We’ve all heard that in order to protect our information and online accounts we need to create complex passwords with uppercase and lowercase letters, numbers, and special characters, right? Following such advice, does, in theory, produce passwords that are difficult to be hacked. Reality, however, tells us that while complex passwords provide better security, they also create new kinds of risks.
First, due to the limitations of human memory, complex passwords are more likely to be written down than familiar, easily-remembered passwords. This means that utilizing complex passwords increases the risk of passwords being exposed through insecure storage. People who don’t write down their passwords risk forgetting a complex password and having to go through a frustrating process of resetting it.
Storing complex passwords in a smartphone app is not an ironclad solution either. Password storage apps place numerous pieces of sensitive information in one place, and as a result, must be properly secured. Properly protecting the app and the data that it stores can make looking up a password an infuriating process involving entering long, complex passwords and waiting for various decryption functions to run. Of course, if such an app — or the phone itself — were ever infected with malware, the impact could be devastating.
In addition to the risks created by memory limitations, there is a major concern about how strong the complex passwords truly are, and how well they stand up to hacking tools. Research shows that the actual security provided by complex passwords is often far less than one would expect based on the password’s theoretical strengths. One major issue with complex passwords was published last year by a research team from Carnegie Mellon University, which explained that predictable human tendencies often dramatically undermine the strength of complex passwords.
For example, on systems that require passwords to include both upper and lowercase characters as well as a number, a widely disproportionate number of passwords created will follow such pattern: an uppercase character followed by lowercase characters, and then ended with a single digit. Similarly, the researchers found that when people are required to create long passwords, they often repeat a short password twice. As a result of these human tendencies, password cracking is easier than ever.
So how should you best address these issues?
I wrote a blog on passwords a couple of months ago discussing this very topic after The National Institute of Standards and Technology (NIST) had issued new guidelines regarding secure passwords. The 3 guidelines were (and please refer to the previous password blog for more detail):
1. Remove periodic password change requirements.
2. Drop the algorithmic complexity song and dance.
3. Require screening of new passwords against lists of commonly used or compromised passwords.
Hopefully this helps! I know at the very least it should get you thinking about doing more to protect yourself in the password arena. I know it helped me and got me thinking smarter.
Please contact us for any questions you may have on password screening! We’re happy to help and point you toward software that can make this process simpler.