May 2nd is World Password Day. Despite the computer industry telling us for decades that our passwords will soon be gone, we now have more than ever!
The average person has five to seven passwords that they share over 150 sites and services. And that is on top of all the various forms of multi-factor authentication (MFA) that they use to run their digital lives.
I wrote my first “passwords are going away” article in 1990. I wrote the second in the early 2000s. I no longer write those articles. Today, I am firmly convinced that passwords will never be going away. Everything that has been invented to replace passwords if added up all together would not work on even 2% of the world’s sites and services. Passwords still rule despite many attempts to displace them.
No, you and I have many, many passwords. We need strong ones. We need different ones for every site and service. We should periodically change them, about once a year.
Password Attacks
I have examined the world of password attacks for over three decades. Password attacks are generally broken down into a few major categories:
- Password guessing
- Password theft
- Password hash cracking
- Password bypass
Many times, hackers can successfully guess at someone’s password. This can be done manually, usually knowing something about how a person may create a particular password or just general password creation habits that are common to most people creating passwords (such as beginning with an uppercase letter in the first position, lowercase vowel in the second position, and if a number is included, it is likely to be at the end of the password).
Guessing can also be done using an automation tool that guesses anywhere from a few times a minute to as fast as the leveraged system will allow.
Defenses include creating strong passwords that defeat password-guessing attacks and forced periodic changes.
Password theft can happen in many different ways. It can occur because a hacker compromises the authentication system holding the password database (e.g., operating system, application, website, etc.) or because a user is tricked into providing their password to an unauthorized party.
Egress Software Technologies reported that phishing was involved in 79% of all credential thefts. The obvious defense against that is to prevent phishing attacks from getting to users and to provide security awareness training for appropriate mitigation and reporting if they do.
Hackers can also steal the password hashes that represent the cleartext passwords as stored in operating systems (OSs) and applications. In Microsoft Windows and Microsoft Active Directory, those hashes can be used very similarly to the plaintext passwords they represent in what are known as “pass-the-hash” attacks. The stolen hashes can also be guessed at (called “cracking”) to obtain the user’s plaintext password. Password hash cracking can be done at speeds well over ten trillion password guesses a second.
The obvious defenses include preventing password hashes from being stolen and requiring strong passwords that are resistant to successful cracking. Would your password withstand someone guessing at it ten trillion times a second? Probably not, unless it is truly random or very strong. In order for a password to be highly resilient against password guessing or cracking, it needs to be 12 characters long (or longer) if completely randomly generated or 20 characters or longer if created by someone.
Preventing password hashes from being stolen usually means not allowing attackers (or their malware) to get privileged access on the involved OS or from accessing them remotely (the latter type of attack is covered here.
Password bypass is when the attacker performs an attack that does not care if the victim had a strong, well protected password or not. For example, 33% of successful cyberattacks involve exploiting unpatched software or firmware. If you have unpatched software, an attacker does not care what your password is.
If an attacker can trick you into revealing your password to them, it does not matter how strong it is. If an attacker can get remote control of your system, they do not care what your password is. If the attacker successfully compromises the site where your password is used, they do not care what your password is. There are all sorts of hacker attacks and many of them do not care what your password is. The best defenses any single individual can do is to not fall victim to social engineering and patch their software and firmware.
My Password Advice
Given how password attacks are performed, here is my advice:
Use PHISHING-RESISTANT MFA instead of a password if you can. Using MFA likely prevents a third of today’s hacking attacks from being successful. You cannot be phished out of your password if you do not have one. Your MFA should be phishing resistant. Here are two articles on that recommendation:
Don’t Use Easily Phishable MFA and That’s Most MFA!
When you cannot use MFA, you need to use strong, separate passwords for each site and service you use. That means 12-character or longer truly random passwords or 20-character or longer human-created passwords. Those are a pain to create and use, so instead USE A PASSWORD MANAGER. If you do not use a stand-alone password manager, you should.
If you are not sure how to pick a good password manager, consider watching my one-hour webinar on the subject.
If you must create a password, where a password manager will not work, like your laptop login screen, create and use a strong password, 20 characters or longer with some complexity (e.g., uppercase characters, numbers, and symbols) and do not only place it at the beginning or end.
Here it is represented graphically:
The information and recommendations in this post are supported in detail by my ebook, What Your Password Policy Should Be.
Here's what you'll get:
