated passwords are BAD, get over it

It has been explained in detail, yet it is always overlooked, be it out of laziness, excess of confidence, or plain ignorance: human-generated passwords are bad because they are predictable. They are predictable because they are composed of characters that are not independently and identically distributed (IID).

A collection of random variables is independent and identically distributed if each random variable has the same probability distribution as the others and all are mutually independent.

But words are the exact opposite, as they have strict spelling rules which establish a correlation between all characters. Even worse, nature is playing against randomness just because users are human beings typing on a keyboard.

Recent studies have shown that, when writing, users seem to prefer certain words depending on how many of their letters sit on the right-hand side of the keyboard. Even "randomly" chosen letters are not IID, as they have been shown to cluster toward the center of the keyboard. In short, humans are very bad at generating randomness, and this - it must be acknowledged - was recognized by Bill Burr, who took it as the starting assumption of his work when drafting the infamous NIST recommendations.

Some "modern" recommendations are also wrong

Having acknowledged that the NIST recommendations do not produce robust passwords, some other recent and commonly offered guidelines deserve the same scrutiny:

"Build random passwords based on initials of a familiar phrase".

That would mean choosing a phrase to have some kind of mnemonic aid, for instance, "first operate common key externally recognizable" or "lorem ipsum dolor sit amet", then pick each initial to obtain a baseline and apply NIST substitutions (e.g. f0ck3r and L1dS4).

This method might yield a collection of characters slightly closer to IID, but the result still shows several shortcomings even on cursory inspection:

  • still too short
  • still based on character substitution, which is ineffective
  • still very easy to crack for a computer

proving that this method is not better than "scramble words with substitutions" in any way.
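To put numbers on the two claims above (substitutions are ineffective, and the result is still too short), here is a small Python script, added for this article and not part of the original post, that builds the "initials of a phrase" baseline, enumerates every password reachable from it through a table of common substitutions, and compares the bits those substitutions add against a uniformly random password of the same length. The substitution table is an assumption for the example (real cracking rule sets are far longer); the two phrases are the ones quoted in the text.

```python
import math
from itertools import product

# Common single-character substitutions of the kind the old rules encouraged.
# This table is an assumption for the example; real rule lists are much longer.
SUBSTITUTIONS = {
    "a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7", "l": "1",
}


def phrase_initials(phrase):
    """Baseline of the 'initials of a familiar phrase' method."""
    return "".join(word[0].lower() for word in phrase.split())


def substitution_variants(base):
    """Every password reachable from `base` by applying, or not applying, one
    of the listed substitutions at each position (case toggling is ignored;
    it would add at most one more bit per letter)."""
    choices = []
    for ch in base:
        alternatives = [ch]
        alternatives.extend(SUBSTITUTIONS.get(ch.lower(), ""))
        choices.append(alternatives)
    return ["".join(c) for c in product(*choices)]


def substitution_bits(base):
    """Bits the substitutions add on top of the base, assuming the attacker
    already guesses the base (which is exactly what dictionary rules do)."""
    return math.log2(len(substitution_variants(base)))


def random_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def compare(phrase):
    """Summarise the scheme for one phrase.  `uniform_bound_bits` assumes the
    initials were uniform over 26 letters, which is generous: real initials
    are far from IID, so the true figure is lower."""
    base = phrase_initials(phrase)
    return {
        "base": base,
        "variants": len(substitution_variants(base)),
        "substitution_bits": round(substitution_bits(base), 2),
        "uniform_bound_bits": round(random_bits(len(base), 26), 1),
        # Same length, but drawn uniformly from the 95 printable ASCII characters.
        "random_same_length_bits": round(random_bits(len(base), 95), 1),
    }


if __name__ == "__main__":
    for phrase in ("first operate common key externally recognizable",
                   "lorem ipsum dolor sit amet"):
        print(compare(phrase))
```

For "focker" the substitutions yield only four variants, i.e. two extra bits, and even the generous uniform bound for six initials stays below 30 bits, whereas eight characters drawn uniformly from printable ASCII are worth about 52 bits. Length and real randomness dominate; substitutions are noise.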

They force you to change your password every 30 days. They're wrong.

Another timeless IT cliché that every office has to endure is the request to change the password periodically. The timeframe may vary between "really paranoid" and "mildly annoying", but sooner or later a pop-up message will appear on the screen to remind you that your password is about to expire.

It is very unclear why a password - a bundle of bits - should rot and turn bad like sour milk, but there is a historical reason that helps in understanding the rationale. After acknowledging that password files can and will be stolen, system administrators craving security turned their attention to what hackers were doing to attack them, and found out that cracking passwords takes time: if all users changed their passwords frequently enough, hackers would not be able to break and use them before they turned into digital garbage, and security would be restored!

Even the infamous NIST guidelines recommended changing passwords regularly, at least every 90 days. This advice ended up baked into many standards that businesses needed to follow.

That however was just another mistake, which caused its fair share of problems.

With time, it's been demonstrated that users who are forced to regularly update passwords will only introduce minimal changes between each iteration: one letter, one number, one special character - whatever meets the minimum requirement set by the IT policy to make the new password accepted by the system. Users are lazy, and this behavior - in hindsight - was entirely predictable.

This malpractice exposes passwords to inference attacks: an attacker who knows one iteration can exploit the similarities to guess the next, which over time weakens every password in the sequence even if encryption is applied.

And finally, there is the human factor: forcing users to change passwords also makes them more susceptible to being forgotten.

The downsides of forcing this change on users - a habit which is still very popular despite having been proven detrimental - vastly exceed any potential benefit, especially considering that a determined and well-structured attack will break the vast majority of passwords before they get changed anyway. In other words, a password should only be changed if it is suspected to be compromised.

Despite all that, it is still common practice for many IT departments to enforce a "password change" policy with a timed expiration, which creates a false sense of security while placing a burden on users and inadvertently pushing them to choose even weaker, less secure passwords.
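If a rotation policy cannot be dropped outright, the least an IT department can do is refuse the "one more digit" iterations described above. The following Python check is an added example for this article, not code from the original post or from any product: it strips the trailing counter, undoes the usual substitutions, and then compares the remembered core of the old and new password, falling back to an edit-distance threshold. The reverse-substitution table and the sample passwords are constructed for the example.

```python
import re

# Reverse map for the common substitutions; an assumption for this example.
# A real check would use the same rule list the organisation's audits do.
UNLEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                        "7": "t", "@": "a", "$": "s", "!": "i"})


def core(password):
    """The part a user actually remembers: drop the leading/trailing run of
    digits and symbols (the counter that gets bumped), undo substitutions,
    lowercase."""
    trimmed = re.sub(r"[\W\d_]+$", "", password)
    trimmed = re.sub(r"^[\W\d_]+", "", trimmed)
    return trimmed.lower().translate(UNLEET)


def levenshtein(a, b):
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def is_trivial_change(old, new, min_distance=3):
    """True when `new` is an iteration of `old` rather than a fresh secret."""
    old_core, new_core = core(old), core(new)
    # Equal non-empty cores: only the counter or the substitutions changed.
    if old_core and old_core == new_core:
        return True
    # Otherwise require a few real edits between the normalised full strings.
    full_old = old.lower().translate(UNLEET)
    full_new = new.lower().translate(UNLEET)
    return levenshtein(full_old, full_new) < min_distance


def check_rotation(old, new):
    """Policy decision for a password change request: (accepted, reason)."""
    if is_trivial_change(old, new):
        return (False, "new password is a minor variation of the previous one")
    return (True, "accepted")


if __name__ == "__main__":
    # Constructed sample pairs, the kind of iteration a forced rotation produces.
    for old, new in [("Summer2019!", "Summer2020!"),
                     ("Summer2019!", "Summ3r2019!!"),
                     ("P@ssw0rd1", "P@ssw0rd2"),
                     ("Summer2019!", "correct horse battery staple")]:
        print(old, "->", new, check_rotation(old, new))
```

The comparison needs the previous cleartext at change time, which is exactly when the user has just typed it; it does not require storing old passwords in a reversible form. The edit-distance threshold is deliberately low so that the check catches iterations without rejecting genuinely new passwords that happen to share a few characters.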

(to be continued)


Yeah, you are right.
However, it is also good to have an unexpected email, which we don't use for correspondence.

True, even though unrelated to passwords.

That's what services like https://www.guerrillamail.com/ and https://www.emailondeck.com/ are for.

Hello friend, I think it's an interesting topic, it's important data that you give us, as you say human beings are very predictable. Thanks for sharing it.

Hello @lucabarbera
Interesting and well explained what you propose.
We could practically say that creating a password is an art.

It is indeed and, like many crafts related to application of math and algebra in information technology, it is subject to critical errors when guidelines, best practices and tested knowledge are ignored. Just like cryptography, no one should invent Yet Another Algorithm because the good ones have been validated by decades of robust application. Password management is subject to the same rules.


Good article, one of the things that surprised me the most about HIVE is that you can't recover passwords, that gives you an extra security advantage since most attacks and identity theft come from being able to recover passwords.

Very true. It also pushes users toward the good habit of properly handling passwords, for example with a password manager.