Should websites do more to encourage better passwords?
Passwords are often the most visible tool in the cybersecurity armory, but year after year it emerges that most of our passwords are utterly dismal.
Indeed, the likes of “qwerty” and “123456” remain enduringly popular, and data from our latest research shows that 2022 is no exception. Even when we graduate from these absurdly simplistic passwords, their replacements are often no better: Game of Thrones star Diana Rigg is famously said to have used “F*** off” as her password.
Whenever these kinds of stories are shared, there is a clear tendency to blame users for not choosing more effective passwords: if only they were more security-savvy, they would not have suffered the wave of cyberattacks seen during the Covid pandemic.
While there is undoubtedly an element of truth to this, the very fact that the same awful passwords remain among the most popular year after year suggests that the message about choosing stronger passwords is not getting through.
Encouraging better cyber hygiene
Instead, the likely solution is for websites and service providers to shoulder more of the responsibility for encouraging and enforcing better digital hygiene among their users. A growing number of websites display visual indicators of password strength, but the continued use of extremely simple, easy-to-crack passwords suggests that much more needs to be done, even if that means blocking such passwords altogether.
The reality is that there is tremendous variation across the sector, with some websites accepting any old password, some indicating how secure a password is without really providing guidance on what “good” looks like, and others mandating the use of more secure password types.
At the moment, it’s too easy for website owners to pass the buck onto users while at the same time readily accepting the likes of “password” as someone’s entry into their system.
The evidence from the last twenty years clearly shows that if you allow people to make bad choices, they will continue to make them. A better approach is to mandate effective passwords, backed by a blacklist that forbids the kind of common yet highly insecure passwords identified in our research.
Many websites may believe they are already doing this: common practice is to require passwords containing a mixture of upper- and lower-case letters, punctuation symbols, and numbers. Yet guidance from organizations such as the National Institute of Standards and Technology (NIST) says these composition rules should no longer be used, as they are not as secure as we think.
Indeed, NIST’s official advice is that password length matters far more than complexity. The longer the password, the harder it is for attackers to crack by brute force, which means trying every possible combination of letters, numbers, and symbols until a match is found. NIST also notes that less complex passwords are often much easier to remember, which can be crucial given how many of us reuse the same password across multiple services.
Despite these recommendations, many websites continue to favour complexity over length. Some even go so far as to prevent very long passwords by imposing an upper character limit.
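To make the contrast concrete, here is an added example (not code from the original article) that puts a legacy composition policy side by side with a length-and-blocklist policy of the kind NIST SP 800-63B describes. The composition rules in `complexity_policy` are a hypothetical site policy; the 8-character minimum and the requirement to accept at least 64 characters are NIST’s, the blocklist is a constructed ten-entry stand-in for the large list of leaked and common passwords a real service would load, and the leet-speak normalization is a heuristic of my own so that “P@ssw0rd” is compared as “password”.

```python
import unicodedata

# Constructed sample blocklist standing in for the large list of leaked and
# commonly chosen passwords a real deployment would load.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "qwerty", "12345678", "111111", "letmein",
    "iloveyou", "admin", "welcome", "football",
})

# Heuristic symbol-for-letter substitutions (assumption, not from NIST) so that
# "P@ssw0rd" is looked up as "password".
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "5": "s", "7": "t"})


def normalize_for_blocklist(pw: str) -> str:
    """Canonicalise a candidate before the blocklist lookup: Unicode NFKC,
    lowercase, strip trailing digits/punctuation (Password1! -> password),
    then undo common symbol-for-letter substitutions."""
    s = unicodedata.normalize("NFKC", pw).lower()
    s = s.rstrip("0123456789!?.")
    return s.translate(LEET_MAP)


def complexity_policy(pw: str) -> tuple[bool, str]:
    """Legacy composition policy of the kind the article criticises
    (hypothetical site rules): 8-16 characters containing an upper-case
    letter, a lower-case letter, a digit and a symbol."""
    if not 8 <= len(pw) <= 16:
        return False, "length must be between 8 and 16 characters"
    has_upper = any(c.isupper() for c in pw)
    has_lower = any(c.islower() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(not c.isalnum() for c in pw)
    if not (has_upper and has_lower and has_digit and has_symbol):
        return False, "must mix upper, lower, digits and symbols"
    return True, "accepted"


def nist_policy(pw: str, username: str = "", blocklist=COMMON_PASSWORDS,
                min_len: int = 8, max_len: int = 64) -> tuple[bool, str]:
    """Length-and-blocklist policy following NIST SP 800-63B: at least 8
    characters, at least 64 permitted, no composition rules, spaces allowed,
    and rejection of common, compromised or context-specific values."""
    if len(pw) < min_len:
        return False, f"too short: at least {min_len} characters required"
    if len(pw) > max_len:
        return False, f"too long: at most {max_len} characters accepted"
    canon = normalize_for_blocklist(pw)
    if canon in blocklist or pw.lower() in blocklist:
        return False, "too common: appears on the blocklist of known passwords"
    if username and username.lower() in canon:
        return False, "must not contain your username"
    if len(set(pw)) <= 2:
        return False, "too repetitive"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed candidates: the first satisfies the composition rules yet is
    # a trivially guessable variant of "password"; the second is a long
    # passphrase the composition rules reject.
    for candidate in ["P@ssw0rd", "Qwerty123!", "correct horse battery staple"]:
        print(f"{candidate!r:35} complexity={complexity_policy(candidate)} "
              f"nist={nist_policy(candidate)}")
```

Run as a script, the comparison shows the point the article makes: the composition policy accepts “P@ssw0rd” and “Qwerty123!” while rejecting a 28-character passphrase, whereas the NIST-style policy does the reverse. The blocklist lookup runs on the normalized form and on the raw lowercase form, so appending “1!” or swapping in “@” and “0” does not get a common password past the check.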
While it’s very tempting to think that users who practise poor cyber hygiene are only putting themselves at risk, and that any attempt to change that is excessively paternalistic, this line of thinking is muddled, not least in a GDPR era that requires organizations to protect users’ personal data as robustly as possible.
What’s more, attackers can often use a single cracked account as a beachhead from which to exploit other weaknesses in the system and gain far more damaging control over it. It’s nonsensical to brush aside any breach of your network, no matter how small, especially one that could be prevented so easily.
While there is undoubtedly a move towards passwordless authentication systems, the humble password is unlikely to go anywhere anytime soon. Indeed, the death of passwords has been an almost annual prediction for over a decade now, yet it remains the bedrock of our digital security. As such, we have a collective responsibility to help ensure that we get the basics of digital hygiene right rather than passing all of the blame onto users.