Passwords are a joke

 
Fingerprint image on mobile screen
 

We’ve all been there.

You log in to your bank or work account and the computer says you need to reset your password. You think:

Didn’t I just do that?

Annoyed at the seemingly frivolous interruption—I just want to check my balance!—you quickly scan the instruction box:

List of password rules from a US government website

Your eyes fall on the words Must contain one number and one special character.

Well, that’s easy, you think. I’ll just add a “1” and “!” to the end of the last password!

 

Sound familiar?

That’s because everybody does it:

 

A recent study by researchers at Princeton suggests the routine in the video is funny, not because it’s ridiculous, but because it’s true — and ridiculous.

Many if not most of the password rules we’ve become accustomed to over the years are not making us more secure.

Quite the opposite.

For example, the Princeton researchers found that requiring periodic password changes leads to progressively weaker passwords.

After all, human beings have a limited capacity to remember odd strings. Forcing frequent changes trains us to create the simplest variant of the previous password that meets the criteria.

Same for forcing special characters. It’s not that including them is bad; they can make a password stronger. The problem is that a forced special character almost always lands in the same predictable place, typically a “!” tacked onto the end, so the rule adds far less to an attacker’s workload than it appears to.

 
XKCD comic strip

©XKCD

 

But as more and more password databases have gotten leaked, hackers now have a treasure trove of human behavioral data going back years, and they’ve found the same flaws the researchers at Princeton did:

In the hustle of daily life, we all take the path of least resistance.

This means that those clever rules you think are making you safer are having the opposite effect:

Password rules make your passwords harder for you to remember but easier for machines to guess.

Nor is the problem limited to marginal online accounts like your local gym or dry cleaner. Researchers found that some of the biggest names in tech are not enforcing best practices, including Facebook and IBM.

The situation is so bad there’s even a website for collecting dumb password rules — appropriately called Dumb Password Rules.

 
Weirdly, some bits of old password wisdom have turned into a religion.
— Arvind Narayanan, professor of computer science at Princeton

 
 

So what should you do?

No security system is unbreachable, but there are a few practices that actually do help secure your accounts.

First, use two-factor authentication wherever possible.

This is not flawless. Turns out, with some simple social engineering, it’s not that hard to convince people to send a complete stranger the two-factor code they just received on their phone, if they believe that stranger works for the company in question, for example, and that they’re trying to help. Codes sent by text message or email are the easiest to talk someone out of; an authenticator app is better, and a hardware security key, which will not respond to a site it was never registered with, is better still.

We’re most vulnerable at the precise moment we’re frustrated with technology, which is why:

 

Second, never, ever trust someone you don’t know — and be very suspicious of those you do.

As we’ve noted before, on the internet, you’re never very far from a thief.

Never share your password or verification code with anyone you don’t know personally, and keep in mind that impersonation is real. A clever adversary might be posing as someone you know via email or text.

So call that person instead, on a number you already have rather than one given in the message. It only takes a few seconds.

And better yet:

 

Third, never share a password by email, even with a friend or colleague.

If we’ve said it once, we’ve said it ten thousand times:

Email is not private.
Email is not secure.

Your email account is one large database of all your communications. Every off-color joke, every passive-aggressive retort, every insult, every embarrassing typo is preserved for posterity (and discoverable in court).

If your account were ever compromised, even years from now, every password you’ve ever shared would still be there and easily searchable, especially since we usually preface shared passwords with something like “Hey Susan. Here’s the password.”

If you need to share a password, such as with an accountant or technical consultant, use a method that self-destructs once it has been read, such as a one-time link from PW Pusher, and do it even if the account in question “doesn’t matter.”

 

Fourth, always use strong, unique passwords, even for accounts that “don’t matter.”

It isn’t enough to have passwords that differ a little — an extra number, a zero in place of an O, a different special character on the end. Hackers know all these tricks. You’re not being clever.

Every site you have an account with stores something derived from your password in its database, ideally a salted hash, but not always. Those databases are only as secure as the least careful person at that company, and a weak or reused password that leaks as a hash gets cracked quickly.

Do you remember every account you ever created? What about that sports or crafting website you signed up for years ago and never used?

In truth, all of us have a dozen or more accounts we don’t remember creating.

If you’re in the habit of using similar passwords, then once a hacker gets one, including one that “doesn’t matter,” you’ve made it easy for them to guess all the others. Attackers automate this: they take every email-and-password pair from a breach and try it, with the usual tweaks, against other sites, a technique known as credential stuffing.
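The following script is an added example, not code from the original article: it models the attacker’s side of the two points above (that rule-driven rewrites like “add a 1 and !” are predictable, and that one leaked password exposes its siblings). The leaked base password is constructed, not real, and the rule set is a hand-written assumption standing in for the far larger rule files that cracking tools ship with. It enumerates the “compliant” rewrites of a reused password, reports where a typical rewrite lands in the guess list, and compares that with the guessing work needed against a manager-generated random password.

```python
import math
import secrets
import string
from typing import Optional

# Constructed example: a password as an attacker would recover it from a
# breach of an account that "doesn't matter". Not a real credential.
LEAKED_BASE = "sunshine"

# Hand-written mangling rules (an assumption for this example, in the spirit of
# hashcat / John the Ripper rule files) modelling what people do to a password
# they want to keep when a site demands a number and a special character.
SUFFIX_DIGITS = [str(d) for d in range(10)] + ["01", "12", "69", "123", "1234"]
SUFFIX_YEARS = [str(y) for y in range(1990, 2026)]
SUFFIX_SPECIALS = ["!", "@", "#", "$", "!!", "!1", "1!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})

# The symbol set a password manager typically draws from (94 printable ASCII).
DEFAULT_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def case_variants(base: str) -> list:
    """Plain, Capitalised, ALL CAPS and two leet-speak spellings, deduplicated."""
    forms = (base, base.capitalize(), base.upper(),
             base.translate(LEET), base.capitalize().translate(LEET))
    return list(dict.fromkeys(forms))


def human_variants(base: str) -> list:
    """Enumerate the 'compliant' rewrites of a reused password.

    Returns the candidates an attacker who already holds `base` would try
    first, in a fixed order (most obvious first), without duplicates.
    """
    candidates = {}  # insertion-ordered set
    for stem in case_variants(base):
        for digits in [""] + SUFFIX_DIGITS + SUFFIX_YEARS:
            for special in [""] + SUFFIX_SPECIALS:
                candidates[stem + digits + special] = None  # "Sunshine1!"
                candidates[stem + special + digits] = None  # "Sunshine!1"
    return list(candidates)


def position_in_guess_list(base: str, target: str) -> Optional[int]:
    """1-based position of `target` in the attacker's candidate list, or None."""
    variants = human_variants(base)
    return variants.index(target) + 1 if target in variants else None


def is_trivial_variant(old: str, new: str) -> bool:
    """True if `new` is one of the predictable rewrites of `old`."""
    return new in human_variants(old)


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of guessing work for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = DEFAULT_ALPHABET) -> str:
    """A password as a manager generates it: uniform over `alphabet`, from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    variants = human_variants(LEAKED_BASE)
    print(f"{len(variants)} predictable rewrites of {LEAKED_BASE!r} "
          f"(about {math.log2(len(variants)):.1f} bits of guessing work)")
    for rewrite in ("Sunshine1!", "Sunshine2024!", "$un$h1n3!"):
        print(f"  {rewrite!r:18} guess #{position_in_guess_list(LEAKED_BASE, rewrite)}")
    print(f"16 random chars from {len(DEFAULT_ALPHABET)} symbols: "
          f"{entropy_bits(len(DEFAULT_ALPHABET), 16):.1f} bits, e.g. {random_password()!r}")
```

Even this toy rule set turns one leaked word into a few thousand candidates, roughly 12 bits of work, which a cracking rig gets through in well under a second; a 16-character random password from the same 94-symbol alphabet represents over 100 bits. The `is_trivial_variant` check is the kind of test a password-change form could apply against the previous password instead of counting digits and special characters.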

No, of course you can’t remember a strong, unique password for every single one of your accounts! No one can. Stop trying:

 

Fifth, use a good password manager like Zoho Vault.

Password managers aren’t flawless either, as users of the popular password manager LastPass recently discovered.

If you are ONLY using a password manager, then it’s true that you are not significantly more secure.

In fact, given that the password to your password manager reveals all your passwords, you’ve actually introduced a single point of catastrophic failure!

However, if you use a password manager in conjunction with the practices above — especially two-factor authentication — then you are reasonably well protected, even if the password manager itself were breached.

After all, simply knowing your bank account password won’t benefit a hacker if that account also requires a two-factor code. And if that password is strong and unique, revealing it risks none of your other accounts.

In the unlikely event your password manager is compromised, your second factor still stands between the attacker and each account, and it’s (inconvenient but) easy enough to update your accounts to new strong and unique passwords, which the password manager will handily generate for you.

What’s more, a good password manager like Zoho Vault will also let you share passwords (and other secrets) securely if required, without the need for email or third-party tools.

There’s even a mobile app, meaning you can access your accounts securely from any of your devices.

 
Store all your passwords and sensitive data in one place
Create secure, strong passwords for all your logins
Autofill your passwords on all websites and mobile applications
Share passwords securely with your family, colleagues, and teams
 

In other words, simply using Zoho Vault will force you to follow many of the best practices on this list and without having to think about them.

 

A seat belt for the information superhighway

If you’re thinking “I’ll get to it one day”… we understand. We’re all busy. More immediate problems might take precedence.

It’s like driving. We all get into our cars every day despite ample statistical evidence that it’s risky. The fact that we’re likely to be in at least one serious accident before we die doesn’t change the fact that we still need to get to work.

But the statistics also show that, if we’re going to ride in a car, wearing our seat belt is an effective mitigation against serious harm, which is why it’s the law in most areas.

So it is with a password manager.

If you’re going to drive the internet, at least put your seat belt on. Use a password manager.

 
Measure points of a facial scan

Concluding Thought:
What about Biometrics?

It used to be the stuff of science fiction. A secret agent would lean in for a retinal scan or slap some dead security guard’s hand onto a screen to gain access to the vault beyond.

Surely it’s safe to log in with a facial scan or fingerprint, right? No one can copy that.

Be careful with biometrics. Here, security researchers are split.

While the researchers at Princeton point to biometrics as a more secure alternative to passwords, other experts (such as computer security legend Bruce Schneier) argue that biometrics have the same fundamental flaw as repeated passwords: you’re using the same key to secure all doors.

Copying a face or fingerprint takes more effort than cloning a voice, which current AI tools can do from a few seconds of recorded speech, but as the next paragraphs show, it is not out of reach.

More to the point, that’s not what the computer checks. The machine measures your face or finger and converts it into a digital code, and that code is the actual key.

If the biometric unlocks a remote service, that template has to be stored on a server, same as a password, and it can be copied or stolen, same as a password. (Unlocking a phone or laptop is different: there the template stays in dedicated secure hardware on the device and never leaves it.) If a server-side template leaked, attackers would be in possession of the machine equivalent of your face or fingerprint.

What’s worse, a breach isn’t even necessary. Besides the fact that you literally leave your fingerprints on everything you touch, researchers in Japan showed that fingerprints can be reproduced from the ordinary phone photos people share on social media, even when the photo was taken from about ten feet away, and a face is easier still to collect, since a profile picture is a well-lit frontal portrait.

If facial recognition and fingerprint readers become very widely used, it won’t take long for hackers to automate the extraction process with AI tools, meaning anyone whose face or finger appears in an internet-accessible photo will have all their accounts simultaneously at risk.

But here’s where it really gets bad: You can’t change your biometrics.

A breached password can be updated, but once your facial recognition or fingerprint file is out in the world, you can never securely use that method again (at least not without plastic surgery).

The reverse is also a problem. Voice recognition fails when you’re congested or hoarse from illness. Phones don’t open when your face is covered by a mask or your thumb by a Band-aid.

As long as you’re willing to accept those risks, then biometrics are a fair alternative to weak or repeated passwords.

But we only use them on local devices, never remotely over the internet, and only in conjunction with passwords or 2FA.

 
