We all know the well-worn adage to make our passwords long and complex. Sometimes trying to do so can be completely frustrating.
My password policy recommendations include:
- Use multi-factor authentication (MFA) when you can and where it makes sense
- If a password manager can be used, use very long and complex passwords
- If a password manager can’t be used, use passwords of at least 8 to 12 characters with some minor complexity
- Use a 16-17+ character passphrase if concerned about password hash cracking attacks
- Enable account lockout (at any threshold; the exact value is much debated)
- Don’t re-use passwords between any website or service
- Do not use easily guessable passwords (e.g., password2, 12345678, etc.)
- Change passwords at least once a year, possibly more often for corporate organization accounts
If you are interested in learning why I recommend this policy, check out my latest on-demand webinar on all things passwords. It’s everything I know about password attacks and defenses. But in a nutshell, password policy by itself can only prevent two types of attacks: online password guessing (an attacker submitting guesses to the login page) and offline password hash cracking (an attacker who already has a copy of the stored hashes). You don’t need a super long or complex password to prevent password guessing from being successful, because account lockout and rate limiting cap how many guesses an attacker gets, but you do need length to resist hash cracking, where the only limit is how fast the attacker can compute hashes. Although it’s pretty much already game over if a hacker has your hashes.
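To put numbers on that distinction, here is an added illustration (my code, not the author's or any vendor's) that sizes the keyspace of the three tiers in the policy list above and asks how long an attacker needs to exhaust it under each model. The attacker budgets are assumptions: 5 failed attempts per 15-minute lockout window for online guessing, and 10 billion hashes per second against a fast unsalted hash versus 10 thousand per second against a deliberately slow hash for offline cracking.

```python
# Added illustration for this post (not the author's code): how long exhaustive
# search takes under each attack model. Every rate below is an assumption chosen
# to be in the right ballpark, not a measurement of any particular system.
from typing import Dict

SECONDS_PER_YEAR = 365 * 24 * 3600

# Assumed attacker budgets.
ONLINE_LOCKOUT_ATTEMPTS = 5          # failures allowed per lockout window
ONLINE_LOCKOUT_WINDOW_S = 15 * 60    # window length; attacker is assumed to wait it out
OFFLINE_FAST_HASH_RATE = 1e10        # hashes/s, GPU rig vs. a fast unsalted hash (assumption)
OFFLINE_SLOW_HASH_RATE = 1e4         # hashes/s, same rig vs. a deliberately slow hash (assumption)


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct passwords of exactly `length` characters drawn from `alphabet_size` symbols."""
    return alphabet_size ** length


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Years needed to try every password in `space` at a fixed guess rate."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def attack_times(alphabet_size: int, length: int) -> Dict[str, float]:
    """Years to exhaust one policy tier's keyspace under each attack model."""
    space = keyspace(alphabet_size, length)
    online_rate = ONLINE_LOCKOUT_ATTEMPTS / ONLINE_LOCKOUT_WINDOW_S
    return {
        "online_guessing_years": years_to_exhaust(space, online_rate),
        "offline_fast_hash_years": years_to_exhaust(space, OFFLINE_FAST_HASH_RATE),
        "offline_slow_hash_years": years_to_exhaust(space, OFFLINE_SLOW_HASH_RATE),
    }


# The tiers from the policy list: 8 alphanumeric characters (62 symbols),
# 12 characters from all 94 printable ASCII characters, and a 16-character
# alphanumeric passphrase.
TIERS = {"8 alnum": (62, 8), "12 all-printable": (94, 12), "16 alnum": (62, 16)}

if __name__ == "__main__":
    for name, (alpha, length) in TIERS.items():
        t = attack_times(alpha, length)
        print(f"{name:18s} online {t['online_guessing_years']:.2e} y   "
              f"fast hash {t['offline_fast_hash_years']:.2e} y   "
              f"slow hash {t['offline_slow_hash_years']:.2e} y")
```

With lockout in place even the 8-character tier takes on the order of a billion years of online guessing, while the same keyspace falls to a fast-hash cracker in a matter of hours; only the 16-character tier pushes offline cracking back into geological time. These figures are for exhaustive search of a uniformly random password. Real cracking runs wordlists and mangling rules first, so a 16-character passphrase assembled from common dictionary words is weaker than 62^16 suggests, and a slow, salted password hash on the server side buys far more than the hash-rate column alone shows.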
I’m a big fan of password managers, warts and all. They allow you to fairly easily and quickly create and use long and complex passwords. I’ve been using one for years now. I encourage everyone to use one. I don’t really like to tell people which password manager they should use because I’ve only tried out a few and they all seemed pretty good. But if you want some recommendations, check out this WIRED magazine password manager review article.
One of the frustrations you’ll come across if you try to use long and complex passwords consistently across all the websites and services you use is that nearly every site and service has a different password policy. Minimum password length usually ranges from six to eight characters. That’s not a problem. The problems are maximum length and complexity. Maximum lengths mostly fall between eight and 20 characters, although some sites allow longer. The bigger problem is complexity. Some require uppercase and lowercase letters. Some require numbers. Some require symbols, but which symbols they allow varies greatly by site and service. It’s never all 94 printable characters on a regular keyboard. And never mind if you decide to use a space as your symbol. Forget about it. There is no technical reason for any of this: a site that hashes passwords properly can accept any string at all, and NIST SP 800-63B recommends allowing at least 64 characters, every printable ASCII character including the space, and Unicode.
But my bigger problem is that many websites and services (I’m talking very popular and well-known websites and services) will not take passwords that meet their own stated password complexity policy. For example, this week, I was trying to login to a very popular healthcare website using the password I had created when I joined. The website would not take my password even though it had worked during registration. I tried over and over. It kept saying I was using a bad password.
So, I clicked on their “Forgot Your Password?” link. It prompted me to enter in a few pieces of confidential information to confirm my identity, which I did, and then, it asked me for my new password…twice…naturally. The password I tried here was 14 characters, a mix of uppercase and lowercase letters and numbers. The site’s password policy said passwords had to be from 8 to 20 characters long and must contain letters (both uppercase and lowercase) and numbers. No symbols allowed.
Symbols or No Symbols?
Those types of password policies are weird, because I’ve got to configure my password manager, which generates my random passwords, to not use symbols. It’s frustrating because most websites allow symbols, but I’m constantly forced to manually remove or replace symbols from the randomly generated password offered by the password manager because the site doesn’t take particular characters the generator used. And many times, the site doesn’t tell you which symbols it accepts. I have to start manually removing or replacing symbols to find out which characters were the problematic symbols. It can take a few minutes to get a complex password that the site will accept. This is frustrating by itself, but back to my previous password frustration story already in progress.
So, the site will only take moderately long passwords and only passwords using letters and numbers. At least it’s stated in the policy that NO symbols are allowed. It’s a weird requirement, but at least it’s stated. So, I input a new password. It takes my new password. I have to type it in twice. It accepts it and thanks me. Then when I try to login using the new password, it immediately kicks me to the change your password page that I had just left. I don’t know what’s going on, but I put in my same password again and it takes it, thanks me, and takes me to the login page. When I put in the new password, it takes me right back to the change your password page. And it never lets me out of this cycle.
Password Complexity in Practice
I call tech support and they walk me through the same steps. They tell me I can use the same password as I am currently using, so I type it in. Same thing happens. They tell me to type in my old password that worked before. I do that and the same result happens. Tech support is clueless. In frustration, I type in a new password of Password2 and it takes it. What!!??
Yes, it appears that my new and old passwords, which meet the stated password policy, are either too long or too complex for the system to handle, so it’s rejecting me using them after allowing me to create them. And it won’t take my strong password, but it will take one of the most common and easily hackable passwords in the world. [Hacker wannabes, note I changed my password to something else besides Password2, so slow down on trying to hack my account.]
I would love to say this is unusual, but it’s not. It happens all the time when I try to use long and complex passwords. It happened on three different websites over the last week alone. Most of the time, the website simply doesn’t take my long and complex password and I have to spend a few minutes determining how weak my password has to be before they will take it. That’s frustrating enough.
What’s worse is that websites often appear to take my long and complex password but then won’t let me use it after saying I successfully created it. I’m lucky if the website actually tells me that my password is “bad” upon the first time I try to use it. I’m so used to that outcome that I immediately know what is wrong and go about changing it to a weaker password with less length or complexity. That’s frustrating enough.
But what often happens is that it takes my password and then when I try to login at a later date, suddenly my password won’t work. It worked at some previous point and now suddenly later, it doesn’t. Or it lets me login to the website, but then I get prematurely kicked out for an unexplainable reason or I get unexplainable error messages as I navigate the site. I know what’s happening. The website is connecting to different backend services which require authentication, and my long and complex password is creating problems on that newly involved system. I get it! I know why it’s happening. But it doesn’t make it any less frustrating.
Can These Frustrations be Solved?
The Holy Grail would be if the world agreed on a single, very inclusive password policy. Unfortunately, that’s never going to happen. But is it too much to ask that website developers actually test that passwords meeting their stated policy are accepted, not just at registration but at login and by every backend system the credential is handed to? And this is not a rare occurrence. It happens all the time. If you don’t use truly long and complex passwords, you hardly ever see the problem, if ever. Sites take shorter and weaker passwords without complaint. But if you’re trying to be a good, safe Internet citizen and actually use long and strong passwords, you will soon discover that it isn’t as easy as the computer security proverb makes it out to be.
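Here is what that developer-side test looks like, as an added example that is not code from the post or from any real site. It serves both the “Symbols or No Symbols?” section above (the generator restricts itself to a site’s symbol allow-list, which is what the password manager has to be configured to do) and this one. It models the healthcare site’s stated policy (8 to 20 characters, uppercase, lowercase, digits, no symbols), a registration check that enforces exactly that, and a hypothetical login path that re-validates against an undocumented 12-character limit, which is enough to reproduce the post’s symptom: Password2 gets in, a 14-character compliant password does not. The consistency check then generates compliant passwords across the whole stated length range and reports the first layer that disagrees. All layer names, the 12-character limit and the sample passwords are assumptions for the example.

```python
# Added example, not code from the post or any real site. Models the failure the
# post describes: a registration check that enforces the stated policy and a
# separate, undocumented login-side check that does not, plus the test a
# developer should run so the mismatch is found before a user is.
import secrets
import string
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """A site's password policy as it would be stated on the page."""
    min_len: int
    max_len: int
    require_upper: bool = True
    require_lower: bool = True
    require_digit: bool = True
    allowed_symbols: str = ""    # empty: no symbols permitted, as on the site in the post
    allow_space: bool = False

    def alphabet(self) -> str:
        chars = string.ascii_letters + string.digits + self.allowed_symbols
        return chars + " " if self.allow_space else chars

    def violations(self, pw: str) -> List[str]:
        """Every way `pw` fails this policy; an empty list means accepted."""
        problems = []
        if not self.min_len <= len(pw) <= self.max_len:
            problems.append(f"length {len(pw)} outside {self.min_len}-{self.max_len}")
        if self.require_upper and not any(c in string.ascii_uppercase for c in pw):
            problems.append("no uppercase letter")
        if self.require_lower and not any(c in string.ascii_lowercase for c in pw):
            problems.append("no lowercase letter")
        if self.require_digit and not any(c in string.digits for c in pw):
            problems.append("no digit")
        bad = sorted(set(pw) - set(self.alphabet()))
        if bad:
            problems.append("disallowed characters: " + "".join(bad))
        return problems


def generate(policy: Policy, length: Optional[int] = None) -> str:
    """Password-manager-style generator restricted to what a site allows.

    Every position is drawn uniformly from the site's alphabet; drafts missing a
    required class are rejected and redrawn, so no position is biased toward a
    class (appending a token digit or symbol at the end would leak structure).
    """
    length = policy.max_len if length is None else length
    if not policy.min_len <= length <= policy.max_len:
        raise ValueError("length outside the policy's allowed range")
    alphabet = policy.alphabet()
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not policy.violations(candidate):
            return candidate


# Stated policy of the site in the post: 8-20 characters, upper, lower, digits, no symbols.
STATED = Policy(min_len=8, max_len=20)


def registration_accepts(pw: str) -> bool:
    """The registration form enforces exactly the stated policy."""
    return STATED.violations(pw) == []


LEGACY_LOGIN_MAX_LEN = 12   # hypothetical: an older backend behind the login path


def legacy_login_accepts(pw: str) -> bool:
    """The login path re-validates against a stricter, undocumented limit.
    'Password2' passes here; a 14-character policy-compliant password does not."""
    return Policy(min_len=8, max_len=LEGACY_LOGIN_MAX_LEN).violations(pw) == []


def policy_consistency_check(
    stated: Policy,
    layers: Dict[str, Callable[[str], bool]],
    samples: int = 200,
) -> Optional[Tuple[str, str]]:
    """The test the post asks developers to run.

    Generates passwords satisfying the *stated* policy, first at both length
    boundaries and then at random lengths across the range, and confirms every
    layer that will see the credential accepts them. Returns (layer, password)
    for the first mismatch, or None if every layer agrees with the stated policy.
    """
    lengths = [stated.min_len, stated.max_len]
    span = stated.max_len - stated.min_len + 1
    lengths += [stated.min_len + secrets.randbelow(span) for _ in range(samples)]
    for length in lengths:
        pw = generate(stated, length)
        for name, accepts in layers.items():
            if not accepts(pw):
                return name, pw
    return None


if __name__ == "__main__":
    layers = {"registration": registration_accepts, "login": legacy_login_accepts}
    print(policy_consistency_check(STATED, layers))   # ('login', <20-character password>)
```

The check fails on the very first maximum-length password, which is the point: a stated policy is a contract, and the cheapest way to honour it is one shared validator that the registration form, the login handler and every downstream service call, with no separate field-length limits or character denylists hiding behind the login button. A mismatch like the one modelled here usually means the password is being handed to a second system with narrower rules of its own, which is exactly the situation described above.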
I know there are bigger fish to fry in the computer security world, but here we are, after over three decades of personal and networked computers and two decades plus into this world we know as the Internet, and many websites and services still can’t get something as pervasive and common as passwords working right. It’s frustrating. This begins to answer the question "Why do so many users have 'bad' passwords?"