Few things are as central to the concept of security as passwords. Guarded by those who have them, coveted by those who want them, passwords are the keys to the proverbial kingdom. The kingdom in this case being the ever-expanding range of online services we use in our daily lives.

Passwords unlock services that help us to store and share our personal data, business information and in some cases our financial details. Not surprisingly then, good password practice figures heavily in security awareness training programmes and in general security advice. But persuading people to use safer, stronger and more secure passwords has always been a challenge for security professionals.

Passwords then and now

Looking back through our blog archive, we found a post citing research from 2014, where the ten most common passwords were: 123456, password, 12345, 12345678, qwerty, 123456789, 1234, 1234567, letmein, and abc123.

Now let’s compare that to Microsoft’s latest research, which revealed the top 10 passwords used in guessing attacks. They were: 123456, password, 000000, 1qaz2wsx, a123456, abc123, abcd1234, 1234qwer, qwe123, and 123qwe. There’s some obvious overlap, but the common pattern across both sets is that people will often pick convenience over security. The problem is that choosing passwords that are easy to remember also makes them easier for an attacker to guess.

It’s the security team’s job to educate end users about good password practice. But as technology has evolved, so has the advice about passwords. Confusingly for many people, much of the thinking about passwords hasn’t just evolved; now it contradicts what we thought we already knew.

(Good) practice makes (not so) perfect

Much of what passed for good password practice dates back to NIST guidance that came out in 2003. It encouraged creating passwords using a minimum of seven characters, combining numbers, capital letters and special characters. It also recommended changing passwords every 90 days. There was just one problem with this advice: it was terrible.

As if to prove hindsight is the only perfect science, the writer Bill Burr later changed his mind. Granted, it only took him 14 years, but still. As Brian Honan blogged at the time, Burr’s original advice turned out to be hugely counterproductive.

“Many of the tips Burr shared in 2003 ended up making us less secure because many people fell into using combinations of numbers and words that attackers and their algorithms found easy to guess. When prompted to add a special character to a password, many people simply add an exclamation mark or @ symbol. Being forced to change passwords regularly just enforced bad habits, such as simply adding a number or character to an existing password.”

Recycle where possible – except your passwords

Instead, Brian recommended not using the same login details on multiple websites or online services. Using the same credentials over and over again puts us at risk if attackers compromise any one of those sites: they can then use those same credentials to access other services.

It turns out that’s exactly what Microsoft discovered. It analysed the seven most common ways that attackers break into accounts. In the most frequently used attack, called credential stuffing, a password’s length is irrelevant since attackers already have the password. They get it from data they obtained from other breached sites and they just test for matches. What they’re really relying on is the very human tendency to reuse the same password on more than one account.

Scroll down through the list of attacks in Microsoft’s list: phishing, keystroke logging, local discovery, extortion, password spray, and brute force. The same pattern recurs.
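The two attack shapes described above, many guesses against one account (brute force) versus one or two guesses each against many accounts (password spray or credential stuffing), look different in authentication logs. The heuristic below is an added example, not code from the original post or from Microsoft; the log format, sample lines and thresholds are constructed assumptions.

```python
"""Heuristic classifier for failed-login patterns (added example, not from
the original post). It separates brute force (many guesses against one
account) from spray-like activity (password spray or credential stuffing:
one or two guesses each against many accounts). Log format and thresholds
are assumptions chosen for illustration."""
from collections import defaultdict

# Constructed sample log, one event per line: "<source_ip> <username> <result>"
SAMPLE_LOG = """\
203.0.113.10 alice FAIL
203.0.113.10 alice FAIL
203.0.113.10 alice FAIL
203.0.113.10 alice FAIL
203.0.113.10 alice FAIL
203.0.113.10 alice FAIL
198.51.100.7 alice FAIL
198.51.100.7 bob FAIL
198.51.100.7 carol FAIL
198.51.100.7 dave FAIL
198.51.100.7 erin FAIL
198.51.100.7 frank OK
192.0.2.44 bob FAIL
192.0.2.44 bob OK
"""

def parse(log: str):
    """Yield (source, user, result) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1], parts[2]

def classify_sources(log: str, min_attempts: int = 5, spread: int = 3):
    """Return {source: label} for sources with >= min_attempts failures.
    'brute_force' when the failures hit fewer than `spread` accounts;
    'spray_like' when they are spread thinly (<= 2 per account) across many;
    'mixed' otherwise. Quiet sources are not reported."""
    per_source = defaultdict(lambda: defaultdict(int))
    for src, user, result in parse(log):
        if result == "FAIL":
            per_source[src][user] += 1
    verdicts = {}
    for src, users in per_source.items():
        total = sum(users.values())
        if total < min_attempts:
            continue
        if len(users) < spread:
            verdicts[src] = "brute_force"
        elif max(users.values()) <= 2:
            verdicts[src] = "spray_like"
        else:
            verdicts[src] = "mixed"
    return verdicts
```

Note that the spray-like verdict cannot tell password spray from credential stuffing on its own: the logs show which accounts were tried, not which passwords, so a successful login in the middle of a thin spread is the signal worth investigating.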

Password length ≠ strength

In fact, Microsoft’s research into passwords reached a surprising conclusion. “When it comes to composition and length, your password (mostly) doesn’t matter,” wrote Alex Weinert of Microsoft’s Identity Division in a blog post. This finding defies the accepted security wisdom that passwords with more characters are harder for an attacker to guess.

“Only in password spray and cracking attacks does the password have any bearing at all on the attack vector”, said Weinert. In other words, longer does not mean stronger. Or if you’re refreshing a security awareness programme, you could have some fun by telling people size doesn’t matter.

Bad jokes aside, for security professionals, this finding is too big to ignore given the source. Microsoft is one of the world’s largest identity providers. Through its online services like Azure Active Directory and Office365, it sees more than 10 million attacks against username/password pairs on a daily basis. So, when it comes to supporting its conclusions with hard facts, it’s got data to spare.

Don’t coin a phrase

The research suggests that the advice to use passphrases instead of passwords is also obsolete. What’s clear is that it’s yet another nail in the coffin of the password. Slowly but surely, multi-factor authentication is gaining traction. If your organisation isn’t set up to allow this, now is a good time for a fresh look at your password advice to ensure it’s up to date.

One last shout-out to our extensive blog archive: we revisited the password debate again in late 2017 and this advice still holds up.

  • Include senior staff in security awareness training initiatives
  • Keep regular contact between the security team and the users to ensure the correct security controls are in place to support the business need
  • Update employees regularly about the latest security threats, the measures in place to protect them, and why it’s important to adhere to security policies

We encourage regular security awareness training rather than once-off efforts. As the threat environment evolves, that’s the best way to keep security advice from going stale.