Passwords and why they suck

Publication date: 2022-05-18

A lot of history here, a lot of data loss, a lot of battles with your users. Passwords are essential in the modern world, or at least it seems so. So what is going on here?

There’s an 80s story about one of the first vibrant hacker communities at MIT, its member Richard Stallman, and passwords. You can like him or despise him, but in the early days he was notorious for fighting a fight against passwords, and not in a good way, I might say. At least in the eyes of IT professionals and the reality we live in.

If you don’t know what I’m referring to, don’t worry. Simply speaking, before there was the Internet of today there was the ARPAnet at MIT, a smaller network of interconnected machines. If you knew enough, you could access the ARPAnet, but you needed to know or have access credentials. What Stallman did was publish his user credentials and release them to the “public”. He often used the same string as both login and password, as an act of rebellion and defiance. (Sounds like something you’ve seen nowadays?)

This was his hacker and somewhat idealistic world view that played a role here. According to Free as in Freedom: Richard Stallman’s Crusade for Free Software, he said this about his motivations:

“[When] passwords first appeared at the MIT AI Lab I [decided] to follow my belief that there should be no passwords,” Stallman would later say. “Because I don’t believe that it’s really desirable to have security on a computer, I shouldn’t be willing to help uphold the security regime.”

To read it today is… strange. Can you imagine having your own computer open to everyone, letting anyone access anything? Exactly, me neither. This unrest you feel at the back of your head is exactly why passwords were implemented and used practically since computers were adopted in companies and in our homes. Privacy – an essential need of every human being (I guess).

While Stallman’s views were extreme, passwords have always been an inconvenience for users and are still viewed as such by some, especially when frequent password changes are forced by administrators and security policies. For a long time this was an inconvenience that, compared to other options, was and still is extremely convenient. You’ll see what I mean if you follow me and the story here.

To put it simply… there is more than one problem but let’s start from the top.

In your life on the internet, you have most likely experienced an irritating situation where you create an account in a service, set the password and see the instructions “Your password must be at least 8 characters long, not longer than 20 and contain at least: one uppercase character, one number, one special character”, blah, blah, blah. We all know the line that specifies the password complexity rule, and this is one of our problems.

Why? Well… humans will be humans. We do the bare minimum to satisfy the rule and move on. I know I did. A few times. This produces the kind of simple passwords you might have seen, like Pa$$w0rd. Thousands or hundreds of thousands of passwords like those are leaked in breaches every year. You might even have seen news stories like this one: or maybe this one.

Another one of the problems? Enforcing frequent password changes. If you don’t know what I mean, just think about the time when it got so irritating always having to change the password and comply with the security rule that you started using Summer2019! or January2020! (if you had to change your password monthly). And if you haven’t done that personally, I’m sure you have seen it plenty.

Is there more? In a way, yes. But the next ones are not that straightforward, and for a long time they were thought of as solutions to the issues of today. Let’s dig in.

For a long time, there has been talk about improving password security against attacks. The focus was on protecting against the best-known attacks, the ones that work on our imagination the most: a hooded figure sits in front of a computer and tries to either guess the password or crack it with some software. Great for movies and dramatic effect, but not as a basis for decision making.

So, what are the recommendations for improvement? First, use passphrases instead of passwords. How does that help? Passphrases can be longer, the words can be separated by special characters, and they are easier to remember than long, complex passwords, while still giving a significant increase in length and complexity. This is low effort and big gain, but only against some password attacks.
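To make the complexity-rule problem and the passphrase advantage concrete, here is an added example (my own code, not part of the original post). It checks a password against the kind of rule quoted above (8 to 20 characters, uppercase, digit, special), estimates the brute-force search space from the character classes present, compares that with the search space of a randomly generated passphrase, and flags passwords that appear in a small constructed stand-in for a leaked-password list. The word list and the breached set are constructed for the example; a real generator uses a list of several thousand words, and a real breach check uses a list of millions of entries.

```python
import math
import re
import secrets
import string

# Constructed word list for the example. Entropy below is computed from the list
# size, so with this tiny list the passphrase numbers are only illustrative;
# a diceware-style list has 7776 words.
WORDLIST = [
    "copper", "lantern", "meadow", "quartz", "violin", "harbor", "pepper", "saddle",
    "thistle", "walnut", "cobalt", "ember", "falcon", "garnet", "ivory", "juniper",
]

# Constructed excerpt standing in for a leaked-password list.
BREACHED = {"Pa$$w0rd", "P@ssw0rd", "Summer2019!", "January2020!", "Welcome1!"}

# The sign-up form rule: 8-20 characters, at least one uppercase, one digit, one special.
POLICY_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "digit": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}


def satisfies_policy(pw: str) -> bool:
    """True when pw meets the 8-20 character + uppercase + digit + special rule."""
    return 8 <= len(pw) <= 20 and all(rx.search(pw) for rx in POLICY_CLASSES.values())


def charset_entropy_bits(pw: str) -> float:
    """Upper bound on the search space: length * log2(size of the character classes
    present). This is what a blind brute-force attacker must cover; it says nothing
    about dictionary words or leaked passwords, which is the point of the example."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII specials
    return len(pw) * math.log2(size) if size else 0.0


def passphrase_entropy_bits(words: int, list_size: int) -> float:
    """Entropy of `words` words drawn uniformly at random from a list of list_size."""
    return words * math.log2(list_size)


def generate_passphrase(words: int = 5, wordlist=WORDLIST, sep: str = "-") -> str:
    """Draw words with the OS CSPRNG (secrets), never with random.choice."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def rate_password(pw: str) -> dict:
    """Summary a registration form could use: policy result, brute-force bits,
    and whether the password is already known from a breach."""
    return {
        "meets_policy": satisfies_policy(pw),
        "charset_bits": round(charset_entropy_bits(pw), 1),
        "known_breached": pw in BREACHED,
    }


if __name__ == "__main__":
    print("Pa$$w0rd ->", rate_password("Pa$$w0rd"))
    phrase = generate_passphrase()
    print("passphrase", phrase, "->", rate_password(phrase))
    print("5 words from a 7776-word list: %.1f bits" % passphrase_entropy_bits(5, 7776))
```

Two things the output makes visible: Pa$$w0rd passes the policy and looks like 52 bits of brute-force work, yet it is in the breached set, so the real cost of guessing it is one dictionary lookup. And a five-word passphrase from a 7776-word list is about 65 bits but fails the same policy, because it has no uppercase letter, no digit, and is longer than 20 characters. The rule rewards the weak password and rejects the strong one.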

Another improvement? Increase the password change interval. A one-month interval really encourages dictionary-based and generic passwords that are easily guessed. Three months? Better, but still not perfect. If it were up to me, I would only require a password change in case of breaches or leaks, but you must find your own sweet spot that complies with the regulations and policies that apply to you and your organization.

There is one more thing that I hope goes without saying – never use the same password twice. This helps in case of breaches where attackers simply try your leaked password and email address on the most popular sites and get access to your accounts.

All of those mechanisms bring one question to mind – how the hell am I or anyone else going to remember all of the complicated passwords that we are all supposed to use only once, even if we don’t change them too often? Don’t worry, there’s a simple trick – use a password manager. What is that? Simply put, a password manager is a piece of software that can generate complicated passwords or passphrases and store them in an encrypted vault. I have been using one for some time now, and the only passwords I know are the one to my PC and the one to my password manager.

This is all cool and dandy but has one flaw – a single point of failure. When someone gets my vault password, they get all of my passwords. Am I worried? A bit, but not so much, and it is not because I use a complicated passphrase of 120 characters. It is because I have turned on multi-factor authentication.

Multi-factor authentication, or MFA for short, is a process in which you are prompted for an additional form of identification. The MFA process requires at least two of the following to let you log in:

  • Something you know
  • Something you have
  • Something you are

What does it mean? Something you know is usually a password. Something you have is a device, like a smartphone or a hardware key (I do recommend the latter). Something you are is biometrics, which most of you are probably already using when unlocking your mobile phone. Or at least I hope so.

How does it help? Simple. If your password has been compromised, you are still protected because the attacker doesn’t have your second factor. According to Microsoft it can stop 99.9% of attacks against accounts: One simple action you can take to prevent 99.9 percent of attacks on your accounts (microsoft.com)

In one sentence: TURN ON MFA wherever you can. Will you be 100% protected? Of course not. There are still legacy protocols in use that don’t support MFA. There are still attacks that can circumvent MFA, and users are really helpful in those. So turn off legacy protocols where you can, and monitor those services where it cannot be done. And most of all, train and educate your users!

Unfortunately, password and authentication management has too often been ignored. I have seen easy passwords set for critical systems on accounts with elevated permissions. I have seen users who know everything I wrote here and still got hacked and got their critical servers encrypted by malware. So, if you are an administrator and are not using a hardware key or card to access the system – change that immediately!

Consider changing the password policy in your organization and ease up on the password change interval requirement. This will help you a lot and users will like it as well.

Those actions can protect you and your business from being compromised, but remember there is no system that cannot be hacked or broken into. Get yourself a contingency plan for when your environment is affected. And yes, this is a question of “when”, rather than “if”.

A lot has changed since Stallman was rebelling against passwords in the 80s. The world has changed, and our systems need protection against unwanted access. Passwords are vulnerable to attacks and are still used as one of the main protections. Let’s stop doing that.