We’re doing passwords wrong!

You suspected it all along, and now it’s official: the “experts” have been forcing us to use passwords the wrong way. Among those practices that actually decrease security: adding weird characters to your text-based password, forcing people to change their password after a certain number of days or logins. The revelation comes from a recent document from NIST. Now there’s only hope that Government websites will start adopting the new guidelines (they’re the worst perpetrators).

In this article, I am repeating much of what I already said in this other article, but with less technical jargon and a few more months available for testing.

Here’s a few articles that tell you all about it, (thanks to Bruce Schneier for the links):

The new NIST standard (long): http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63-3.pdf

Why password complexity rules are bad:
https://www.wsj.com/articles/the-man-who-wrote-those-password-rules-has-a-new-tip-n3v-r-m1-d-1502124118 (link behind paywall)

Why password expiration is bad:
https://securingthehuman.sans.org/blog/2017/03/23/time-for-password-expiration-to-die

Stop trying to fix the user:
http://ieeexplore.ieee.org/document/7676198/

Short summary: Complicating your password with alternative characters won’t help because hackers are already testing all variations that you are likely to remember, and they do it to the tune of billions per second. Forcing you to change a password that hasn’t been compromised is as foolish as asking you to write it somewhere in order to have any hope of remembering it afterwards. Instead, do two-factor authentication or use a password manager.

But let’s say you don’t want to do two-factor or it simply isn’t available for the website you want to log into. Let’s say you are concerned about having a browser extension looking at everything you type for the sake of saving your passwords somewhere. Is there a way to get decent security?

Yes, says security expert Manuel Bloom, who proposes that instead we compute a password based on the website name, or whatever, using this process. Because Blum’s process is rather long, I came up with a simpler alternative, as explained in this article. The idea was to make two random-looking mixed alphabets from an easily retrievable piece of text (so you can re-generate them if necessary), and write them at the top and side of a Tabula Recta, as in the picture. Then, for each website you need to log into, do this to come up with the password:

  1. Take the name of the website (or whatever string you decide is representative of it; if it is less than seven characters long, you may want to keep the .com, etc.) and look up the first letter at the top, then down that column until you find the last letter (it’s probably easier to look for the second letter, but the article I wrote back then said the last letter), then off to the side to read the first output letter.
  2. Now repeat the process above with the second letter in the name, going down until you find the first letter of the output, in order to find the second output letter. Then take the third name letter and go down to the second output letter, and so on until you run out of letters in the name. The output is your password.
  3. If the website requires numbers or special characters, add those at the end. It’s okay to use always the same set of those, since they don’t really add any security.

Now, this still takes some time to compute, but if you have a password manager you can go ahead and tell it to remember it, knowing that you’ll be able to reconstruct the unique password for that website in about a minute in case the manager loses it. If this is a website that forces you to change your password to something you’ve never used before (I’m looking at you, .gov websites), one easy thing to do is change the first letter to the next in the alphabet, which will cause the output to be completely different; just keep track of how many times they forced you to come up with a new password.

Best thing about the scheme is that you don’t have to memorize anything. The only requirement is a little piece of paper that you can carry in your wallet—and which you won’t have to use very often, either; think of it as a master key.

Update: It’s been almost a year since I wrote this, and it struck me all of a sudden that this strategy would work wonderfully with a computer helping you to run the calculations, and in fact could go far beyond what you can do in terms of security and ease of use. The result is SynthPass, a free extension for Chrome and Firefox that I have just released into the respective web stores. Here’s the blog post talking about it.

One thought to “We’re doing passwords wrong!”

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.