Those Annoying Password Rules

Are you required to change your password every quarter? Do you have to include special characters in your passwords? It is annoying but also easy to update your password, right? Just add a “1” at the end of it. Then, next month or quarter, change the “1” to a “2,” and so on. Unfortunately, such cleverness is well known to hackers, as are many other tricks.

Does your system require you to include special characters in your password? Most do. So, you type a “3” instead of an “E” in your favorite sports team’s name. Or a “1” instead of an “i” or “L.” Unfortunately, those are not original ideas either.

Bad guys study databases of stolen passwords on the dark web, where all those simple patterns jump right out. That makes it easy for the hackers trying to crack your “new” passwords.

Now cybersecurity pros say the well-intended rules are proving counterproductive. Studies have found that many rules for creating and changing passwords are not making systems more secure. They’re hurting.

For example, when we get a “time to change your password” notice (again), people get annoyed and frustrated. How can we remember all our passwords, let alone when we must change them every quarter? So, we look for an easy way to remember. We add an extra “!” to the end of the old password, then “!!” next time.

Or we alternate, switching back and forth between a prior and current password. That’s also a bad idea. With so many breaches, there’s a chance your old password is already compromised—it’s why IT wants you to change passwords in the first place.

Are the rules wrong?

IT developed the rules to encourage passwords that are harder to crack and make them a “moving target” so they stay ahead of hacks. But another “rule” is at work: the rule of unintended consequences.

Here’s how that works. People are impatient with passwords, let alone rules for passwords. So they end up taking shortcuts, like those noted above. And so doing, they fail to create truly new and difficult passwords.

In her cybersecurity research, Carnegie Mellon University Professor Lorrie Cranor looks at human behavior as much as at technology. Her findings are not surprising: People are smart but also lazy. Maybe “lazy” is harsh. We’re busy and impatient with the nuisance of passwords. We cannot remember them! So, we try to make it easy on our memories. But criminals anticipate our go-to strategies. The bad guys are way ahead of us.

So, the experts are beginning to reevaluate the rules. One of the most important changes is that they are allowing or requiring longer passwords, which are harder to crack. And they are building into their systems prohibitions against the worst (but still common) passwords like “password,” 123456, qwerty and other “top 100” easy passwords. It is surprising how even many large companies have not been doing this.

What to do

Password policy is not in the hands of shared services and accounts payable managers, let alone vendor information management practitioners. But experts are recommending that IT should:

  • Not require users to reset their passwords too frequently
  • Don’t allow the use of any passwords that appear on lists of leaked and easily guessed passwords
  • Provide automatic password-strength estimates when someone is setting up a password—and make sure to use current research in the estimates
  • Warn against simplistic use of special characters
  • Encourage people to use longer passwords

What you should do:

  • Never reuse passwords
  • Don’t use personal information in a password, e.g., name, birthdate, pet name, favorite team, group or celebrity—between public records and social media, little of that is private.
  • Make your password long—”longer is stronger”
  • Create a password out of four random words of five or so letters and string them together (you can remember the words, but they form a long password with 26 variables in each position) or
  • Come up with a unique, memorable phrase and select the first letter of each word in the phrase (do NOT use common phrases or a line from a movie).

While these are not failsafe, they make it harder for someone to crack your password.

What else?

Use device-based multi-factor authentication (MFA) everywhere you can. MFA is much more effective than a password alone. Of course, given the Willy Sutton rule, attacks on MFA are on the rise. But MFA attacks begin with compromised or stolen passwords! So, password security comes first. And MFA still offers far better protection than a password alone. (Stay tuned for a forthcoming story on MFA “fatigue” attacks.)

Many experts still recommend using a password manager, though ask IT to research and recommend the best. Unfortunately, some password managers—whose one job is to protect security credentials—have been hacked!

Security necessarily must continually evolve. And newer, better ideas are on the way. For example, passkeys are a password-less login method that is more convenient and harder to hack than password entry. Apple is already implementing this in several areas.

In the meantime, be cognizant of the risks and the importance of security protocols. And avoid transmitting or encouraging your suppliers and internal staff to transmit sensitive information via email, which is a top target for hackers and can lead to payment fraud.

Similar Posts