Your Password Sucks and it's Not Your Fault

Unless you're a dev. Then it's your fault.

Bot Loves Coffee, 28 July 2017

Your password is bad.

Don’t beat yourself up about it too much, almost everyone’s password is bad. It’s actually really hard to make them good. In order to know if your password is good, I’ve built a simple checklist. If your password is good you should be able to answer “yes” to the following three questions.

  1. Is my password easy to remember?
  2. Is my password hard to guess?
  3. Is my password unique? (i.e. not reused on any other account)

I believe with the password complexity requirements many websites attempt to force on us, most of your passwords are hard to remember, easy to guess, and you’re reusing the same password for multiple accounts. But the game is rigged against you, and the seemingly simple password ends up being shockingly difficult to get right.

But before we go into why that is, here’s a brief history of the humble password that might explain how it came to be the ubiquitous pain in the butt it is today.

Humble Beginnings

As recent as passwords seem, they were invented over half a century ago, in 1961, at MIT. The Compatible Time-Sharing System (CTSS), one of the first time-sharing operating systems, let several researchers share one expensive machine. To keep each user's files private from the others, every user was given a password that acted as a lock on their account. Users were also limited to four hours of computing time so that no one hogged the machine, and the password doubled as a way to enforce that quota without anyone having to monitor when researchers came and went.

The first password theft came the very next year. In 1962 Allan Scherr, a researcher at MIT, printed out every password stored on the system: the file protections were inadequate, so he could read the file that held all of them, and logging in as other users gave him far more than his own four hours. Stop and think about that. One year into the password's history, it was already proving inadequate.

That said, operating systems have grown up a great deal since then, and modern file-system permission models make reading the credential store much harder. Even an attacker who does get hold of that file is not handed plaintext passwords: storing each one only as a salted hash (or, in some systems, in encrypted form) means every entry has to be cracked individually before it is of any use.
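To make the hashing-and-salting point concrete, here is an added example (not code from the original post): a constructed plaintext password file in the spirit of the 1962 CTSS one, and the same accounts stored as salted PBKDF2-HMAC-SHA256 records with a constant-time verification routine. The iteration count and the record format are my own choices, not anything the post prescribes.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed plaintext "password file", the shape Allan Scherr printed out in 1962:
# whoever can read it can log in as anyone, and duplicate passwords are visible at a glance.
PLAINTEXT_FILE = {
    "scherr": "hansolo",
    "alice": "hansolo",      # same password as scherr
    "bob": "#1SjjukZ%",
}

# Work factor for PBKDF2-HMAC-SHA256 (assumption: tune so one check costs tens of ms on your hardware).
ITERATIONS = 600_000


def unsalted_hash(password: str) -> str:
    """What a hash without a salt leaks: equal passwords give equal output,
    and a single precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    A fresh 16-byte random salt per user means identical passwords produce
    different records, so each one has to be attacked separately."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time
    so response timing cannot leak how many bytes of the hash matched."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported record format")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def build_hashed_file(plain: Dict[str, str]) -> Dict[str, str]:
    """Convert a plaintext file into salted-hash records (a one-time migration step)."""
    return {user: hash_password(pw) for user, pw in plain.items()}


if __name__ == "__main__":
    hashed = build_hashed_file(PLAINTEXT_FILE)
    for user, record in hashed.items():
        print(user, record[:60] + "...")
    print("scherr/alice share an unsalted hash:",
          unsalted_hash(PLAINTEXT_FILE["scherr"]) == unsalted_hash(PLAINTEXT_FILE["alice"]))
    print("scherr/alice share a salted record: ", hashed["scherr"] == hashed["alice"])
    print("login scherr/hansolo:", verify_password("hansolo", hashed["scherr"]))
```

Run it and the two "hansolo" users get visibly different records even though their passwords are identical; a thief of the hashed file must run the full 600,000-iteration derivation per guess per user, whereas the plaintext file needed no work at all.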

When passwords don’t work

Passwords were invented at a very low-stakes time in computing. Machines weren’t networked around the world. The amount of personal information you stored on the internet was next to nil. Passwords made it a bit more difficult to get at this not-particularly valuable information, meaning they essentially served their purpose. If something isn’t very important, your defense can be pretty lazy. I don’t want anyone eating my lunch, but I don’t put my tupperware in a lockbox. I just put it in the work fridge like everyone else, with my name in sharpie and social shame the only thing between me and a hungry afternoon. That’s just how things work when the stakes are low.

Today a password is often the only thing standing between a criminal and your social life or your bank account. Almost everything that matters to us, from memories to money, sits on someone else's server. This growth in the incentive to steal or guess passwords has not been matched by any corresponding improvement in how hard that is to do.

Stealing passwords has been big business for years now. So what have the good guys come up with?

Make passwords hard

“Well” You might say, “We could just make them hard to guess. Stuff like ‘password’ is way too easy. What if we start putting numbers in here? Or special characters? And what if we code it so there can’t be a dictionary word in it!”. By the way, you’re a developer in this hypothetical scenario. Sorry it has to be like this.

Anyway, you come up with this awesome plan. Just force the passwords to be complex and difficult for an attacker to guess. Make sure Joe Schmo trying to register with your application can try to set his password to ‘hansolo’ as many times as he wants, but you will continue to reject it until he comes up with something like #1SjjukZ%.

There’s only one problem: #1SjjukZ% sucks too. In fact, it might be worse.

First of all, this is almost impossible to remember. As human beings, we manage to remember all sorts of stuff that’s pretty arbitrary (See: standardized tests). So if you put your mind to it, you will start to remember #1SjjukZ% without writing it down. However, most of us have accounts on about 15-20 different services at the minimum. Facebook, Bank Account, Netflix, Spotify, Uber, Student Loans, and so on and so forth. So are you going to memorize the entire list? Can you keep in mind:

Of course not. You’ve got better things to remember, like the first verse of Hey Ya! or your girlfriend’s birthday. But these sites won’t take just any password! So what do you do?

You give up. You throw your hands up, bite the bullet, commit #1SjjukZ% to memory and use the same password for as many accounts as possible. And that’s a bigger deal than you think.
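As an added illustration (not the post's own code) of the policy the hypothetical developer sketched above, here is that composition rule set beside a length-first alternative, run over the three passwords the post mentions. The tiny DICTIONARY and DENYLIST are constructed stand-ins, and the 8-character minimum is my assumption; a real deployment would check against a full word list and a breached-password list.

```python
import re
import string
from typing import Callable, Dict, List

# Sample inputs from the post: Joe Schmo's attempt, the string the policy forces on him,
# and the memorable passphrase the post recommends later on.
CANDIDATES = ["hansolo", "#1SjjukZ%", "DivingSwallowLovesHamburgers"]

# Constructed stand-ins. A real check loads a full word list and a breached-password list.
DICTIONARY = {"han", "solo", "hansolo", "diving", "swallow", "loves", "hamburgers", "password"}
DENYLIST = {"password", "123456", "hansolo", "letmein"}


def dictionary_words(pw: str) -> List[str]:
    """Split on case changes so 'DivingSwallow' yields 'diving', 'swallow'."""
    return [w.lower() for w in re.findall(r"[A-Z]?[a-z]+", pw)]


def composition_policy(pw: str) -> bool:
    """The 'make it hard' rules: at least 8 chars, a digit, a special character,
    upper and lower case, and no dictionary word anywhere in it."""
    checks = [
        len(pw) >= 8,
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
        any(c.isupper() for c in pw),
        any(c.islower() for c in pw),
        not any(w in DICTIONARY for w in dictionary_words(pw)),
    ]
    return all(checks)


def length_first_policy(pw: str, min_len: int = 8) -> bool:
    """Passphrase-friendly alternative: a minimum length and a block on known-bad
    passwords, with no composition rules (assumption: min_len is mine, not the post's)."""
    return len(pw) >= min_len and pw.lower() not in DENYLIST


POLICIES: Dict[str, Callable[[str], bool]] = {
    "composition": composition_policy,
    "length_first": length_first_policy,
}


def evaluate(candidates=CANDIDATES) -> Dict[str, Dict[str, bool]]:
    """Which policy accepts which password."""
    return {pw: {name: policy(pw) for name, policy in POLICIES.items()} for pw in candidates}


if __name__ == "__main__":
    for pw, verdicts in evaluate().items():
        verdict_text = "  ".join(f"{k}={'accept' if v else 'reject'}" for k, v in verdicts.items())
        print(f"{pw:32} {verdict_text}")
```

The composition policy does exactly what the post complains about: it waves through #1SjjukZ% and rejects DivingSwallowLovesHamburgers because the phrase contains dictionary words and no digit, even though the phrase is both longer and far easier to remember.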

Relative Security

On the one hand, you imagine it can’t be too bad. If Facebook experiences a massive data breach tomorrow and loses everyone’s passwords, you can expect to be notified pretty quickly. And once you know, you can go ahead and change your password. Sure, it sucks to do it on all 20 services, but that’s not critical.

But not every organization is Facebook. At some point you’re going to create an account for some throwaway service - some news site you can’t read until you make an account, or some shopping site that’s shipping an album you really want to hear. You will make an account and use your one password out of habit.

These smaller organizations now also have your password. If they’re compromised, they might not even know it. They might not tell any of their customers. One of their underpaid database administrators may simply decide to take your password because they can. And because almost every site now identifies you by the same email address and password, anyone who gets hold of that one password is effectively you. All because you didn’t want to remember 20+ nonsense phrases to be able to use the internet.

Okay, so how do I pick a good password?

There’s actually a pretty solid xkcd comic about this. So I’m not going to pretend these are completely original thoughts on the topic. You just need a memorable phrase. Usually it’s just a series of different words that can be placed into a phrase together. Try DivingSwallowLovesHamburgers. Or PompousSwallowHatesCheese. You can also choose phrases that have nothing to do with swallows.

I couldn’t possibly remember 20 of those! Now I feel like picking a good password is a sisyphean task and I am upset. Why did I read this?

Well, there’s one option I can vouch for personally. You can use a password manager!

Password managers provide your own personal store of passwords. You come up with a single master password that unlocks the manager, and the manager keeps your actual usernames and passwords inside. Managers can also generate passwords for you. You say “Hey, I want a password with 15 characters, uppercase characters, numbers and special characters” and your password manager replies “Hey man, sounds good. How’s “SKT&P@YtS4XEwRp” sound?”

Then, any time you log into an online service, you can just copy and paste the password.
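Added example (not code from the post) covering both the xkcd-style passphrase recommended earlier and the “15 characters with uppercase, digits and specials” request a manager fulfils. It uses Python's secrets module as the CSPRNG; the WORDLIST is a constructed stand-in for the few-thousand-word list a real generator uses, and the entropy figures are computed against whatever list is actually passed in.

```python
import math
import re
import secrets
import string
from typing import List, Sequence

# Constructed word list. Assumption: a real generator uses a list of a few thousand words
# (a Diceware list, for instance); the entropy helpers below use the size of the list given.
WORDLIST = [
    "diving", "swallow", "loves", "hamburgers", "pompous", "hates", "cheese", "study",
    "scarlet", "coffee", "bot", "lunch", "fridge", "sharpie", "tupperware", "password",
]

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.<>/?",
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "special")


def passphrase(words: int = 4, wordlist: Sequence[str] = WORDLIST) -> str:
    """xkcd-style: words drawn uniformly with a CSPRNG, capitalised for readability."""
    return "".join(secrets.choice(wordlist).capitalize() for _ in range(words))


def passphrase_bits(words: int, wordlist: Sequence[str] = WORDLIST) -> float:
    """Entropy depends on list size and word count, not on the letters inside the words."""
    return words * math.log2(len(wordlist))


def split_passphrase(p: str) -> List[str]:
    """Recover the words from a capitalised passphrase (words are letters only)."""
    return [w.lower() for w in re.findall(r"[A-Z][a-z]*", p)]


def has_all_classes(pw: str, classes=DEFAULT_CLASSES) -> bool:
    return all(any(ch in CLASSES[c] for ch in pw) for c in classes)


def random_password(length: int = 15, classes=DEFAULT_CLASSES) -> str:
    """Manager-style 'N characters with upper, digits and specials'. Every position is
    drawn uniformly from the union alphabet and the whole draw is repeated until each
    required class appears; picking one character per class and shuffling would skew
    the distribution and lower the effective entropy."""
    if length < len(classes):
        raise ValueError("length too short to contain every required class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(pw, classes):
            return pw


def password_bits(length: int, classes=DEFAULT_CLASSES) -> float:
    """Upper bound on entropy (the class requirement rejects a negligible fraction of strings)."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(passphrase(4), f"~{passphrase_bits(4):.1f} bits with this {len(WORDLIST)}-word list")
    print(random_password(15), f"~{password_bits(15):.1f} bits")
```

With the 16-word toy list a four-word phrase is only 16 bits, which is why the list size matters: swap in a 7,776-word Diceware list and the same four words are about 51.7 bits, while the 15-character manager-generated string is about 96.9 bits. The passphrase is the one you can type from memory into the manager; the long random string is the one the manager remembers for you.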

Now, this presents an obvious issue. If someone only needs to find one username and password to get at all of your accounts, isn’t that dangerous? Well, it’s up to you to pick a strong master password. But it’s pretty easy to use the guidelines outlined in that xkcd comic to come up with a pretty hard to guess password. For example, I used StudyInScarletIsReadByHarlets for a long time (as one of my favorite books, it was hard to forget). Hats off to the bot that figures that one out. If you’re really paranoid, you can use a password manager that isn’t cloud based, like KeePass. The downside is that the database lives only where you put it, so it won’t be on your phone unless you copy it there yourself. But for passwords you need only in one context (work), it’s a great program. In addition, you can put your KeePass database on a flash drive and use it in multiple contexts that way. Just keep in mind it won’t sync.

I’m personally satisfied with LastPass. It’s free, I can access it from my iPhone and it actually has a decent native Mac application. They have had some security issues in the past, but the developers have fixed them fairly quickly and with enough transparency that I personally am still comfortable with the work they’re doing.

What have we come up with besides passwords?

Two-factor authentication is huge as well. Most sites guarding valuable data will give you the opportunity to use two-factor authentication. Two-factor doesn’t mean having two or more passwords, as some bank sites enforce. Instead, it means a combination of “something you know” and “something you have”.

“Something you know”, in this case, is the password. “Something you have” can change depending on the context. The most common and easiest to integrate into your usual behavior is a text message. After entering your password, the website will send you a text with a code. The phone is something you have, and after you enter the code into the website you’re granted access.

This also warns you of a compromise. If an attacker guesses your password, your phone receives a text and you instantly know someone is trying to get into your account without your permission. That’s a good cue to change your password, and a much better one than finding out you’ve been sending spam to your Facebook friends or funneling money out of your bank account.

Personally I have two-factor enabled on all of my important accounts. I promise it’s not much of a hassle once you get used to it. You probably already have your phone on you all the time, so why not use it for security? That said, SMS two-factor carries a real risk of text hijacking: a code sent by text can be intercepted or redirected to an attacker’s phone. A better option is an authenticator app, like Authy or Google Authenticator, which generates the code on the device itself. Authenticator apps deserve a longer explanation, but you should read it from the pros over at Duo.

In closing

If this article did its job, you should be feeling a little uncomfortable. If it really did the job, you’ll go set up an account with LastPass and change your Facebook password before a hacker does it for you.