A Password is not a Pass-Word

From bank accounts to entertainment, our virtual life is wider than ever, and with the 4th industrial revolution is only meant to grow at an exponential rate. Within this redefined framework, the security of our virtual life will strongly depend on the passwords we choose to protect it.

In 2015 the password manager app Dashlane conducted an analysis on their clients revealing that every user owns an average of 90 accounts online. Therefore the amount of data we potentially expose online is massive and the issue of how to protect them must be addressed.

The question is: if you were to live in a house with 90 doors facing the street, how would you secure them so to minimize the risk of thieves breaking in? Out of metaphor, what should a strong password look like, one that could prevent unauthorized people from getting access to your virtual house?

A thief chooses what lock to pick taking into consideration two critical variables: the amount of time needed to force the door and what tools should be used. Similarly, the likelihood of a password cracking activity to be successful depends on how long it would take to decrypt a given password and on the availability of the technology to carry out the activity.

Hence, a password set to protect your virtual identity should have the same complexity level of a pickproof door.

But what makes a password secure? NIST, the National Institute of Standards and Technology of the U.S. Department of Commerce, has provided some standards aiming at guaranteeing a fair level of complexity. Companies worldwide have adopted best practices.

The most common rules are concerned with the length and the number of special characters a password should have, and with forcing periodic password changes. Also, safety questions have been set as a mean to safeguard users’ accounts by applying customized checks.

The idea is that increasing either the inner components of a lock – as by setting minimum requirements in lengths or increasing complexity imposing the mixed use of numbers, letters, capital letters, special characters, and so on – or the total number of locks and their periodic substitution, contribute to fortifying the doors.

Ironically, such measures not only have proved ineffective in securing accesses, but they have also increased the users’ exposure to risk and the probability of these virtual doors to be breached. Having to manage an average of 90 accounts requires our mind to carry 90 keys.

To reduce the burden, people tend to create passwords that are easy to remember and with common patterns, and at worst, to use a pass-word for all of their accounts.

For instance, in 2012 LinkedIn has registered a violation resulting in 164 millions of credentials being stolen including Zuckerberg’s ones, credentials granting access also to his Twitter and Pinterest account.

The SP 800-63 (Standard Publication) published by the NIST in 2017 has replaced the old standards shifting the burden from memorizing to replicating while preserving the same level of complexity: 

1) Whenever logging in, the “paste” function should be allowed in the password field so to facilitate the use of ‘password managers’ tools, a keychain that holds our passwords in a secure and encrypted way;

2) A blacklist of bad passwords to be forbidden should be in place;

3) A multiple factors identification system, following the logic ‘something you know’ and ‘something you have’, should be preferred as identification method over security questions and the door locks, for instance, should be paired  with an entrance guard device, that could be based on both a code or fingerprint identification technology.

Additionally, NIST strongly recommends to refrain from forcing password changes.

If the account is forced to a periodical password change, e.g. once every three months, the number of keys we are expected to collect and preserve for securing our virtual house reach 360 a year, creating an unrealistic expectation of finding the proper keychain.

In formulating the standards, the NIST recognizes that “Whenever humans are forced to change their passwords too often, they either apply a minor and predictable modification to the existing passwords, or they forget the new ones”.

Thus, verifiers shouldn’t force any password change unless there is evidence of breach. Indeed, such solution protects only from the probability that a cybercriminal might hack an account within the time frame between two forced changes.

If a password is compromised the change should be forced immediately; if there is no evidence of compromise the password is safe and no forced change is required. If we think back to the metaphor of the house with 90 doors, it becomes clear that changing every lock every now and then does not improve security by itself: changing the lock only if there are clear evidences that a thief has stolen the key is the best approach.

When answering the question on how the keys of our virtual life’s doors should look like, we may say that a password of 20 characters, including capital letters, numbers and special characters guarantees a fair level of complexity and prevents passwords from working as pass-words for undesired guests.

But setting an extremely complex password is just the first step in guaranteeing the security of our private virtual life: strong passwords should be coupled with efficient password manager tools and with the application of new best practices.


Check more related articles on our blog.