Perfect Passwords

Today, we are bombarded with a plethora of 'recommendations' on how to choose a good password and they all seem at best random and at worst contradictory. There are explicable reasons for this, albeit no neccesarily good ones.

Each recommendation is designed to defend against a particular weakness with the whole password-based approach to authentication. But because each approach only defends against one specific vulnerability, it leaves itself open to all the other vulnerabilities. So along comes another recommendation to deal with that, and the whole vicious circle repeats itself. So lets lift the lid on what's going on, to see how we can improve things (plot spoiler: don't use just passwords! Use multi-factor authentication, MFA, sometimes also called 2-factor authentication or 2FA, wherever it's available).

Historic advice about passwords was constrained by a combination of technical limitations and 'organisational culture'.

The first limitation, technical, resulted in constraints on password length. Even as late as the early 90s, the memory and disk hardware that computers needed to work was still relatively expensive, and so it couldn't be considered a 'consumable resource' in the way it is today. There the software that ran on them couldn't take quite the liberties that developers can today [the subject of another post!] . Every byte cost money, and devoting any of it to something not obviously required ("who's going to remember a 20 character password ?") wasn't going to happen: so passwords were limited in length.

With only 8, 10 or 12 characters to play with to store the password, it was essential to mix those characters up as much as possible to make it difficult to guess the password, hence all of the nonsense about "must contain upper case, lower case, numbers, 'special characters', etc." ("All characters are special" -- @troyhunt). But that results in passwords which are difficult to remember, and as a consequence, produces an entirely different set of vulnerabilities.

Because passwords were difficult to remember people, entirely understandably, wrote them down and reused them across multiple systems. The latter activity meant that when one systems was breached, the attacker had a fair chance of getting hold of a password which would work on many other systems. The former behavior increased the risk that passwords could simply be easily stolen, exacerbating the latter problem.

To deal with these problems, 'rules' were developed.

No one is quite sure where the rule to "change you password regularly" came from, but it's been embeded in audit requirements as long as anyone can remember. As alluded to above, regularly changing your password may defend against one kind of vulnerability (a breached password is like to get changed soon, reducing the window of opportunity for it to be exploited) but it complete fails to recognise the more fundamental problem which is that people are really bad at choosing passwords: coupled with the restricted set of passwords that people can construct (the historic 8 or 12 character limit) and it was almost inevitable that folks would pick passwords like 'p@ssw0rd' or 'qwerty123'. When you pile on top of that the need to change passwords every month, or whatever, it was entirely foreseeable that people would simply change their passwords to 'p@ssw0rd1' or 'qwerty124', thus adding absolutely no additional security whatsoever, and sometime actually reducing it as folks struggled to meet increasingly absurd requirements designed to meet an entirely flawed security model.

Please don't use any of the following in your password, as these were the top most frequently breached passwords!