Why we know your password and what you can do about it
Guest Blog by John Kearney of DXW highlights top security tips for password management.
Trying to make passwords more secure can often end up having the opposite effect, for two main reasons:
- When people are faced with composition rules (at least one uppercase letter, one number, one symbol, and so on; we've all been there), they do the simplest thing that satisfies the rule. Most users capitalise the first letter of their password, or all of its letters, and add a "1" to the end. Sound familiar?
- Passwords made up of randomly generated characters are hard for a human to remember, and at the lengths people will put up with they are still well within a computer's ability to guess.
For evidence of how people choose passwords, you need look no further than the 10,000 most common passwords discovered in security breaches, as published on GitHub or on Wikipedia. As I write, the second most common password is "password", "Password" is number 176, "password1" is at 207, "PASSWORD" is at 710, and "Password1" checks in at 2968. Each variant exists to satisfy a different complexity rule, and an attacker's word-mangling rules generate all of them from the one base word.
In Top of the Pops fashion (for those of you who are old enough), here’s the current top 20:
As for the relative ease with which a computer can guess a random string as opposed to a well-crafted passphrase (see more on using these below), XKCD's "Password Strength" comic tells that story better than we could.
We don’t do what we’re told, and that can cause big problems
No matter how many times people are told never to use the same password across many sites and services, most still do just that. It’s human nature to take the quickest and easiest option, and the one that means we won’t forget our passwords and get locked out.
When dxw cyber carries out attack simulations, we search published data breaches for details of known users to help us identify the passwords they use to log into other places. When we find their passwords, we try them out against their accounts in the system we're targeting (this technique is known as credential stuffing).
During a recent attack simulation, this simple password lookup — that requires no technical skills at all — gave us access to the entire system at the highest possible level.
So what’s the good news (or help, what should I do now)?
Once you understand how people interact with a system, and the reasons why the rules don’t result in the right kind of behaviour, you can take a different approach.
Some tips for individuals
As an individual you should:
- swap passwords for passphrases: combinations of meaningful words in a string. They are easier to remember than complex character strings and, if they are long enough, harder to crack. You can generate these with online tools inspired by XKCD, or with the generator built into a password manager, which has the advantage of running on your own device. Either way, let the tool choose the words; that is what makes the phrase truly random, and a phrase you made up yourself is not
- use a password manager: these are applications that act like a secure vault, where you can store all your logins and passwords. Most will also generate passphrases for you when creating a new login or updating an old one. Speaking of which, you should also…
- update all your logins with randomly generated passphrases: this might take you a bit of time, but it’s worth it. Start with the most sensitive things like email, financial and medical accounts, and update the others when you use them
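The comparison the XKCD comic draws, and the "long enough" caveat in the first tip above, come down to counting entropy bits. The following is an added example, not code from the original post or from dxw: it generates passphrases with the operating system's cryptographic random source and compares their entropy with random character strings. The word list is a constructed stand-in; the 7776 figure is the size of the EFF long word list, and the guess rate in the demo is an assumption chosen only to show the arithmetic.

```python
import math
import secrets
import string

# Constructed sample standing in for a real diceware-style word list.
WORDLIST = (
    "anchor battery bridge candle castle cloud correct dragon engine forest "
    "garden horse island jungle kettle ladder lantern marble meadow needle "
    "orange pepper planet quartz rabbit river saddle silver staple tiger "
    "tunnel valley velvet violin walnut window winter yellow zebra"
).split()
EFF_LONG_LIST_SIZE = 7776  # size of the EFF long word list

# Letters, digits and punctuation: the 94 printable ASCII symbols a
# "random characters" generator usually draws from.
RANDOM_CHARSET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(choices_per_element: int, elements: int) -> float:
    """Entropy of a secret built from `elements` independent, uniform picks."""
    return elements * math.log2(choices_per_element)


def generate_passphrase(words: list[str], count: int = 4, sep: str = " ") -> str:
    """Pick words with secrets (a CSPRNG); random.choice is not suitable here."""
    return sep.join(secrets.choice(words) for _ in range(count))


def generate_random_string(length: int, charset: str = RANDOM_CHARSET) -> str:
    """The "complex" alternative: the same CSPRNG over single characters."""
    return "".join(secrets.choice(charset) for _ in range(length))


def words_needed(target_bits: float, list_size: int) -> int:
    """Smallest number of words that reaches the target entropy for a given list."""
    return math.ceil(target_bits / math.log2(list_size))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every possibility at the given guess rate (worst case)."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, for illustration only
    for label, bits in [
        ("8 random printable characters", entropy_bits(len(RANDOM_CHARSET), 8)),
        ("4 words from a 7776-word list", entropy_bits(EFF_LONG_LIST_SIZE, 4)),
        ("6 words from a 7776-word list", entropy_bits(EFF_LONG_LIST_SIZE, 6)),
    ]:
        years = seconds_to_exhaust(bits, rate) / (365 * 24 * 3600)
        print(f"{label:32s} {bits:5.1f} bits  ~{years:.1e} years at {rate:.0e} guesses/s")
    print("need", words_needed(80, EFF_LONG_LIST_SIZE), "words from that list for 80 bits")
    print("sample passphrase:", generate_passphrase(WORDLIST, 5))
    print("sample random string:", generate_random_string(12))
```

Four words from a 7776-word list carry roughly the same entropy as eight random printable characters (about 52 bits either way), which is the comic's point: equal strength, but only one of the two is memorable. The entropy figure depends on the list size, not on how long the words look, so a short constructed list like the one above is fine for a demo but not for real credentials.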
Some tips for businesses
As a business, you should:
- update your password policy and systems so people can use passphrases. Many policies require symbols and numbers, which do little to guarantee security (as we explained above); checking new passwords against a list of common and breached passwords, as the NCSC recommends, does far more
- select a suitable password manager for your staff, and train them in how to use it
- once the policies and tools are in place, make sure all users update their passwords. If you have lots of users, we recommend you do this gradually
- read the National Cyber Security Centre’s guidance on updating your approach to your password policy
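The ranking of "password", "Password1" and "PASSWORD" earlier in this post, and the policy tip above, both point at the same control: a blocklist check that sees through the mutations people use to satisfy complexity rules. The following is an added example, not code from the original post or from dxw. The blocklist here is a constructed handful of entries standing in for the full 10,000-entry list; the minimum length of 12 is an assumed policy value, and the leetspeak substitution table is my own choice of the common ones.

```python
import string
import unicodedata

# Constructed stand-in for a common-password list. In production, load the
# full published list (or a breached-password feed) into this set; a set
# lookup stays O(1) however large it gets.
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome", "football",
    "iloveyou", "admin", "monkey", "dragon",
}

MIN_LENGTH = 12  # assumed policy value; the NCSC leaves the figure to the system owner

# The substitutions people reach for when a rule demands a digit or symbol.
LEET = str.maketrans("@$!013457", "asioleast")


def normalise(candidate: str) -> str:
    """Collapse the predictable mutations users apply to a base word.

    'Password1', 'PASSWORD!' and 'p@ssw0rd2019' all come back as 'password',
    so one lookup catches the whole family rather than one spelling of it.
    """
    s = unicodedata.normalize("NFKC", candidate).lower()
    # Capitalisation, a trailing '1' or '!' and an appended year are the
    # rule-satisfying cruft the post describes: strip it from both ends.
    s = s.strip(string.digits + string.punctuation + string.whitespace)
    return s.translate(LEET)


def check_password(candidate: str, username: str = "") -> list[str]:
    """Return the reasons a candidate is rejected; an empty list means it passes."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    # Check the raw value too, so all-digit entries like '123456' (which
    # normalise to an empty string) are still caught.
    if lowered in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        reasons.append("matches a common or breached password after normalisation")
    if username and username.lower() in lowered:
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    for pw in ["Password1", "P@ssw0rd!", "Welcome2020", "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
```

Run the check at password-set time, not at login, and pair it with a length minimum rather than composition rules: a long passphrase with no symbols passes, while every capitalised-plus-digit variant of a dictionary word fails.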
Finally, as an individual or a business, you should always enable two-factor authentication (2FA) when it’s available.
2FA means you need to provide two different kinds of proof of your identity, typically something you know and something you have. Banks have used it for years: to take money from a cash machine you need both the card and your PIN. To log into an online banking application you need your account details plus a one-use, time-limited code, generated by a dedicated gadget or an authenticator app, or sent by text. Codes sent by text are the weakest of these options, because text messages can be intercepted or redirected to an attacker's phone, so prefer an app or hardware token where one is offered.
Once you’ve done all that, we probably won’t know your password (but you still need to watch out for phishing).
A passwordless future
Humans are not good at passwords, but computers are. So maybe the long-term solution is to get rid of passwords and replace them with stronger ways of proving your identity, such as passwordless "magic" links or QR codes. We also expect to see increasing use of standards like WebAuthn, which lets you prove your identity at the touch of a button and protects you from phishing, because the credential is bound to the genuine site's origin and will not work on a look-alike.
We’ll blog more about this soon.
P.S. If you want to hear directly from Glyn Wintle, our CTO, about all things password related, here’s his talk at Ignite London 7.