Surviving the Internet – Three password tips


In the online world, passwords protect who we are.

Passwords are part of our everyday lives whether we like it or not. With them come the constant concerns of choosing them, remembering them, associating them with websites and applications and, last but not least, protecting them. With our increased reliance on the internet and on devices for everyday activities, passwords hold the key to our lives, protecting intimate personal details and private communications, job-related confidential information, our social habits and our finances. In the online world, passwords protect who we are. That is why passwords matter, and why real care needs to go into keeping them safe.

Decision #1: Strong, or easy to remember?

In theory, every password can be cracked, given enough time and processing power. The frightening fact is that the overwhelming majority are crackable in under 6 hours using a standard PC (according to a study conducted by Meldium). This is why most applications and websites enforce password complexity policies to protect their users. However, the longer and more complicated a password is, the harder it is to remember. Forgetting passwords is frustrating, and password recovery is a cumbersome process if it has to be carried out often. Which brings us to the first important decision to make when choosing a password: how long and complex should it be? We looked at studies conducted by teams of psychologists and engineers to find out:

TIP #1: Mnemonic-based passwords of 7-8 characters represent a good trade-off between security and memorability.

(J. Yan, A. Blackwell, R. Anderson, A. Grant, “Password Memorability and Security: Empirical Results”)

How to choose secure mnemonic-based passwords:

“Think of a memorable sentence or phrase containing at least seven or eight words. Select a letter, number, or special character to represent each word in your password. A common method is to use the first letter of every word. Ideally, the password should contain a mixture of lower case and upper case letters, numbers, punctuation, and special characters (such as ^ or %).”

(C. Kuo, S. Romanosky, L.F. Cranor, “Human Selection of Mnemonic Phrase-based Passwords”)


Example of memorable phrases and passwords (C. Kuo, S. Romanosky, L.F. Cranor)

Phrase                                      | Password   | Inspiration
Four score and seven years ago, our Fathers | 4s&7yaoF   | Quotation – Gettysburg Address
I love to ski at Seven Springs!             | Ilts@7S    | Personal Hobby
Alas, poor Yorick! I knew him, Horatio      | A,pY!Ikh,H | Literature – “Hamlet” by Shakespeare

Decision #2: Should passwords be reused, and how much?

Pretty much everywhere we go online, we need to register: personal email, hobbies and social networks all require an account. Add to that work-related credentials for email, login and communications, and we arrive at an impressive number of accounts to manage and secure. The more accounts we have to assign a password to, the more tempted we are to reuse passwords. A striking 65% of people use the same password everywhere (according to a study conducted by Meldium).

TIP #2: Do not reuse passwords!

Ways to avoid password reuse:

  1. Use password managers (with the risk of losing it all, if the master password is compromised)
  2. Choose a repeatable pattern for your password, such as choosing a sentence that incorporates something unique about the website or account, and then using the first letter of each word as your password. For example the sentence: “This is my August password for the Center for Internet Security website.” would become “TimAp4tCfISw.” (Center for Internet Security, “CYBER SECURITY TIPS NEWSLETTER”, August 2015, volume 10, Issue 8)
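The following Python helper is an added example, not code from the Kuo/Romanosky/Cranor paper, the CIS newsletter or this article. It applies the first-letter rule from Tip #1 with a small word-to-symbol substitution table, and the per-account sentence pattern from way #2 above, where the sentence carries placeholders for the account name and month. It reproduces the three passwords in the table above when punctuation is kept or dropped the way the authors did, and turns the CIS sentence into “TimApftCfISw.”, one character different from the newsletter’s hand-derived “TimAp4tCfISw.” (the newsletter wrote the first “for” as “4” but not the second). The substitution table, the {site} and {month} placeholders, and the three-character-class threshold are assumptions made for this example.

```python
import re

# Constructed substitution table (assumption for this example): words that the
# paper's sample passwords render as a digit or symbol rather than their first
# letter. The table need not be secret; the phrase is what must stay private.
SUBSTITUTIONS = {"four": "4", "seven": "7", "and": "&", "at": "@"}

# A token is either a run of letters/digits/apostrophes (a word) or a single
# non-space character (a punctuation mark).
TOKEN = re.compile(r"[A-Za-z0-9']+|[^\sA-Za-z0-9']")


def mnemonic_password(phrase: str, keep_punct: bool = False) -> str:
    """Reduce a phrase to one character per word (Tip #1).

    Each word becomes its SUBSTITUTIONS symbol if it has one, otherwise its
    first character with the original case preserved. Punctuation marks are
    copied through when keep_punct is True and dropped otherwise.
    """
    out = []
    for tok in TOKEN.findall(phrase):
        if tok[0].isalnum():
            out.append(SUBSTITUTIONS.get(tok.lower(), tok[0]))
        elif keep_punct:
            out.append(tok)
    return "".join(out)


def site_password(template: str, keep_punct: bool = True, **fields: str) -> str:
    """Tip #2 pattern: fill a per-account sentence, then derive its password.

    `template` uses str.format placeholders such as {site} and {month}
    (placeholder names are this example's choice), so one memorised sentence
    yields a different password for every account.
    """
    return mnemonic_password(template.format(**fields), keep_punct=keep_punct)


def character_classes(password: str) -> frozenset:
    """Report which of lower/upper/digit/symbol occur in the password."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return frozenset(classes)


def meets_guidance(password: str, min_len: int = 7, min_classes: int = 3) -> bool:
    """Check a derived password against Tip #1: at least 7 characters and a
    mixture of character classes. The threshold of three classes is this
    example's choice, not a figure from the cited paper."""
    return len(password) >= min_len and len(character_classes(password)) >= min_classes


if __name__ == "__main__":
    # The three phrases from the paper's table; the authors dropped punctuation
    # in the first two and kept it in the third.
    samples = [
        ("Four score and seven years ago, our Fathers", False),
        ("I love to ski at Seven Springs!", False),
        ("Alas, poor Yorick! I knew him, Horatio", True),
    ]
    for phrase, punct in samples:
        pw = mnemonic_password(phrase, keep_punct=punct)
        print(f"{phrase!r} -> {pw} (meets guidance: {meets_guidance(pw)})")
    print(site_password("This is my {month} password for the {site} website.",
                        month="August", site="Center for Internet Security"))
```

The derived string inherits only the unpredictability of the sentence behind it, so a widely quoted line such as the Gettysburg Address is a weaker source than a personal sentence nobody else would write; the per-account template gives every site a different password while leaving just one sentence to remember.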

Decision #3: How often should passwords be changed?

The common belief is that passwords should be changed at fixed intervals to limit their exposure to attackers. Hence, most websites, applications and systems have a policy on password lifetime and enforce various intervals at which passwords must be changed. However, recent research argues the opposite: people choose passwords less carefully when forced to by an expiration policy, and are more prone to write their passwords down.

TIP #3: “Organizations should weigh the costs and benefits of mandatory password expiration and consider making other changes to their password policies rather than forcing all users to keep changing their passwords.”

When to change passwords:

“If you have reason to believe your password has been stolen, you should change it, and make sure you change it on all of your accounts where you use the same or a similar password. If you shared your password with a friend, change it. If you saw someone looking over your shoulder as you were typing your password, change it. If you think you might have just given your password to a phishing website, change it. If your current password is weak, change it. If it will make you feel better or if you just feel like it’s time for a change, then by all means go ahead and change your password.”

(Lorrie Cranor, “Time to rethink mandatory password changes”, FTC Blog – summarizing the findings of various empirical studies)


Conclusion

As humans, we are bound to fail at some point when choosing passwords, in spite of good advice and the evolving tools designed to help us. Password managers and two-factor authentication reduce this risk but are not foolproof either. Some researchers argue that the way forward is to give up passwords completely. Read more about this approach and a comprehensive study of current authentication methods here.


References:

C. Kuo, S. Romanosky, L.F. Cranor, “Human Selection of Mnemonic Phrase-based Passwords”
J. Yan, A. Blackwell, R. Anderson, A. Grant, “Password Memorability and Security: Empirical Results”
Center for Internet Security, “Cyber Security Tips Newsletter”, August 2015, Volume 10, Issue 8
Lorrie Cranor, “Time to rethink mandatory password changes”, FTC Blog
“The Quest to Replace Passwords: A Framework for Comparative Evaluation of Web Authentication Schemes”