Perfect Passwords

Today, we are bombarded with a plethora of 'recommendations' on how to choose a good password, and they all seem at best random and at worst contradictory. There are explicable reasons for this, albeit not necessarily good ones.

Each recommendation is designed to defend against a particular weakness of the whole password-based approach to authentication. But because each recommendation only defends against one specific vulnerability, it leaves itself open to all the others. So along comes another recommendation to deal with that, and the whole vicious circle repeats itself. So let's lift the lid on what's going on, to see how we can improve things (plot spoiler: don't use just passwords! Use multi-factor authentication, MFA, sometimes also called 2-factor authentication or 2FA, wherever it's available).

Three random words

If you have to remember a password -- and you shouldn't have to do that except in a couple of limited cases, see later -- then you should choose one that is "long and strong".

To make a strong password, combine three random words with some punctuation and numbers. For example, combine the three words potato, carton, newspaper to get the strong password "potato.carton3newspaper".

Historic advice about passwords was constrained by a combination of technical limitations and 'organisational culture'.

The first limitation was technical, and it resulted in constraints on password length. Even as late as the early 90s, the memory and disk hardware that computers needed to work was still relatively expensive, so it couldn't be treated as a 'consumable resource' in the way it is today. Therefore the software that ran on them couldn't take quite the liberties that developers can today [the subject of another post!]. Every byte cost money, and devoting any of it to something not obviously required ("who's going to remember a 20 character password?") wasn't going to happen: so passwords were limited in length.

With only 8, 10 or 12 characters available to store the password, it was essential to mix those characters up as much as possible to make the password difficult to guess, hence all of the nonsense about "must contain upper case, lower case, numbers, 'special characters', etc." ("All characters are special" -- @troyhunt). But that results in passwords which are difficult to remember, and as a consequence produces an entirely different set of vulnerabilities.
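To make the "long and strong" argument concrete, here is an added example (not code from the original post) that does two things: it builds a three-random-words password in the style of "potato.carton3newspaper" using the operating system's CSPRNG, and it puts numbers on the comparison between a short mixed-character password and three random words. The word list is a constructed stand-in; the 7776-word list size used in the comparison is an assumption about what a real generator would use, and the entropy figures assume every choice is uniformly random, which human-chosen passwords never are.

```python
import math
import secrets
import string

# Constructed sample word list for the demonstration only. A real generator
# would draw from a list of several thousand common words: entropy per word is
# log2(list size), so a 7776-word list gives about 12.9 bits per word.
SAMPLE_WORDS = [
    "potato", "carton", "newspaper", "bridge", "lantern", "meadow",
    "copper", "violin", "harbour", "pencil", "thunder", "saddle",
]

# Separators placed between words: a little punctuation plus digits.
SEPARATORS = ".-_!" + string.digits


def three_random_words(words=SAMPLE_WORDS, n_words=3, choose=secrets.choice):
    """Build a password from n_words randomly chosen words joined by randomly
    chosen separators, e.g. 'potato.carton3newspaper'.

    The chooser defaults to secrets.choice (the OS CSPRNG); it is injectable
    only so the construction can be tested deterministically.
    """
    picked = [choose(words) for _ in range(n_words)]
    parts = [picked[0]]
    for word in picked[1:]:
        parts.append(choose(SEPARATORS))
        parts.append(word)
    return "".join(parts)


def entropy_bits_words(n_words, wordlist_size, n_separators=None,
                       separator_alphabet=len(SEPARATORS)):
    """Guessing entropy in bits for the word scheme: each word chosen
    uniformly from wordlist_size candidates, each separator uniformly from
    separator_alphabet symbols (default: one separator between each pair)."""
    if n_separators is None:
        n_separators = n_words - 1
    return (n_words * math.log2(wordlist_size)
            + n_separators * math.log2(separator_alphabet))


def entropy_bits_chars(length, alphabet_size):
    """Guessing entropy in bits for a password of `length` characters, each
    chosen uniformly at random from alphabet_size symbols."""
    return length * math.log2(alphabet_size)


def compare_schemes(wordlist_size=7776):
    """Contrast the historic 8-character password with three random words.
    Both sides assume perfectly random choices; real human choices are far
    less random, which only widens the gap in favour of the word scheme."""
    return {
        "8 chars, lower case only (26)": round(entropy_bits_chars(8, 26), 1),
        "8 chars, all printable ASCII (95)": round(entropy_bits_chars(8, 95), 1),
        "3 words, no separators": round(entropy_bits_words(3, wordlist_size, 0), 1),
        "3 words with 2 separators": round(entropy_bits_words(3, wordlist_size), 1),
    }


if __name__ == "__main__":
    print(three_random_words())
    for scheme, bits in compare_schemes().items():
        print(f"{scheme}: {bits} bits")
```

The point the numbers make: three words from a 7776-word list already match an 8-character password drawn from the whole lower-case alphabet, and the separators push it close to an 8-character password drawn from every printable ASCII character, while remaining something a person can actually remember.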

Because passwords were difficult to remember, people, entirely understandably, wrote them down and reused them across multiple systems. The latter meant that when one system was breached, the attacker had a fair chance of getting hold of a password which would work on many other systems. The former increased the risk that passwords could simply be stolen, exacerbating the latter problem.

To deal with these problems, 'rules' were developed.

No one is quite sure where the rule to "change your password regularly" came from, but it has been embedded in audit requirements for as long as anyone can remember. As alluded to above, regularly changing your password may defend against one kind of vulnerability (a breached password is likely to get changed soon, reducing the window of opportunity for it to be exploited), but it completely fails to recognise the more fundamental problem, which is that people are really bad at choosing passwords. Coupled with the restricted set of passwords that people could construct (the historic 8 or 12 character limit), it was almost inevitable that folks would pick passwords like 'p@ssw0rd' or 'qwerty123'. When you pile on top of that the need to change passwords every month, or whatever, it was entirely foreseeable that people would simply change their passwords to 'p@ssw0rd1' or 'qwerty124', thus adding absolutely no additional security whatsoever, and sometimes actually reducing it as folks struggled to meet increasingly absurd requirements designed for an entirely flawed security model.

Please don't use any of the following in your password, as these were the most frequently breached passwords!

NCSA breached password list

In a review undertaken in 2019, the UK's NCSA identified the following as the top 20 most common words in use as passwords. Please don't use them anywhere in yours.

123456 123456789 qwerty password 111111 12345678 abc123 1234567 password1 12345
1234567890 123123 000000 iloveyou 1234 1q2w3e4r5t qwertyuiop 123 monkey dragon
123456a 654321 123321 666666 1qaz2wsx myspace1 121212 homelesspa 123qwe a123456
123abc 1q2w3e4r qwe123 7777777 qwerty123 target123 tinkle 987654321 qwerty1 222222
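The two failure modes described above, the 'p@ssw0rd' to 'p@ssw0rd1' rotation and the reuse of the breached strings in this list, are both things a system can check for at the point a password is set. The following is an added example (not code from the original post or from any particular product) of such a check: it embeds the 40 strings listed on this page, rejects any new password that contains one of them anywhere, and, when the previous password is available for comparison, rejects a new password that is only a trivial variant of it (same string once trailing digits and punctuation are stripped, a case-only change, or a single-character edit). The minimum length of 12 and the edit-distance threshold are assumptions chosen for the demonstration.

```python
import string

# The 40 breached passwords listed on this page (UK NCSA 2019 review).
BREACHED_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "111111", "12345678", "abc123",
    "1234567", "password1", "12345", "1234567890", "123123", "000000", "iloveyou",
    "1234", "1q2w3e4r5t", "qwertyuiop", "123", "monkey", "dragon", "123456a",
    "654321", "123321", "666666", "1qaz2wsx", "myspace1", "121212", "homelesspa",
    "123qwe", "a123456", "123abc", "1q2w3e4r", "qwe123", "7777777", "qwerty123",
    "target123", "tinkle", "987654321", "qwerty1", "222222",
}


def contains_blocklisted(password):
    """Return the breached strings that appear anywhere in the candidate,
    ignoring case. Short entries such as '123' deliberately match inside
    longer passwords, as the page's advice ('anywhere in yours') requires."""
    lowered = password.lower()
    return sorted(entry for entry in BREACHED_PASSWORDS if entry in lowered)


def _edit_distance(a, b):
    """Levenshtein distance via the usual dynamic-programming table."""
    previous = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        current = [i]
        for j, cb in enumerate(b, start=1):
            current.append(min(previous[j] + 1,          # deletion
                               current[j - 1] + 1,       # insertion
                               previous[j - 1] + (ca != cb)))  # substitution
        previous = current
    return previous[-1]


def _stem(password):
    """Lower-case and strip trailing digits/punctuation so that 'p@ssw0rd1'
    and 'p@ssw0rd!' collapse to the same stem as 'p@ssw0rd'."""
    return password.lower().rstrip(string.digits + string.punctuation)


def is_trivial_variant(new, previous, max_edits=1):
    """True when the new password is effectively the old one: identical but
    for case, identical once the trailing counter is removed, or within
    max_edits single-character changes (assumed threshold)."""
    new_l, prev_l = new.lower(), previous.lower()
    if new_l == prev_l or _stem(new) == _stem(previous):
        return True
    return _edit_distance(new_l, prev_l) <= max_edits


def check_password(new, previous=None, min_length=12):
    """Return a list of problems with the candidate; an empty list means it
    passed. min_length of 12 is an assumed policy value."""
    problems = []
    if len(new) < min_length:
        problems.append(f"too short: {len(new)} < {min_length} characters")
    hits = contains_blocklisted(new)
    if hits:
        problems.append("contains breached password(s): " + ", ".join(hits))
    if previous is not None and is_trivial_variant(new, previous):
        problems.append("trivial variant of previous password")
    return problems


if __name__ == "__main__":
    for candidate, old in [("p@ssw0rd1", "p@ssw0rd"),
                           ("qwerty124", "qwerty123"),
                           ("potato.carton3newspaper", "qwerty123")]:
        print(candidate, "->", check_password(candidate, old) or "ok")
```

Note what this check does not do: a server that can compare the new password with the old one in plain text has both in memory at that moment, so the comparison belongs at the change-password handler, where the user has just supplied both, not in offline storage. The blocklist embedded here is only the page's 40 entries; a real deployment would check against a far larger breached-password corpus.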