6 Ways Passwords Fail Basic Security Tests
New data shows humans still struggle with password creation and management.
October 28, 2020
Humans are good at some things, like eating too many potato chips or getting annoying songs stuck in their heads. They're not so good at choosing edible wild mushrooms by appearance, for example, nor are they good at choosing strong, safe passwords. Unfortunately, that last item has some serious repercussions in the cybersecurity world.
Security.org's new report on password strategies in the US serves as a painful reminder of just how humans fail at the basic task of choosing (and using) a strong password. Many, if not most, of the issues around passwords can likely be laid at the feet of a pair of human traits: We're fallible, and we're stubborn. Put them together and you have a recipe for a system that we can't use well and are reluctant to change.
One of the ways that humans demonstrate their problems with passwords is in the continuing reluctance to use a password management program. Experts have long said that password managers are key to making computer and network credentials more secure, yet Security.org's research shows that only 12% of users have a password manager as part of their secure authentication routine. Instead they turn to methods only slightly more reliable and secure than teaching passwords to a nearby parrot: 37% depend on their own memory for password storage while 20% go OG with paper notebooks.
Given the high-tech password retrieval systems in use, it's perhaps no wonder that many users choose passwords that lack sufficient security heft. Based on current research, there are six ways in which users blow the basic task of creating a secure password. Or to put it less judgmentally, six ways in which passwords fail to measure up.
How many of these "failures" do your passwords exhibit? Or are you one of the few who use technology to help create and manage strong passwords? We've seen the security.org research -- we'd like to know what you and your organization are doing about passwords. Let us know in the comments section.
(Image: mangpor2004 VIA Adobe Stock)
When it comes to defeating automated password-cracking techniques, longer is - all other things being equal - better. Much longer is much better. How do we know this beyond what "common sense" might say? We know because Claude Shannon mathematically proved perfect secrecy in 1945 using a key the same length as the message itself.
All of this makes many security professionals gnash their teeth over the fact that 45% of users have passwords that are no longer than eight characters. Only about one-fifth (22%) have passwords that are 12 characters long, or longer.
In 2014, security expert Jonathan Lampe published research on a huge store of passwords in which he found that the average password length was just slightly longer than the minimum required by the PCI-DSS standard (eight characters). It doesn't seem that password patterns have changed significantly since then: The minimum length will define the total length of the password for most users.
A straight is a fine hand in poker. It is a lousy strategy for generating a password. According to security.org's findings, "123456" remains the most popular password in the US. This string results in a password that can be cracked instantly, says the organization.
Many organizations now have requirements for passwords that include things like upper and lower case letters, at least one number, and at least one special character. Despite that, Splashdata and others report that the most commonly used passwords include simple number sequences, and words like "password" and "qwerty."
One simple suggestion for users is to avoid any password that can be typed by running a finger along the keyboard. Another suggestion would be to avoid basic words like "password," "secret," and "admin." When it comes to stronger passwords, a little imagination can go a long way.
While simple passwords are easily cracked, an easily guessable password can provide even easier access for criminals. What constitutes an easy-to-guess password? Home street name, college alma mater, spouse name - anything that attackers could easily know and type in during a human brute-force effort qualifies as too obvious.
Other passwords can be easily guessed, too. Recently, a Dutch researcher reported gaining access to Donald Trump's Twitter account by using "maga2020!" as the password. Here's a tip: If you (or your organization) are known for a catch-phrase or slogan, don't use it as a password.
The many personal information breaches of the last few years have made it much easier for attackers to put together lists of possible obvious password components. Users should make the attacker's job harder by avoiding these easily found, and easily guessed, words and phrases.
Newsflash: 2020 is a presidential election year in the US. Oh, and there's a pandemic. So while it's not really surprising, the fact that security.org found 14% of users with "COVID" as a password, 12% with "Trump", and 9% with "Biden" means that cybersecurity attackers may have an easier job than either epidemiologists or political prognosticators this year.
On the one hand, it's understandable that users would turn to words of topical interest for password components, especially in light of policies that require new passwords on a regular basis. The key, when talking with users, is to encourage them to make these topical words part of a much longer, more complex, password if they're going to be used at all.
As an example, "COVID2020" is a terrible password. "2020wasthe&^#$%yearthatCOVIDruinedforeveryone!!" is a decent password. Context matters.
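As a defender-side illustration (added here, not code from Security.org's report or this article), the following Python checker flags the composition failures the article describes - too short, a "straight" or keyboard walk, a basic word, a topical or slogan word - and estimates the brute-force search space in bits to show why length dominates. The word lists and the 12-character threshold are assumptions drawn from the article's figures, not a production denylist.

```python
import math
import re

# Constructed denylists based on the words the article names. A real deployment
# would screen against a breached-password list instead of a handful of words.
BASIC_WORDS = {"password", "secret", "admin", "qwerty"}
TOPICAL_WORDS = {"covid", "trump", "biden", "maga"}
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
MIN_LENGTH = 12  # assumed threshold: the article notes only 22% of users reach 12+


def _has_run(s: str, alphabet: str, n: int = 4) -> bool:
    """True if s contains n consecutive characters that are adjacent in
    alphabet, read forwards or backwards (e.g. '1234', 'dcba', 'qwer')."""
    s = s.lower()
    rev = alphabet[::-1]
    return any(s[i:i + n] in alphabet or s[i:i + n] in rev
               for i in range(len(s) - n + 1))


def failures(pw: str) -> list:
    """Return the article-style failure labels pw exhibits; [] means it passes."""
    low = pw.lower()
    found = []
    if len(pw) < MIN_LENGTH:
        found.append("too_short")
    if _has_run(pw, "0123456789") or _has_run(pw, "abcdefghijklmnopqrstuvwxyz"):
        found.append("straight")
    if any(_has_run(pw, row) for row in KEYBOARD_ROWS):
        found.append("keyboard_walk")
    if any(w in low for w in BASIC_WORDS):
        found.append("basic_word")
    # A topical word is tolerated only inside a much longer passphrase, mirroring
    # the article's point that "COVID2020" is terrible but a long sentence is fine.
    if any(w in low for w in TOPICAL_WORDS) and len(pw) < 2 * MIN_LENGTH:
        found.append("topical_word")
    return found


def search_space_bits(pw: str) -> float:
    """Rough brute-force search space: len * log2(size of character classes used).
    Bits grow linearly with length, which is why 'much longer is much better'."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation
    return len(pw) * math.log2(size) if size else 0.0
```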
A toothbrush is something that really shouldn't be shared. In cybersecurity, passwords should have toothbrush status, but that doesn't stop the 25% of Americans who report sharing their passwords with others, Security.org's data shows.
Why do people share passwords? Anecdotal evidence suggests that it's often for reasons of convenience: A colleague's account isn't authorized for a task that yours is, or you need someone to do one of your tasks while you're busy with something else. In either case, handing over credentials is a very risky way to get a job done.
An old saying goes, "Two can share a secret if one of them is dead." It's a stark way of pointing out that secrets lose the element of secrecy with every additional share. Security teams that become aware of frequent password sharing should explore one-time guest accounts or other legitimate ways to allow business processes to continue while keeping passwords sacrosanct.
Just because a user chooses a memorable password, it doesn't mean that they'll actually remember it. The fallible human memory is one of the primary reasons security experts recommend password managers for all users. According to the security.org report, about 12% of users actually do so, with another 10% taking advantage of the password management features of their web browser for the same purpose.
For one-fifth of users, writing their passwords in a physical notebook is the password management system of choice. Another 12.5% have taken their notebook habit digital, using a note app for password storage. That puts "writing it down," in one form or another, just behind the 37% who simply try to remember all the passwords they use for business and personal accounts.
Here's the problem with remembering all the passwords: Most humans can't. That means either re-using passwords, with the same password used for multiple accounts, or using some sort of pattern for passwords. Either one of those choices makes it much easier for attackers to use one stolen password to leverage access into multiple accounts and increase damage exponentially.
The best security for access involves strong, unique passwords combined with two-factor authentication methods. Until the majority of users adopt those, however, articles like this one will continue to be regular features - along with stories of data breaches based on purloined passwords.