In Part 1 and Part 2 of this little series we discussed why passwords are simultaneously both critical and pointless. “Schrödinger’s Password,” if you will. Which is all well and good, but now what do we do?
Whatever we come up with, the solution is likely to be a password plus [something else] because, realistically, passwords aren’t going away in the near future. So straight out of the gate we should consider a better way of thinking about passwords. But first, let’s try a little experiment:
I’m going to tell you what your password is.
A given computer system informs you that its password complexity requirements are a combination of upper- and lower-case letters, numbers and symbols. So what do we naturally do? We do exactly what we’re instructed to do, including the subliminally implied order of those components.
First off, you have a root word with a leading capital. Assuming we’re not starting with truly low-hanging fruit like ‘Password’, ‘Letmein’, ‘Changeme’, ‘Fredfred’ and so forth, then this is likely something related to a family member, a pet, a hobby, or inspiration from something you can see in the room like the manufacturer’s badge on your monitor. Or, let’s be frank here, filth. What you may choose to stick into various parts of your anatomy is your own affair and we’re all friends here, but I doubt that anyone really wants to have this side of their life brought to the fore during a password audit.
Next you need a number. This is your birth year, your telephone area code, ‘123’ or simply starting at ‘1’ and then incrementing every time you’re forced to change your password. Or if you’re sporty then perhaps it’s the shirt number of your favourite player. (Aside: if that chosen number is four digits, that’s also going to be my first guess at your bank card PIN.)
Then the last requirement is a symbol. An exclamation mark is suitably dramatic, and it’s quick to type if the preceding digit is a 1. Where does that place us?
Winter2021! (wildly common because of many organisations’ policy of forcing password resets every 3 months)
If you’ve been prompted to change a compromised password, I can likely deduce your new one from the old. The first one here is now going to be Arsenal30!, the second maybe HermioneGranger1983! or similar.
How did I do?
I literally just made up all of those passwords off the top of my head for the purposes of this blog post. Subsequently I ran them all through a ‘compromised password’ checker (see previous posts) and I’ve had maybe a 40% hit rate. I’ll leave working out which ones as an exercise for the reader. (Spoiler: Tampa Bay fans are going to have a bad day.)
And of course, this is from a standing start. For a Brucie Bonus, how much of that information above could I deduce from your social media accounts? Is your birth year in your Twitter handle or your PlayStation username? Is the only content you ever post about your favourite football team? How readily can I glean your spouse’s or your kids’ names from your Facebook profile? Can I see your car registration on Instagram, and is that a password root? What about the “your stripper name is your first pet plus your mother’s maiden name” memes (also great for finding answers to password reset security questions), or “your metal name is the colour of your underwear and the first thing you see”?
In short: how much information are you freely giving away?
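The guessing procedure from the experiment above, written out as code. This is an added illustration and not tooling from the post: the root words, numbers and symbols are constructed sample inputs standing in for what an attacker would harvest from social media, and the season-rolling rule in `likely_successors` is an assumption about how people handle quarterly resets. `fits_pattern` is the same logic turned round, the check a reset form could run before accepting a new password.

```python
"""Root + number + symbol: generate the guesses the habit predicts, derive the
likely replacement for a leaked password, and flag passwords built that way.
Added example, not the post's own code; inputs below are constructed."""
import re
from itertools import product

# Constructed sample inputs: roots an attacker would pull from social media
# (already capitalised, as the prose predicts), the usual numbers, the usual
# symbols. Real harvests are larger but no less predictable.
ROOTS = ["Winter", "Arsenal", "HermioneGranger", "Buccaneers"]
NUMBERS = ["1", "123", "2021", "1983", "30", "12"]
SYMBOLS = ["!", "?", "."]

# One letter run, one digit run, optional trailing non-alphanumerics: the
# exact ordering the complexity prompt nudges people into.
PATTERN = re.compile(r"^(?P<root>[A-Za-z]+)(?P<num>\d+)(?P<sym>[^A-Za-z0-9]*)$")

# Assumption: users on a quarterly reset cycle roll the season forward.
SEASONS = ["Winter", "Spring", "Summer", "Autumn"]


def candidates(roots=ROOTS, numbers=NUMBERS, symbols=SYMBOLS):
    """Every Root+number+symbol combination, in the order the prose predicts."""
    return [root + num + sym for root, num, sym in product(roots, numbers, symbols)]


def fits_pattern(password):
    """True if the password is a capitalised root, then digits, then symbols."""
    m = PATTERN.match(password)
    return bool(m) and m.group("root")[0].isupper()


def likely_successors(old):
    """Given a leaked password that fits the pattern, return the variants a
    user forced to reset is most likely to pick next."""
    m = PATTERN.match(old)
    if not m:
        return []
    root, num, sym = m.group("root", "num", "sym")
    # Trailing number incremented, keeping its width (Arsenal29! -> Arsenal30!).
    guesses = [f"{root}{int(num) + 1:0{len(num)}d}{sym}"]
    # Season rolled forward with the same year (assumption, see above).
    if root in SEASONS:
        nxt = SEASONS[(SEASONS.index(root) + 1) % len(SEASONS)]
        guesses.append(f"{nxt}{num}{sym}")
    # The lazy option: tack another copy of the symbol on the end.
    guesses.append(old + (sym[-1] if sym else "!"))
    return guesses


if __name__ == "__main__":
    print(len(candidates()), "candidates, e.g.", candidates()[:3])
    print("Winter2021! ->", likely_successors("Winter2021!"))
    print("Arsenal29!  ->", likely_successors("Arsenal29!"))
    for pw in ("HermioneGranger1983!", "xK9#vQ2$pL7&"):
        print(pw, "fits the habit:", fits_pattern(pw))
```

Run against a real harvest, the candidate list stays small enough to try online against a login page that rate-limits generously, which is the whole point of the experiment: the complexity rule did not add entropy, it added a template.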
There clearly has to be a better way of doing this. And there is. There are many password manager applications which will make most of this nonsense go away. It’s not appropriate (yet) in all scenarios, but it will go a long way towards mitigating the weakest link here, which is people. That is, you.
There are lots of competing products – BitWarden, LastPass, 1Password and many more – and what works for me may not work for you so I’m not about to recommend one over the other. Go look on Google and Wikipedia. But please, consider using one. A password manager can generate passwords which look more like this:
… and the best part of that is, you’ll never have to type it or even remember it because a password manager will autofill it for you.
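To put a number on the difference, here is an added example (not code from the post or from any of the password managers named above) that generates a manager-style password with the operating system’s CSPRNG and compares its key space with the Root + number + symbol habit. The sizes plugged into `pattern_bits` (roughly ten thousand plausible root words, three hundred common numbers, ten symbols) are assumptions, and they are generous: real users cluster far tighter than that.

```python
"""Manager-style random password versus the human habit, in bits.
Added example, not the post's own code; the pattern sizes are assumptions."""
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def satisfies_policy(password):
    """The complexity rule from the experiment: upper, lower, digit, symbol."""
    return (any(c.islower() for c in password)
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password)
            and any(c in string.punctuation for c in password))


def generate_password(length=20, alphabet=ALPHABET):
    """Draw each character uniformly with secrets (CSPRNG, not random), and
    resample until the complexity rule is met so the result is accepted
    anywhere. Rejection costs a negligible fraction of a bit at this length."""
    if length < 4:
        raise ValueError("too short to contain all four character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies_policy(candidate):
            return candidate


def random_bits(length=20, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def pattern_bits(roots=10_000, numbers=300, symbols=10):
    """Upper bound on the guess space of Root + number + symbol.
    Assumed sizes: ~10k root words, ~300 numbers (years, '1'..'123', area
    codes, shirt numbers), ~10 symbols."""
    return math.log2(roots * numbers * symbols)


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated:", pw, "policy ok:", satisfies_policy(pw))
    print(f"random 20-char password: {random_bits(20):.1f} bits")
    print(f"Root+number+symbol habit: {pattern_bits():.1f} bits")
```

About 131 bits for the generated password against under 25 for the habit, and that gap is before anyone has looked at your Instagram. The only way a human gets anywhere near the first figure is by not choosing the password at all, which is exactly the job the manager does.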
So that is, thank $deity, a wrap on passwords. Go get a cup of tea and then we’ll move on to what the [something else] looks like in Part 4.