The age-old password rules have changed dramatically over the years and are barely relevant in the modern days, many thanks to the hackers that keep their weapon sharpened when it comes to cracking passwords.
Here are a few good readings and materials that summarize very well how to choose a good, strong and secure password in the modern world.
How Secure Your Password is?
Let’s head over to How Secure is My Password to find out.
Bruce Schneier’s Choosing a Secure Password
The article was published in 2014 but still relevant in today’s world. It lays out several studies on password strength and simply points out that
Pretty much anything that can be remembered can be cracked.
But there is still one scheme that seems to work, so called “Schneier scheme”:
So if you want your password to be hard to guess, you should choose something that this process will miss. My advice is to take a sentence and turn it into a password. Something like “This little piggy went to market” might become “tlpWENT2m”. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence – something personal.
- WIw7,mstmsritt… = When I was seven, my sister threw my stuffed rabbit in the toilet.
- Wow…doestcst = Wow, does that couch smell terrible.
- [email protected]~faaa! = Long time ago in a galaxy not far away at all.
Schneier also adds a few more rules on top of how to choose a good password:
- Never reuse a password you care about. Even if you choose a secure password, the site it’s for could leak it because of its own incompetence. You don’t want someone who gets your password for one application or site to be able to use it for another.
- Don’t bother updating your password regularly. Sites that require 90-day—or whatever—password upgrades do more harm than good. Unless you think your password might be compromised, don’t change it.
- Beware the “secret question.” You don’t want a backup system for when you forget your password to be easier to break than your password. Really, it’s smart to use a password manager. Or to write your passwords down on a piece of paper and secure that piece of paper.
- One more piece of advice: if a site offers two-factor authentication, seriously consider using it. It’s almost certainly a security improvement.
Jeff Atwood’s Password Rules are Bullshit
TL;DR: There is one rule to bring them all, and in the darkness bind them, the length. Whatever you want, just make sure it’s long enough to be a reasonable password.
- Password rules are bullshit
- They don’t work.
- They heavily penalize your ideal audience, people that use real random password generators. Hey guess what, that password randomly didn’t have a number or symbol in it. I just double checked my math textbook, and yep, it’s possible. I’m pretty sure.
- They frustrate average users, who then become uncooperative and use “creative” workarounds that make their passwords less secure.
- They are often wrong, in the sense that the rules chosen are grossly incomplete and/or insane, per the many shaming links I’ve shared above.
- Seriously, for the love of God, stop with this arbitrary password rule nonsense already. If you won’t take my word for it, read this 2016 NIST password rules recommendation. It’s right there, “no composition rules”. However, I do see one error, it should have said “no bullshit composition rules”.
- Enforce a minimum Unicode password length
- It’s simple. Users can count. Most of them, anyway.
- It works. The data shows us it works; just download any common password list of your choice and group by password length.
- The math doesn’t lie. All other things being equal, a longer password will be more random – and thus more secure – than a short password.
- Accept that even this one rule isn’t inviolate. A minimum password length of 6 on a Chinese site might be perfectly reasonable. A 20 character password can be ridiculously insecure.
- If you don’t allow (almost) every single unicode character in the password input field, you are probably doing it wrong.
- It’s a bit of an implementation detail, but make sure maximum password length is reasonable as well.
- Check for common passwords
- Check for basic entropy
- Check for special case passwords
Troy Hunt on Password Strenth Indicators
Troy uses a true sample to demonstrate why Password Strenth Indicators sometimes help people choose dumb choices, and points out that
He also suggests:
Fundamentally, it’s an education issue and the key tenets people need to understand boil down to the risks of password reuse and, of course, what genuinely constitutes a strong password.
UK NCSC’s Password Guidance
The UK NCSC (part of GCHQ – Uk equiv to NSA) published a good discussion document a while back that contains some useful password guidance that simplifies the password policy, including:
- Change all factory-set default passwords.
- Take advantage of good password manager software.
- Eliminate password expiry policy to avoid placing more burden on users.
- No sharing passwords
- Use technical controls to defend against automated guessing attacks, rather than relying on users to generate complex passwords.
- Never re-use passwords between work and home.
- Account lockout, throttling, and protective monitoring are powerful defences against brute-force attacks on enterprise systems and online services.
- Never store passwords as plain text, always hashing and salting before storing them.
Source: UK NCSC’s Password Guidance
Microsoft Password Guidance
It provides Microsoft’s recommendations for password management based on current research and lessons from their own experience as one of the largest Identity Providers in the world.
Here is some advice to IT admins:
- Maintain an 8-character minimum length requirement (and longer is not necessarily better).
- Eliminate character-composition requirements.
- Eliminate mandatory periodic password resets for user accounts.
- Ban common passwords, to keep the most vulnerable passwords out of your system.
- Educate your users not to reuse their password for non-work-related purposes.
- Enforce registration for multi-factor authentication.
- Enable risk-based multi-factor authentication challenges
Source: Microsoft Password Guidance