The report is indeed interesting: mathematically modelling the difficulty of remembering complex passwords and optimizing the relationship between expected loss resulting from a breached account and the complexity of passwords.
The net finding is that humans have limitations on how much they can remember, and that is at odds with the current guidance of using a strong, unique password for each account. The suggestion is that accounts should be grouped by loss characteristics, with those accounts that have the highest loss potential getting the strongest password, and the least important having something like “123456”.
The findings of the report are certainly interesting, however there seem to be a number of practical elements not considered, such as:
- The paper seems focused on the realm of “personal use” passwords, however many people have to worry about both passwords for personal use and for “work” use.
- Passwords used for one’s job usually have to be changed every 90 days, and are expected to be among the most secure passwords a person would use.
- People generally do not invest much intellectual energy into segmenting accounts into high risk/low risk when creating passwords. Often, password creation is done on the fly and stands in the way of some larger, short term objective, such as ordering flowers or getting logged in to send an urgent email to the boss.
- The loss potential of a given account is not always obvious.
- The loss potential of a given account likely does not remain constant over time.
- There are many different minimum password requirements across different services that probably work against the idea of using simple passwords on less important sites. For example, I have a financial account that does not permit letters in the password, and I have created accounts on trivial web forums that require at least 8 character passwords, with complexity requirements.
It’s disappointing that password managers were dismissed by the report authors as too risky because they represent a concentration of passwords which could itself fall victim to password guessing attacks, when hosted “in the cloud”, leading to the loss of all passwords. Password managers seem to me as the only viable alternative to managing the proliferation of passwords many of us need to contend with. Using password managers removes the need to consider the relative importance of a new service and can create random, arbitrarily long and complex passwords on the fly, without needing to worry about trying to remember them – for either important or unimportant accounts.
Now, not all password managers are created equally. We recently saw a flurry of serious issues with online password managers. Certainly diligence is required when picking a password manager, and that is certainly not a simple task for most people. However, I would prefer to see a discussion on how to educate people on rating password managers than encouraging them to use trivial passwords in certain circumstances.
I don’t mean to be overly critical of the report. I see some practical use for this research by organizations when considering their password strategies. Specifically, it’s not reasonable to expect employees to pick strong passwords for a business-related of accounts and then not write them down, record them somewhere, or create a predictable system of passwords. It gets worse when those employees are also expected to change their passwords every 90 days and to use different passwords on different systems. Finally, those same employees are also having to remember “strong” passwords for some number of personal accounts which adds more complexity to remembering more strong passwords.
In short, I think that this report highlights the importance of using password managers, both for business and for personal purposes. And yes, I am ignoring multi-factor authentication schemes which, if implemented properly, would be a superior solution.