Passwords: Best Practices

Password best practices and recommendations keep evolving as new threats and data emerge. Let's go through what you should be doing now to stay safe.

Recently, recommendations on choosing passwords have changed. It is no longer the best plan to change passwords often, nor is it always best to use a unique password in every case. Like all technology, these recommendations change as new threats and data emerge. There are steps that both users and those who set password policy can take to improve. But let’s start by reviewing what used to be the best suggestions.

Historically, users were all told to have long, complicated passwords, change them often, and use only one per account. This leads to a long list of complicated passwords that are nearly impossible to recall. Typically, the result is that users keep one password, or only a few, and use them across many accounts. This practice is dangerous because if one account is breached, the passwords of many other accounts are also compromised.

Another common point is that users are required to change their password often, sometimes every couple of weeks. Frequently, users will set a password, then change it only slightly when forced to update it. This technique still doesn’t help against password-guessing programs, especially at scale. Instead, it creates a significant headache for users, who constantly have to remember new passwords.

One last common suggestion is that user passwords should be long and complex. While it has been suggested that users try to use phrases or combined words to create a password, evidence has shown that few users actually follow this technique correctly, according to a paper published by Microsoft Research and Carleton University. What’s worse is that these suggestions don’t help prevent password loss, so the recommendations have changed.

Historically, longer and more complex passwords have been a key security recommendation. However, these increased requirements often make passwords harder to remember and offer little benefit, because a program that attempts to guess or brute force passwords will eventually guess even a longer password if there are no other mitigating factors. Users can be allowed to choose a shorter password if other methods, like those below, are used.

Even Microsoft, who initially recommended frequent password changes, now no longer recommends forcing any password expiration. Instead, password security is better served by enabling multifactor authentication. Multifactor authentication is a process where users are confirmed by what they know (their password) and in some other way, such as a code sent to them by text message or a hardware token. This process firmly ensures that the person logging in is the actual user, not someone who has stolen or guessed a password. Implemented properly, multifactor authentication adds little friction to a user’s workflow and provides great confidence that the person logging in is legitimate. Even if a user’s password is stolen by someone looking over their shoulder as it is typed, the real account owner will still receive a multifactor challenge when the other party tries to log in, which prevents the wrong person from accessing the account. This method can also prevent a password from being used even if it is stolen by malware or a keylogger on the end-user computer. However, there are also other ways to protect user accounts.

One way to protect against password-guessing tools is account lockout. At its simplest, this process disables an account after a certain number of failed login attempts, preventing someone from simply trying every password until they eventually hit the correct one. Account lockouts need to be implemented carefully. A considerable amount of time is lost if a user locks their own account and cannot access resources without contacting support. A middle ground is to lock out an account for a period of time after a set number of incorrect attempts. This increases the time it takes to brute force a password yet gives a legitimate user a way back in without placing an undue burden on them or on support staff. An alternative way to prevent password guessing is to incrementally increase the delay between login attempts: for instance, wait 1 second after the first failed attempt, 2 seconds after the second, then 4, and so on. This exponential increase quickly makes it ineffective for a program to brute force a specific user account.
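A small per-account throttle that implements both defences just described, the temporary lockout after a fixed number of failures and the doubling delay (1 s, 2 s, 4 s, ...), as an added example that is not code from the original article. The `LoginThrottle` name, the thresholds, the in-memory state and the delay cap are assumptions; the example also goes slightly beyond the text by clearing the counters on a successful login.

```python
from dataclasses import dataclass, field


@dataclass
class LoginThrottle:
    """Per-account throttle: exponential delay between failed attempts
    (1 s, 2 s, 4 s, ...) plus a temporary lockout once max_failures is hit.
    All thresholds are illustrative assumptions, not the article's numbers."""
    max_failures: int = 5          # failures before a temporary lockout
    lockout_seconds: int = 900     # length of the temporary lockout
    base_delay: float = 1.0        # delay after the first failure
    max_delay: float = 60.0        # cap so the delay cannot grow without bound
    _failures: dict = field(default_factory=dict)      # account -> count
    _next_allowed: dict = field(default_factory=dict)  # account -> timestamp

    def required_delay(self, failures: int) -> float:
        """Exponential backoff: 0 s after no failures, then 1, 2, 4, ... s."""
        if failures <= 0:
            return 0.0
        return min(self.base_delay * 2 ** (failures - 1), self.max_delay)

    def seconds_until_allowed(self, account: str, now: float) -> float:
        """How long the account must still wait; 0 means an attempt is allowed."""
        return max(0.0, self._next_allowed.get(account, 0.0) - now)

    def record_attempt(self, account: str, success: bool, now: float) -> float:
        """Record an attempt's outcome and return the wait imposed before the
        next attempt (0 on success). Call only after seconds_until_allowed()
        returned 0 and the password itself has been verified."""
        if success:
            self._failures.pop(account, None)
            self._next_allowed.pop(account, None)
            return 0.0
        count = self._failures.get(account, 0) + 1
        if count >= self.max_failures:
            wait = float(self.lockout_seconds)
            count = 0  # lockout served: start the backoff ladder afresh
        else:
            wait = self.required_delay(count)
        self._failures[account] = count
        self._next_allowed[account] = now + wait
        return wait


if __name__ == "__main__":
    # Constructed run: five wrong guesses against one account on a fake clock.
    throttle, clock = LoginThrottle(), 0.0
    for _ in range(5):
        wait = throttle.record_attempt("alice", False, clock)
        print(f"failed attempt: account must wait {wait:.0f}s")
        clock += wait  # the guesser waits out the delay before retrying
```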

Next, recommendations have also shifted on password reuse. This change in thinking came about when looking at the time and effort a user must spend to maintain their passwords. There is a real cost to password management, and some specific recommendations, such as never reusing a password, do not seem to deliver value in proportion to that cost. Again, based on the Microsoft Research paper, there may be a benefit to having low-value accounts share the same password, because users can then better remember the smaller number of passwords they need. One example had users tier their accounts as follows: 1) inconsequential, 2) inconvenient, and 3) major. If an inconsequential site were compromised, the cost to the user would be minimal. Care would still need to be taken to have separate passwords for the higher-value “major” accounts, but this one step could drastically shorten a user’s overall password list. As an example, say a user has 100 different passwords. Of these, 80 are of inconsequential importance: rarely-used blogging sites, pizza ordering webpages, and shopping sites. The other 20 are a mix of inconvenient and major classifications. Say the person uses a mix of 5 passwords to cover all 80 of those websites. Even if the user still used a single password for each of the other 20 higher-value accounts, they would only need to recall 25 passwords instead of 100. Taking that a step further, assume that only 5 sites are of major classification, and each of those needs an individual password. For the remaining 15 inconvenient sites, use 1 password per 5 sites. This further reduces the total from 100 down to just 5 + 3 + 1 = 9 passwords. Classification and intelligent reuse of passwords improve on past password recommendations, from both a security and a user perspective.

Lastly, it is very important that end-user machines are protected. One of the most comprehensive ways to steal passwords is by compromising the end-user computer. This attack can happen in a variety of ways. Users can accidentally download and install a malicious piece of software, inadvertently introducing a keylogger to their computer. A keylogger can effectively capture every user password as it is typed, regardless of complexity or lack of reuse. Up-to-date antivirus software and malware protection are essential to prevent this type of password loss. Additionally, a user’s computer can be exploited via a security hole; this type of issue typically occurs when systems are not kept up to date or patched often. For example, Windows releases patches weekly to help mitigate security issues, and these should be installed promptly to keep computers as secure as possible.

Password policies and decisions need to be kept up to date as information and best practices change over time. The old adage of “change your password often” is no longer viable and, in many cases, is now harmful to users and their accounts. Likewise, the past recommendation of having a separate password for every website and account is outdated and impractical. Instead, better processes like multifactor authentication, judicious password reuse, software updates, and antivirus software are a much better way to protect accounts and make password management less burdensome.
