During my daily reading today, I found this article titled Why changing passwords isn’t the answer to a data breach. The post brings up a good point: breached organizations would serve their customers or users better if they gave more useful guidance after a breach, rather than just “change your passwords”. The idea presented by the author is providing recommendations on how to pick a strong password, rather than simply changing it.
I think the author missed an important point though: it’s proving to be a bad idea to use the same password on different sites, no matter the strength of the password. Possibly if customers or users had an indication of how the passwords were stored on a given site or service, they could make a judgement call of whether to use their strong password or to create a separate password for that site alone. However, that’s not the world we live in. We don’t normally get to know that the site we just signed up for stores passwords in plain text or as an md5 hash with no salt.
Passwords should be strong AND unique across sites, but those goals are seemingly at odds. The passwords we see in password dumps are short and trivial for a reason: they are easy to remember! If we want someone to create a password like this: co%rre£ctho^rseba&tteryst(aple, we have to accept that the average person is either not going to do it because it’s too hard to remember, or if they can remember it, that’ll be their password across sites – until, of course, they hit on a site that won’t accept certain characters.
While the “best” answer is some form of multi-factor authentication, though it is by no means perfect. The major problem with multi-factor authentication is that the services we use have to support it. The next best thing is a password manager. Password managers let users create a strong and unique password for each service and doesn’t require the person to remember multiple hard to crack passwords. Certainly password managers are not perfect, and the good ones tend not to be free, either.
So, I would really like to hear a breached organization who lost a password database to give encourage impacted users to use a strong, unique passwords on each site and to use a password manager.
Maybe we could see companies buying a year of 1Password or Lastpass* for affected customers rather than a year of credit monitoring.
One last thing that I want to mention: I hear time and again about how bad of an idea it is to pick a passphrase than consists of a series of memorable words, like “correcthorsebatterystaple” as presented in XKCD. I’ve heard many hypotheses of why this is a bad idea, and the author points out that hashcat can make quick work of such a password. However, this kind of idea is at the center of a password scheme called “Diceware”. Diceware creates a password by rolling some dice to lookup a sequence of words in a dictionary. It’s not tough to think that “correcthorsebatterystaple” could be the output of Diceware. However, Diceware is indeed quite secure. The trap I see most people fall into when disputing the approach is focusing on the number of words in the passphrase and intuition sensibly telling us that there are not all that many ways to arrange 3 or 4 words. However, when you consider it mathematically, you realize the individual words should be thought of as just a character – a character in a very large set. Consider that a 12 character password using a normal character set has 2^95 (~3×10^102) combinations. A Diceware password with 4 words, using a dictionary of 7776 words, has 4^7776 (~4×10^4681) combinations. Hopefully this will put the correcthorsebatterystaple story in a better light.
* yes, I’m aware Lastpass just announced some vulnerabilities.