The Origin of Current Password Creation Guidance
The complexity of current passwords largely stems from an eight-page document authored by a manager at the National Institute of Standards and Technology. The document, “NIST Special Publication 800-63, Appendix A”, advised that “passwords should contain irregular capitalisation, special characters and at least one number”. It also indicated that passwords should be changed regularly, at least every 90 days.
This advice changed slightly over the years, eventually settling on: choose a word, swap some letters for numbers, add some digits to the start or the end and throw in a few special characters for good measure. All this has achieved is to make passwords hard for people to remember and easy for computers to guess.
Whilst this advice was reasonable given the computing power of the time, technology has marched on, and passwords created using these techniques, such as “D1seng4g358!” (Disengage), can be cracked by brute force on a standard desktop computer in about 3 days.
The author of what was considered the de facto guide to passwords now says that he regrets the advice:
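The reason a password like “D1seng4g358!” falls quickly is that the attacker does not have to search every 12-character string: if the construction recipe is known (dictionary word, letter-for-digit swaps, a few digits and a symbol on the end), the number of candidates is far smaller than the character-class arithmetic suggests. The following added example (not code from the original article) estimates both figures and compares them with a randomly chosen four-word passphrase. The dictionary size, substitution table, symbol count and word-list size are all assumptions chosen for illustration; the “Disengage” password is the article's own example.

```python
import math

# Assumed attacker model (illustrative, not the article's figures):
# a dictionary word, optional leet swaps, optional capitalisation of the
# first letter, then appended digits and symbols.
DICT_WORDS = 171_000                      # assumption: size of an English word list
LEET_PAIRS = {"a": "4", "e": "3", "i": "1", "o": "0", "s": "5", "t": "7"}
SYMBOLS = 32                              # printable ASCII punctuation characters
PASSPHRASE_LIST = 7776                    # assumption: a 7776-word (Diceware-sized) list


def naive_entropy_bits(password: str) -> float:
    """Bits if every character were drawn uniformly from the classes it uses.

    This is the number password meters usually report; it overstates the
    strength of pattern-built passwords.
    """
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(not c.isalnum() for c in password):
        classes += SYMBOLS
    return len(password) * math.log2(classes)


def pattern_entropy_bits(base_word: str, suffix: str) -> float:
    """Bits under the word + swaps + capitalisation + suffix model.

    Each swappable letter is either swapped or not (2 choices), the first
    letter is upper or lower (2), each suffix digit has 10 choices and each
    suffix symbol SYMBOLS choices.
    """
    swappable = sum(1 for c in base_word.lower() if c in LEET_PAIRS)
    digits = sum(1 for c in suffix if c.isdigit())
    symbols = sum(1 for c in suffix if not c.isalnum())
    guesses = DICT_WORDS * 2 * (2 ** swappable) * (10 ** digits) * (SYMBOLS ** symbols)
    return math.log2(guesses)


def passphrase_entropy_bits(words: int, list_size: int = PASSPHRASE_LIST) -> float:
    """Bits for `words` words chosen independently and uniformly from the list."""
    return words * math.log2(list_size)


def is_in_family(password: str, base_word: str, suffix: str) -> bool:
    """True if `password` is one of the candidates the pattern model enumerates."""
    if not password.endswith(suffix):
        return False
    head = password[: len(password) - len(suffix)]
    if len(head) != len(base_word):
        return False
    return all(
        p.lower() == b.lower() or p == LEET_PAIRS.get(b.lower())
        for p, b in zip(head, base_word)
    )


if __name__ == "__main__":
    sample = "D1seng4g358!"                # the article's example password
    print(f"{sample}: naive   {naive_entropy_bits(sample):.1f} bits")
    print(f"{sample}: pattern {pattern_entropy_bits('Disengage', '58!'):.1f} bits")
    print(f"4 random words:  {passphrase_entropy_bits(4):.1f} bits")
```

Under these assumptions the complex-looking password is worth roughly 35 bits to an attacker who knows the recipe, against the 78 bits a character-class meter would report, while four random words from a modest list give about 52 bits and are far easier to remember. The absolute numbers move with the assumed dictionary and list sizes; the ordering does not.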
“Much of what I did I now regret … In the end, it was probably too complicated for a lot of folks to understand very well, and the truth is, it was barking up the wrong tree.”
Government Guidance
Both the UK and US governments, through the Centre for the Protection of National Infrastructure (CPNI, UK) and the National Institute of Standards and Technology (NIST, US), have updated their guidance on password usage, and they share the majority of recommendations.
One of the most recognisable departures from their previous guidelines concerns password expiry. Both organisations now recommend that passwords do not expire, but that they are changed when there is evidence that an account has been, or may have been, compromised.
How Your Passwords Get Discovered
There are several ways that passwords get exposed and compromised:
- Social Engineering – Tricking users into divulging their passwords
- Manual Guesswork – Using information about the user to manually guess likely passwords
- Interception – Intercepting passwords that are sent in plain text by email or by post
- Stolen – A significant number of people use the same password in multiple places; if one of those services is compromised (TalkTalk, Yahoo, AshleyMadison etc.) then their password can be retrieved
- Shoulder Surfing – As simple as someone looking over your shoulder (in person or via a camera) while you are entering your password
- Keyloggers – A hardware device attached to, or software installed on, your computer that records every keystroke, which is then sent to a remote system or retrieved later
- Automated Guesswork – Using a computer (or multiple computers) to guess passwords thousands of times per second
- Searching – If a third party has physical access to where a user works, they can often find clues to the user's password, or even the password itself, written down somewhere nearby
Alternatively, your password doesn’t need to be compromised if you have chosen a weak password to begin with.
Top 25 Passwords In Use By Year (that you should never use)
Rank | 2011 | 2012 | 2013 | 2014 | 2015 | 2016 |
---|---|---|---|---|---|---|
1 | password | password | 123456 | 123456 | 123456 | 123456 |
2 | 123456 | 123456 | password | password | password | password |
3 | 12345678 | 12345678 | 12345678 | 12345 | 12345678 | 12345 |
4 | qwerty | abc123 | qwerty | 12345678 | qwerty | 12345678 |
5 | abc123 | qwerty | abc123 | qwerty | 12345 | football |
6 | monkey | monkey | 123456789 | 123456789 | 123456789 | qwerty |
7 | 1234567 | letmein | 111111 | 1234 | football | 1234567890 |
8 | letmein | dragon | 1234567 | baseball | 1234 | 1234567 |
9 | trustno1 | 111111 | iloveyou | dragon | 1234567 | princess |
10 | dragon | baseball | adobe123 | football | baseball | 1234 |
11 | baseball | iloveyou | 123123 | 1234567 | welcome | login |
12 | 111111 | trustno1 | admin | monkey | 1234567890 | welcome |
13 | iloveyou | 1234567 | 1234567890 | letmein | abc123 | solo |
14 | master | sunshine | letmein | abc123 | 111111 | abc123 |
15 | sunshine | master | photoshop | 111111 | 1qaz2wsx | admin |
16 | ashley | 123123 | 1234 | mustang | dragon | 121212 |
17 | bailey | welcome | monkey | access | master | flower |
18 | passw0rd | shadow | shadow | shadow | monkey | passw0rd |
19 | shadow | ashley | sunshine | master | letmein | dragon |
20 | 123123 | football | 12345 | michael | login | sunshine |
21 | 654321 | jesus | password1 | superman | princess | master |
22 | superman | michael | princess | 696969 | qwertyuiop | hottie |
23 | qazwsx | ninja | azerty | 123123 | solo | loveme |
24 | michael | mustang | trustno1 | batman | passw0rd | zaq1zaq1 |
25 | Football | password1 | 0 | trustno1 | starwars | password1 |
What to do about passwords – our top tips
- Long passphrases are better than strong shorter passwords
- Change your passwords if you think they have been compromised
- Don’t use the same password everywhere
- Change any default passwords
- Allow users to securely record and store their passwords
- Don’t allow password sharing
- Use machine-assisted password generation
- Use account lockouts and monitor for unusual activity
- Don’t store passwords as plain text
- Password managers can help but should be treated with caution
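Two of the tips above fall on the system owner rather than the user: never store passwords as plain text, and use account lockouts with monitoring. The following added example (not code from the original article) shows one way to do both with only the Python standard library: passwords are stored as salted PBKDF2-HMAC-SHA256 records and verified in constant time, and a small in-memory account store locks an account after a run of failed attempts while writing events to an audit log. The iteration count, lockout threshold and lockout duration are assumed values chosen for illustration and should be tuned to your own hardware and risk appetite.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters (not from the article): tune to your environment.
PBKDF2_ITERATIONS = 600_000   # work factor; raise as hardware gets faster
SALT_BYTES = 16
MAX_FAILURES = 5              # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60     # how long a lock lasts


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Return a salted PBKDF2-HMAC-SHA256 record; the plaintext is never kept."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Storing the algorithm and work factor alongside the hash lets you
    # re-hash on next login when the parameters are raised later.
    return {"algo": "pbkdf2_sha256", "iterations": iterations, "salt": salt, "hash": digest}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


class AccountStore:
    """In-memory user store with per-account lockout and an audit log."""

    def __init__(self):
        self.records = {}       # username -> hash record
        self.failures = {}      # username -> consecutive failed attempts
        self.locked_until = {}  # username -> clock value when the lock expires
        self.events = []        # audit lines a monitoring system would consume

    def add_user(self, username: str, password: str) -> None:
        self.records[username] = hash_password(password)
        self.failures[username] = 0

    def login(self, username: str, password: str, now=None) -> str:
        """Return 'ok', 'locked' or 'bad_credentials'.

        `now` is injectable so lockout expiry can be tested without sleeping.
        """
        now = time.monotonic() if now is None else now
        if username not in self.records:
            # Do one hash anyway so an unknown user costs the same as a wrong
            # password; otherwise response time reveals which names exist.
            hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
            self.events.append(f"login failure: unknown user {username!r}")
            return "bad_credentials"
        if self.locked_until.get(username, 0) > now:
            self.events.append(f"login attempt on locked account {username!r}")
            return "locked"
        if verify_password(password, self.records[username]):
            self.failures[username] = 0
            return "ok"
        self.failures[username] += 1
        self.events.append(
            f"login failure: {username!r} ({self.failures[username]}/{MAX_FAILURES})"
        )
        if self.failures[username] >= MAX_FAILURES:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            self.failures[username] = 0
            self.events.append(f"account {username!r} locked for {LOCKOUT_SECONDS}s")
        return "bad_credentials"


if __name__ == "__main__":
    store = AccountStore()
    store.add_user("alice", "correct horse battery staple")   # constructed sample
    print(store.login("alice", "wrong guess"))                 # bad_credentials
    print(store.login("alice", "correct horse battery staple"))  # ok
    print("\n".join(store.events))
```

The lock is time-limited rather than permanent so that an attacker who knows a username cannot deny the real user access indefinitely just by guessing wrongly; the audit lines are what the "monitor for unusual activity" tip feeds on, so ship them to wherever your other authentication logs go.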