Thursday, February 13, 2014

Are Password Restrictions Doing More Harm Than Good?

Many sites have developed ridiculously high standards for passwords in an attempt to get people to stop using common passwords such as “password” or “letmein”. In doing so, however, many websites risk inadvertently making passwords worse. Restrictions matter, but they should be set with regard to the importance of the material being protected, and with guidelines that do not hurt the quality of the password.

What Websites Are Doing Wrong

Some websites limit how many months a user may keep each password. Arguably, this is one of the most harmful requirements. “Requiring frequent password changes often causes users to develop predictable patterns in their passwords”, says Mark Burnett. To make matters worse, frequently changed passwords are harder to keep track of. As a result, more people write them down in a password book, which is one of the first items a thief will take.

Assigned passwords are also among the most harmful restrictions. While they may keep “password” from making an appearance, they also stop users who are good at choosing passwords from keeping their information as secure as they otherwise would have. They also assist in password cracking, since attackers can automatically eliminate candidate passwords that don’t fit the assigned pattern.

Possibly the easiest way to figure out all of someone’s passwords is through “forgot password” links, which usually ask simple questions such as “What’s your mother’s maiden name?” or “What was the name of your first pet?”. These questions are particularly bad for people with accounts on social media sites, whose passwords can be stolen through a technique called “nabbing”: using the information easily found on those sites to answer the questions.

What Websites Could Do Instead

Websites need to keep in mind the importance of the information they’re trying to protect. If you’re signing into an account that only lets you comment on funny cat videos, you don’t need the same level of security as a government official guarding top secret files. In fact, sites like those probably don’t need any password restrictions at all, since you’re in more danger of forgetting your password than of having it cracked.

Personally, I think passwords should be treated like usernames. If a password is already taken, then no one else should be allowed to use it. This would completely eliminate the issue of common passwords while still allowing people to use the password of their choice, provided that it’s original.

It doesn’t hurt for users to be required to change passwords occasionally on sites that guard important information, but not more than once every few months. While I don’t feel this is the best approach to solving the issue of password security, many believe in it strongly, and if you’re decent at remembering passwords, it isn’t a bad idea.

What You Can Do

Source: xkcd

Choosing a secure password doesn’t have to be painful. Security is important, but if you think you’ll have trouble remembering the password, there’s probably a better way to go about creating it. Keep in mind that most websites allow spaces, which add another level of complexity without making your password difficult to remember. Being able to recall your password should be a priority. It doesn’t matter how complex a password is; if you need to write it down to remember it, then it isn’t secure.

So how exactly should you choose a password? I recommend using Correct Horse Battery Staple. This method involves choosing a number of randomly generated words (usually four) and optionally adding capitals, spaces, or numbers. You can find a word generator specifically for this purpose here.
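To make the advice concrete, here is an added example (my own code for this edit, not from the original post, xkcd, or the word generator it links to) that generates a passphrase in the Correct Horse Battery Staple style using the operating system's cryptographic random source, and then compares the search space of that approach with the assigned-pattern style of policy criticised earlier in the post. The word list is a constructed sample of 32 words so the block runs as-is; a real generator uses a list of thousands of words, and the 2048 and 7776 list sizes used in the comparison are assumptions taken from the xkcd comic and the Diceware convention respectively. The pattern notation (`U`, `l`, `d`, `s`, `a`) is invented here for illustration. Everything runs offline, which is the safe way to check strength rather than pasting a password into a third-party "strength checker".

```python
"""
Passphrase generator and policy search-space comparison.
Added example for this page; not the original post's code.
"""
import math
import secrets

# Constructed sample word list, deliberately short so the example runs as-is.
# A real generator draws from thousands of common words; only the list size
# and the uniform random choice matter for strength, not the words themselves.
SAMPLE_WORDS = [
    "correct", "horse", "battery", "staple", "river", "candle", "window",
    "garden", "pencil", "orange", "silver", "planet", "rocket", "bridge",
    "forest", "yellow", "marble", "ladder", "button", "cloud", "tiger",
    "copper", "island", "pepper", "violin", "summer", "anchor", "puzzle",
    "velvet", "meadow", "saddle", "walnut",
]

# Size of each character class an assigned pattern can demand (assumed
# notation): U=uppercase, l=lowercase, d=digit, s=symbol (the 32 ASCII
# punctuation characters), a=any of the 94 printable non-space ASCII characters.
CLASS_SIZES = {"U": 26, "l": 26, "d": 10, "s": 32, "a": 94}


def generate_passphrase(words=SAMPLE_WORDS, count=4, separator=" "):
    """Pick `count` words uniformly at random, with replacement, from `words`.

    secrets.choice draws from the OS CSPRNG; random.choice is predictable and
    must not be used for passwords. The default separator is a space, which
    most sites accept, as the post notes.
    """
    if count < 1 or not words:
        raise ValueError("need at least one word and a non-empty word list")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_entropy_bits(list_size, count):
    """Entropy in bits of `count` words chosen uniformly from `list_size` words."""
    return count * math.log2(list_size)


def pattern_keyspace(pattern):
    """Number of passwords that fit an assigned per-position pattern.

    "Ullllldd" means: one capital, five lowercase letters, two digits. This is
    the space an attacker has to search once the pattern is known, which is
    why the post says assigned patterns help password cracking.
    """
    space = 1
    for ch in pattern:
        if ch not in CLASS_SIZES:
            raise ValueError(f"unknown pattern class {ch!r}")
        space *= CLASS_SIZES[ch]
    return space


def pattern_entropy_bits(pattern):
    """Bits of entropy of a password that is forced to follow `pattern`."""
    return math.log2(pattern_keyspace(pattern))


def compare_policies():
    """Return (policy name, bits) pairs for several policies, weakest first.

    Eight truly random printable characters are strong but not memorable;
    four or five random words reach comparable strength and can be recalled.
    """
    policies = {
        "assigned pattern Ullllldd (8 chars)": pattern_entropy_bits("Ullllldd"),
        "any 8 printable characters": pattern_entropy_bits("a" * 8),
        "4 words from a 2048-word list": passphrase_entropy_bits(2048, 4),
        "4 words from a 7776-word (Diceware) list": passphrase_entropy_bits(7776, 4),
        "5 words from a 7776-word (Diceware) list": passphrase_entropy_bits(7776, 5),
    }
    return sorted(policies.items(), key=lambda kv: kv[1])


if __name__ == "__main__":
    print("Example passphrase:", generate_passphrase())
    for name, bits in compare_policies():
        print(f"{bits:5.1f} bits  {name}")
```

The comparison shows the point the post makes in two numbers: a password forced into the pattern "capital, five lowercase, two digits" has roughly 35 bits of entropy, while four random words from a 2048-word list have 44 bits, and the words are far easier to remember. Adding a fifth word from a larger list pushes the figure past 60 bits.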

Maybe you want to use your own system, but you’re not sure how secure it is. Checking is simple enough, but you need to watch out for sites that claim to check the strength of your password. Many of them are actually stealing it. If you’re looking for a safe one, I’d recommend going to this website.

Stay secure!

Conclusion, updated March 6th, 2014
A few of you have commented on my idea of treating passwords like usernames, expressing disagreement. The issue you brought to my attention was the potential difficulty of choosing a password on larger sites that incorporate this system. While I feel this wouldn't be an issue, considering the Correct Horse Battery Staple system would work for choosing untaken usernames virtually every time, it did inspire me to search for further issues that could be caused by the idea. I came to the realization that hackers might be able to use this system to their advantage by keeping track of which passwords are taken, particularly on smaller websites. I'd like to thank those who commented for helping me to come to this conclusion.

One commenter (Holly Gerla) also mentioned a useful strategy I seem to have left out. One good method of keeping unique passwords for different websites is to insert your password between the initials of the site. Her examples include "F*insertpasswordhere*B". I'd like to add that I've seen different variations of this system, including using the first two letters, or the first and the last. I'd like to thank Ms. Gerla for her contribution.

It's been excellent hearing feedback from all of you. I'm very happy to hear so many of you found it helpful, and I'm grateful to have made a positive (hopefully) impact on your views regarding passwords. I wish you all good luck with passwords in the future, and I thank you again for taking the time to read and comment.

17 comments:

  1. Very well written and informative piece. I learned quite a bit about passwords. I've had my email account hacked and your article gave me some great insights on how to create better passwords. Nicely done!

    1. Thank you for taking the time to comment! I'm glad you found it helpful. I hope you have better luck with passwords in the future.

  2. This is a well thought through, excellent article concerning the topic of the security of passwords. It had never occurred to me that sites might be saving passwords when they "checked the strength". I was a little surprised when I read that some sites require the users to change their passwords, I've never had a site ask me to do that. Thanks to this article I'm definitely thinking about what sort of passwords I'll be using in the future, as well as possibly changing the ones I have right now.

    1. I really appreciate hearing your feedback, and I'm glad you enjoyed the article. It's always good to hear that someone is surprised by something I write, as it means I've accomplished my goal by teaching you something.

  3. This has been helpful. I used to just think of a random word and use that for all my things (occasionally I would put a number after it), but this has given me a new way to create safe passwords. Thanks!

    1. Of course! Thank you for commenting. I'm glad I've inspired improvement in your choices of passwords.

  4. Hey Markie, your post was very detailed about all of the reasons how and why some passwords can be stolen or ineffective. I also like the memorization idea of the "correct horse battery staple." I personally use mnemonics to memorize ideas, and I believe that this method works. However, about the idea of using unique passwords for every user, I am curious as to why this is better. Don't you think that this could make it more difficult to memorize a password? Also, for bigger websites such as Facebook, Twitter, etc., wouldn't there be such a massive percentage of the populace who already would have had accounts, which increases the complexity of the passwords? Anyway, this article has informed me about many ways to make passwords and to possibly change the ones that I already have.

    Thanks
    -NDS

    1. Hello, NDS! Thanks for taking the time to comment. Mnemonics are a great way to memorize passwords too. As for your question, the increase in complexity is part of the purpose. Under this system, passwords wouldn't be as hard to memorize as you might think. It'd only be about as difficult as choosing a unique username, with added ease considering it doesn't need to be something you'd like to be referred to as. If you do a search on any site using a username following Correct Horse Battery Staple, it'd be very unlikely to find a match.

      -Markie

  5. Hi Markie~
    This was not only informative, but it was also quite reassuring as well! Now I know what I should do in the event of choosing a password!! My question is: for every website or anything that you sign up for, should you keep your password the same? Or should you make every password different? You did a great job with your thesis, and your conclusion concluded it very well.
    Thanks,
    Duncan09

    1. Hello, Duncan09! Thank you for the feedback. I'm glad you felt reassured. As long as you can remember another password, it's always a good idea to use a new one, especially for your email. Once again, it's important to balance security with ease of memorization. Sites that don't guard sensitive information can all have the same password without much harm done, if you so choose. If you still feel worried, you can try to use a theme with your passwords to make them easier for you to associate with each other and the site you're using them on. Good luck, -Markie

  6. Hello Markie!
    I found your article to be very interesting, and it opened up a lot of new ideas for me. I found your choice of a topic to be a really good one because of the importance passwords carry and the issues of websites being too strict about them. I also really liked your choice of a photo. It gave a good reason why websites should lower their standards for passwords, because computer-generated passwords are too hard to memorize. In addition, putting in the information about the Correct Horse Battery Staple was very helpful because it made password creation much easier. Overall, I think that you spoke your opinion very clearly and well, and that you gave many good reasons to support it. My question for you is: do you think it would be a good idea for websites to offer assigned passwords if you want one, but also allow you to create your own unique password if you choose to do so?
    Great Work!
    PinkDancer

    1. Hello, PinkDancer! I very much appreciate your comment. Personally, I don't feel that it's necessary. If you'd like an assigned password, you can always use a password generator. If you're looking for passwords similar to those typically generated, I'd recommend using this one:
      https://identitysafe.norton.com/password-generator#
      It certainly wouldn't hurt to include it as an option, however.

      -Markie

  7. Hi Markie, I found your blog to be very well written and engaging. Great job! I especially liked how you talked about the Correct Horse Battery Staple. I could use that in the future. I like to use the same password for most websites, but after reading your blog, I definitely think changing the password would be the better choice. I noticed you mentioned that you think passwords should be like usernames, where only one person can use it. However, I find that this could be challenging. Oftentimes, the username I pick is already chosen, so I have to keep adding characters, usually numbers, to my username. This makes it harder for me to memorize the username, because it is longer. If we do this to passwords, do you think it could raise a problem? Once people begin to add letters and numbers to their passwords (since the common ones are already taken), they will get longer and more complicated and therefore harder to memorize. What would your solution be? Overall, you did a fantastic job! --Girl15

    1. Hello, Girl15! I'm glad you found my article interesting! Like I said in my reply to Duncan09, it really wouldn't be as hard as you might think. When you're choosing a username, you're looking for something you'd want to be called. However, passwords don't have those restrictions. If you use Correct Horse Battery Staple for usernames, it's extremely unlikely you'll find a match.

      Thanks again, -Markie

  8. Hi Markie: I am fascinated by many bits of information and advice in your post. I never really thought about having spaces in my passwords! I agree that it makes sense to put most of your energy devising secure passwords into your most important sites, and not worrying quite so much about the cat videos. I happened to be listening to a security expert on an NPR podcast recently who said she keeps track of her most important (and complex) passwords by writing them down. She believes that the risk of losing something by storing it online is far greater than having someone break into her home and recognizing what a password is and what site it's for. Another idea worth pondering! You can listen to Julia Angwin here: (http://www.npr.org/blogs/alltechconsidered/2014/02/24/282061990/if-you-think-youre-anonymous-online-think-again) --Ms. Riches

    1. Hello, Ms. Riches! I'm happy to have made you consider passwords in a new way. While I believe writing down passwords should be somewhat of a last resort, it sounds as if she put careful consideration into balancing security and ease of memorization. If that's what is necessary for her to remember her passwords and she's aware of the risks, that's alright. Before following her advice, however, you should remember it's never a good idea to leave a password book in an obvious place.

      -Markie

  9. Markie,
    This is so well done, thank you. You have shared with us some very practical advice on a topic many people don't seem to spend enough time really thinking about. Data security is a big deal! Personally, I use a combination of strategies for generating passwords, but I also use a program called "1 Password" that stores all of them for me, as I currently have 133 accounts online (might be time to scale back). I did read once that a good strategy for making passwords unique for each account is to come up with one good password (probably using correct horse battery staple as a starting point) that you can memorize, and then adding letters to the beginning and end that represent the service into which you are logging in. For example, for Facebook, my password would be F*insertpasswordhere*B, and for Gmail, it would be G*insertpasswordhere*M. Does that make sense? I've never actually tried it myself, but it seems like good advice, especially if you truly have a password that you've memorized, but would like to make something unique for each service. Anyway, thank you for your contribution to the blog, here. It's very helpful information!!
