Password Security
Is password security a thing of the past? Not yet. But I do believe that too much emphasis is being put on creating and constantly changing our ever more complex account passwords. Here’s an example. In order to check the amount of available leave time I have at my job, I have to enter a site code, an institution code, a password that must be changed every 6 weeks, an employee code, and then my password again. All to see that I have 25 available hours.
Isn’t that just a bit much? I mean, my bank doesn’t employ that level of security to access my deposits, savings, and retirement accounts. Why the overkill for substantially less valuable information?
The tech world has gotten out of hand. From creating ridiculously complex passwords that no one can remember to changing your password so often that you have to keep a list of what you’ve previously used, IT departments are making people crazy. And if you believe the studies that are coming out, they are doing so for no reason.
One of the most comprehensive studies to date comes from the Computer Science Department at the University of North Carolina. Their report (which can be accessed here) states the following:
There is already considerable evidence that human-chosen passwords are typically too weak to survive a patient brute-force attacker.
We confirm previous conjectures that the effectiveness of [password] expiration in meeting its intended goal is weak.
Common sense can also shed some light on the foolishness of password expiration. Let’s suppose someone steals or guesses your password on Tuesday at 3:30pm. What are the odds that your password will expire and you will change it to something new before the thief uses it to access your account later that night? Almost 0%. Once a thief has your password, they are going to use it. Changing it later on makes no difference. That would be like having your house key stolen, being burglarized, and then waiting another 6 months to change your locks. It’s nonsense.
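To put a number on the argument above, here is a small simulation I am adding to this post; it is not from the UNC report or the original text. It assumes the password is stolen at a uniformly random point in its expiry period, that the victim rotates it the moment it expires, and that the thief uses it a fixed number of days after stealing it (all three are modelling assumptions, not data from the page). The expiry period defaults to the 6 weeks (42 days) mentioned earlier.

```python
import random

# Constructed example: quantify how often password expiration actually
# invalidates a stolen password before the thief gets to use it.


def expected_rotated_fraction(expiry_days: float, attacker_delay_days: float) -> float:
    """Closed-form version of the model.

    If theft happens uniformly within an expiry period of length E and the
    thief waits D days, the password has expired (and been rotated) before use
    exactly when D >= time remaining until expiry, which has probability min(D / E, 1).
    """
    if expiry_days <= 0:
        raise ValueError("expiry_days must be positive")
    return min(attacker_delay_days / expiry_days, 1.0)


def simulate_rotated_fraction(expiry_days: float, attacker_delay_days: float,
                              trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same quantity.

    Each trial draws a theft time inside the current expiry period (assumption:
    uniform), then checks whether the thief's delay is long enough for the
    password to have expired and been replaced by the victim.
    """
    rng = random.Random(seed)
    rotated_before_use = 0
    for _ in range(trials):
        days_since_last_rotation = rng.uniform(0, expiry_days)  # assumption: uniform theft time
        days_until_expiry = expiry_days - days_since_last_rotation
        if attacker_delay_days >= days_until_expiry:
            rotated_before_use += 1
    return rotated_before_use / trials


def sweep(expiry_days: float = 42.0):
    """Return (delay, simulated, closed-form) rows for a few attacker delays."""
    rows = []
    for delay in (0.25, 1.0, 7.0, 21.0, 42.0):  # hours-later up to a full expiry period
        rows.append((delay,
                     simulate_rotated_fraction(expiry_days, delay),
                     expected_rotated_fraction(expiry_days, delay)))
    return rows


if __name__ == "__main__":
    print("attacker delay (days)  simulated  closed-form")
    for delay, sim, exact in sweep():
        print(f"{delay:>20.2f}  {sim:9.4f}  {exact:11.4f}")
```

The interesting row is the first one: with a 42-day expiry and a thief who uses the password a few hours after stealing it, expiration helps in well under 1% of cases. Only when the thief sits on the password for a large fraction of the expiry period does rotation start to matter, which is the scenario the post argues is rare.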
But perhaps a different approach would be more convincing. A report from Microsoft Research (although I can’t seem to find the source at the moment) states that accounts are compromised using the following techniques, in order from most common to least common:
- Phishing
- Malware
- Keylogging
- Shoulder surfing
- Written account information
- Brute force
Notice that brute force (#6) is at the bottom of the list. This means that creating a strong password really isn’t that important, because it only defends against a method that isn’t widely used. Moreover, a complicated password (or one that is frequently changed) is often written down, leading to #5 on the list, written account information.
So don’t worry too much about what kind of password you have for your accounts. In the long run, it doesn’t amount to much anyway. But if you’re still concerned, check out the following website, which will not only evaluate your current password, but offer some suggestions for future use.
http://howsecureismypassword.net/
Of course, that’s only if you trust them. I mean, you did just give them your current password and perhaps even used one of theirs.