Why You Should Ignore Everything You Have Been Told About Choosing Passwords

This article is more than 9 years old.

We’ve all heard the recommendations of “experts,” the media, and even the US government: Use complex passwords. Use different passwords on every website. Change your passwords often.

Here’s why you should ignore these and several other suggestions so commonly repeated that people often accept them as true without question:

1. Using the same password for multiple accounts is sometimes preferable to alternatives.

Vis-à-vis passwords, the United States Federal Trade Commission warns:

Don’t use the same password for many accounts. If it’s stolen from you – or from one of the companies with which you do business – it can be used to take over all your accounts.

Likewise, American Express recently sent an email to customers advising “Use different passwords for all the sites you use.

I firmly disagree. While it is certainly true that passwords to sensitive sites should not be reused, it is perfectly acceptable to reuse passwords on sites whose security is of no concern to the user; for many people, such sites comprise a significant percentage of the sites for which they have passwords. For example, people today have a plethora of “accounts” created to access free resources; users provide no confidential information to these sites, nor do they perform any financial transactions with them. These “accounts” exist primarily for the benefit of the service providers, to track their users for all sorts of marketing purposes or to ensure that comments are ascribed to user handles. Often the information users provide to these sites is no more than an email address and a password. Is it truly of concern to users if a criminal who breached one such account gained access to the others? What real implications are there for the “victims” whose passwords were compromised, other than that a criminal will know what article topics a user with a particular email address likes? (While such information could be leveraged for social-engineering attacks, it likely can already be ascertained from social media sites and the like.) So, instead of creating many new passwords, why not accept that people have limited memories? If using the same or similar passwords on “no need to secure my information” sites allows a person to create and remember stronger passwords for the sites that truly matter, doing so may actually be preferable to a non-reuse approach. The one check that matters is that the throwaway password must never be the one used, or a close variant of the one used, on any account that does matter: stolen email-and-password pairs are routinely replayed against other sites, so the shared password should be worth nothing beyond the sites that share it.

2. Changing passwords too often may harm security instead of improving it

The AARP recently recommended that people:

“Change critical passwords frequently, possibly every other week”

That’s outright absurd. Consider how many passwords people have that are “critical.” Most people have passwords to access their bank accounts, credit card accounts, wireless accounts, Google and/or Apple accounts, etc., all of which can be classified as “critical.” Even with just five such accounts – and most people today likely have far more – changing passwords every two weeks would require someone to learn 130 new passwords a year (five accounts times 26 changes)! It’s not hard to imagine that such a scenario will lead to passwords being reused, modified only in part (e.g., the password after josephsteinberg1 becomes josephsteinberg2), or written down. Of course, following the AARP’s advice might also lead to people getting locked out of accounts after failed login attempts in which they enter old passwords – the frustration of which may ultimately cause them to abandon changing passwords altogether.

Passwords should be changed, but decide on the appropriate frequency for a particular system based on its sensitivity and importance.

3. Don’t “password panic” after reported breaches – and ignore the “experts” who “Cry Wolf”

Whenever a major data breach is reported in the news, “experts” quoted all over the media advise people to change their passwords. This response almost seems like a biological reflex – little thought is given, or analysis performed, before a chorus of voices chimes in with the usual generic security recommendations. After reports surfaced several months ago that Russian hackers had stolen 1.2 billion passwords from various Internet sites, for example, the Federal Trade Commission advised Americans to "Change the passwords you use for sensitive sites like your bank and email account — really any site that has important financial or health information.” NBC ran an article titled “Billion Passwords Stolen: Change All of Yours, Now!” that quoted a security professional as saying “There are certainly some sites I'm going to go to today and change my password… The worst that will happen is that you've changed your password…That's not a bad thing.”

This is outright bad advice.

As I wrote then, I am not convinced that the report of the 1.2 billion passwords being stolen was even accurate; no evidence seems to exist that it was. But, even if it was, not only was changing all of one’s passwords unnecessary as a result of this particular story – and, for the record, I did not change even a single one of my own passwords in the aftermath of that report – it could actually have increased a person’s risk. When people create many new passwords at one time they run into the limits of human memory and are more likely than otherwise to write passwords down (bad idea), store them on a computer (which, unless they are properly encrypted and the device is secured, is also a bad idea), or use identical or similar passwords on multiple sensitive sites (bad idea).

Also, as I explained after the Heartbleed bug earlier this year, when I suggested that people ignore the advice of “experts” who were recommending that everyone change his or her passwords en masse, when a vulnerability that allows systems to be compromised is publicized it is important not to change passwords on systems that may still be vulnerable. Once criminals know that there is a serious, widespread vulnerability they will certainly attempt to detect and exploit it. So, even if evildoers never exploited the vulnerability in the past and your password is still secure, if crooks breach the still-vulnerable system after the publicity and you have changed your password in the meantime, they will likely obtain the new one. If criminals stole your old password by exploiting a vulnerability that still exists, they can just as easily steal the new one; and if your old one was not stolen, changing it may cause the new one to be stolen. The risk of changing a password before the system is fixed can therefore outweigh the benefit; the time to change it is after the operator confirms the vulnerability has been remediated.

At a high level, the problem is even larger. Creating a false sense of urgency without investigating the facts is irresponsible, and puts people at risk when there is a real sense of urgency. How seriously do you think the multitudes of people who have repeatedly ignored the warnings from the FTC, security “experts,” and the media about the need to change passwords, and who suffered no harm as a result of ignoring such warnings, will take a future warning when it is actually necessary? Repeated false alarms undermine security; the government, media, and experts should exercise much greater caution lest the industry be transformed into the “Boy Who Cried Wolf.”

4. The human mind cannot remember many complex passwords, and, as such, using complex passwords leads to security risks.

The FTC advises:

The longer the password, the tougher it is to crack. Use at least 10 characters; 12 is ideal for most home users. Mix letters, numbers, and special characters. Try to be unpredictable – don’t use your name, birthdate, or common words.

While, in general, it is true that 12-character passwords that utilize a blend of letters, numbers, and special characters are “tougher to crack,” they are also difficult for humans to remember. The FTC’s advice might have worked well 20 years ago when people had one or two passwords; in today’s world, the FTC’s recommendation seems disconnected from reality: people simply have too many important passwords to use such a strategy. Using a long, complex password on one or two especially sensitive sites might be a good idea, but applying such a scheme to any significant number of passwords is likely to lead to people inappropriately reusing passwords, writing down passwords, and choosing passwords with poor randomization (e.g., choosing a capital for the first letter of a password, followed by all lowercase, and then a number) – any of which can seriously undermine security.

A far better approach than just telling people to use complex passwords is to advise them to classify the systems to which they need to secure access. The government does not protect unclassified systems the same way it does Top Secret infrastructure, and neither should you. Classify your systems and set your password policies accordingly; this need not be a formal process. Based on risk level, different password strategies may be employed: random passwords, passwords composed of multiple words possibly separated with numbers, passphrases (long passwords, sometimes full sentences), and even simple passwords each have their place. Of course, multifactor authentication can also augment security when available.
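To put numbers to the trade-off between the FTC’s “12 characters, mix everything” advice and the passphrase and patterned alternatives described above, here is an added example; it is not code from the article or its author. It assumes a 95-symbol printable-ASCII alphabet, a 7,776-word Diceware-style word list, and an offline guess rate of 10^10 guesses per second against a fast, unsalted hash; all three figures are modelling assumptions, not numbers the article gives. The “patterned” strategy models the capital-first, lowercase, trailing-digit habit the text warns about, and the comparison assumes every choice is made uniformly at random, which is the best case for each strategy.

```python
import math

# Modelling assumptions for the comparison (not figures from the article):
PRINTABLE_ASCII = 95        # printable ASCII symbols available to a fully random password
LOWER = 26                  # lowercase letters
UPPER = 26                  # uppercase letters
DIGITS = 10                 # decimal digits
DICEWARE_WORDS = 7776       # size of a Diceware-style word list (6**5 five-dice rolls)
GPU_GUESSES_PER_SEC = 1e10  # assumed offline rate against a fast, unsalted hash

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols, each chosen uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def random_password_bits(length: int) -> float:
    """Fully random password over printable ASCII: the FTC-style 'mix of everything'."""
    return entropy_bits(PRINTABLE_ASCII, length)


def patterned_password_bits(length: int) -> float:
    """The predictable shape the text warns about: capital first letter, lowercase
    filler, one trailing digit. An attacker who knows the shape need only try
    26 * 26**(length-2) * 10 candidates, whatever alphabet the user believes
    they drew from."""
    if length < 3:
        raise ValueError("the pattern needs at least three characters")
    return math.log2(UPPER) + entropy_bits(LOWER, length - 2) + math.log2(DIGITS)


def passphrase_bits(word_count: int) -> float:
    """Passphrase of `word_count` words drawn uniformly from the Diceware list.
    Fixed separators ('-', a digit between words) add nothing once the attacker
    knows the scheme; only the word choices count."""
    return entropy_bits(DICEWARE_WORDS, word_count)


def years_to_exhaust(bits: float, guesses_per_second: float = GPU_GUESSES_PER_SEC) -> float:
    """Years to try the whole keyspace at the given rate; the expected time to
    hit one specific password is half of this."""
    return 2.0 ** bits / guesses_per_second / SECONDS_PER_YEAR


def strategy_table() -> dict:
    """Entropy (rounded to 0.1 bit) and exhaustive-search years for each strategy."""
    strategies = {
        "random 12-char, 95 symbols": random_password_bits(12),
        "random 8-char, 95 symbols": random_password_bits(8),
        "Capital+lowercase+digit, 12 chars": patterned_password_bits(12),
        "4 random Diceware words": passphrase_bits(4),
        "5 random Diceware words": passphrase_bits(5),
        "6 random Diceware words": passphrase_bits(6),
    }
    return {name: (round(bits, 1), years_to_exhaust(bits)) for name, bits in strategies.items()}


if __name__ == "__main__":
    for name, (bits, years) in strategy_table().items():
        print(f"{name:36s} {bits:6.1f} bits   exhaustive search: {years:10.3g} years")
```

Under these assumptions a six-word passphrase (about 77.5 bits) lands within two bits of a fully random 12-character password (about 78.8 bits), while the patterned 12-character password collapses to about 55 bits, roughly on a par with a random 8-character one, and would be exhausted in weeks rather than in a million years. The passphrase is the one of the three a person can actually remember. Two caveats: a human-chosen phrase or password is far weaker than the uniform model here, and the guess rate assumed is for a fast hash; a site that stores passwords with a deliberately slow hash such as bcrypt, scrypt or Argon2 divides it by several orders of magnitude.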

5. People need to provide passwords over the phone, so telling people not to do so is not an effective way to protect them.

The FTC recommends that people:

Don’t share passwords on the phone, in texts or by email. Legitimate companies will not send you messages asking for your password. If you get such a message, it’s probably a scam.

It would be nice if legitimate businesses never asked people their passwords over the phone; but, they do so on a regular basis. The correct advice is not that people should never provide a password over the phone or email, but that they should provide it only if they initiated contact with the party requesting it. If you call the number on the back of your credit card in order to reach your credit card company, or dial the number that appears every month on your cellphone bill in order to reach your wireless carrier, for example, it is reasonably safe to provide your password when asked. Just don’t offer it during a conversation with someone who initiated contact with you; instead, always call back using a known number dialed directly from a known phone line.

Here is the bottom line: cybersecurity is about people. And, as I have described with regard to phishing as well, when people’s limitations are ignored, cybersecurity suffers. Much oft-repeated password advice is true in theory, but when put into practice it can underdeliver or be outright counterproductive; human limitations can transform techniques meant to strengthen passwords into mechanisms that undermine security.

To be fair, if someone is going to secure passwords in a properly encrypted, remotely-destructible, firewalled and otherwise defended, computer-based password storage system, then using complex passwords, changing passwords every other week, or modifying passwords en masse, may be fine. But, realistically speaking, how many people truly and fully do so?

So, as discussed above, stay calm, and apply security as appropriate for each of the systems that you use.

Follow me on Twitter at @JosephSteinberg