Stop blaming people for using poor passwords; it’s past time for websites to do more

Year after year, the lists of most-used passwords compiled from breach data are topped by the likes of “123456”, “qwerty”, and even “password”, and 2021 was no exception.

These reports generally offer users the same advice: create stronger passwords to protect your online security. The advice is sound, but it is also time to acknowledge that years of repeating it have had little or no effect.

To make things better, I believe we should stop blaming individuals and instead place the onus on websites and services to encourage and enforce better “cyber hygiene.”

Of course, it’s easy to blame the users – after all, they’re the ones who make bad password choices. At the same time, it’s now well documented that people make these choices consistently and predictably. It is therefore reasonable to assume that, if nothing guides or restricts their choice, they will keep picking the same weak passwords.

Meanwhile, successive generations of users are not taught what a good password looks like, nor are they discouraged from making careless choices. It’s not difficult to find websites that will accept the worst passwords without complaint. It’s also easy to find websites that require users to create passwords but provide no guidance on how to do so, or sites that tell a user their chosen password is poor but still allow it.

How providers can improve

If you’re in charge of a website or service that accepts passwords like “123456”, “qwerty”, or “password”, it’s time to rethink your system. If you allow users to make poor decisions, they will come to believe that they are acceptable and will continue to do so.

Conversely, by implementing stricter checks, you can help address the issue at its root. Websites should have processes in place to filter out bad passwords – a “blacklist” (deny list) of commonly used passwords. Both the UK National Cyber Security Centre and the US National Institute of Standards and Technology recommend this, and NIST’s guidance (SP 800-63B) specifically says to compare a proposed password against lists of passwords that are commonly used or have appeared in previous breaches, and to reject it if it matches.

And, while guiding users at the time of password creation can be useful, sites should stop insisting on things that authoritative organizations such as the UK National Cyber Security Centre and the US National Institute of Standards and Technology now say should not be enforced. Both, for example, advise against mandatory complexity rules (requiring a mix of upper and lower case letters, numbers, and punctuation symbols), which in practice push users towards predictable patterns such as “Password1!” rather than towards genuinely stronger choices.

According to both organizations, increasing password length matters more than increasing complexity. Longer passwords are more resistant to brute-force cracking (in which attackers try every combination of letters, numbers, and symbols until one matches), and passwords without forced complexity are easier to remember. Length alone is not enough, though: a long but well-known phrase still falls to a dictionary attack, which is why the deny list and the length minimum have to work together.

Nonetheless, many websites continue to demand complexity and impose low maximum lengths, frequently rejecting perfectly reasonable passwords – including the long random ones that our browsers and password managers can generate for us.
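To make the guidance above concrete, here is a password-acceptance check written for this article as an added example; it is not code from the original piece nor from NCSC or NIST. It enforces a minimum length, permits long passwords, rejects anything on a deny list of common passwords (including trivially decorated variants such as “Password1!” or “P@ssw0rd”), refuses passwords containing the account name, and deliberately applies no complexity rule. The deny list and the sample passwords are constructed inline for illustration; a real deployment would load the list from a breached-password corpus. The decoration-stripping and leetspeak folding are my own assumption about which evasions are worth catching.

```python
"""Password policy check in the spirit of NCSC / NIST SP 800-63B guidance.

Added example for illustration: the deny list below is a constructed
handful of perennial "most popular" entries, not a real breach corpus.
"""
import string
import unicodedata

# Constructed deny list. In production this would be tens of thousands of
# entries (or more) taken from breached-password data.
COMMON_PASSWORDS = {
    "123456", "123456789", "qwerty", "password", "12345678",
    "111111", "iloveyou", "abc123", "password1", "letmein",
}

MIN_LENGTH = 8     # NIST SP 800-63B: user-chosen secrets are at least 8 chars
MAX_LENGTH = 128   # NIST: permit at least 64 chars; no "16 characters max" rule

# Assumption: common "leetspeak" substitutions users make to dodge a deny list.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """NFKC-normalize so visually identical Unicode forms compare equal."""
    return unicodedata.normalize("NFKC", password)


def deny_list_hit(password: str) -> bool:
    """True if the password, or a trivially decorated form of it, is common.

    Checks the lowercase password as typed, the same with leading/trailing
    digits and punctuation removed ('Password1!' -> 'password'), and that
    form with leetspeak folded back ('P@ssw0rd' -> 'password').
    """
    p = password.lower()
    candidates = {p}
    stripped = p.strip(string.digits + string.punctuation)
    if stripped:  # '123456' strips to '' -- keep the raw form only
        candidates.add(stripped)
        candidates.add(stripped.translate(LEET))
    return any(c in COMMON_PASSWORDS for c in candidates)


def check_password(password: str, user_context=()) -> tuple[bool, str]:
    """Return (accepted, reason).

    user_context: strings tied to the account (username, e-mail local part)
    that must not appear inside the password.
    Note what is absent: no upper/lower/digit/symbol requirement at all.
    """
    pw = normalize(password)
    if len(pw) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(pw) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    if deny_list_hit(pw):
        return False, "appears on the common-password deny list"
    low = pw.lower()
    for ctx in user_context:
        if ctx and ctx.lower() in low:
            return False, "contains the account name"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: the first three are exactly the kind of
    # choice a complexity rule would wave through and a deny list should not.
    for candidate in ["password", "Password1!", "P@ssw0rd", "123456",
                      "correct horse battery staple", "a" * 64]:
        print(f"{candidate[:32]!r:36} -> {check_password(candidate)}")
    print(check_password("alice-2024-passphrase", user_context=("alice",)))
```

Note that “Password1!” satisfies every conventional complexity rule and would be accepted by most sites that enforce one, while the 28-character all-lowercase passphrase would be rejected by them; the check above gets both cases the right way round.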

You may be wondering why this matters. Why should it be the provider’s problem if people choose weak passwords and put themselves at risk? One argument is that if a service is responsible for protecting users’ data (as providers are under GDPR), it makes little sense to let users leave themselves exposed through a weak password that the service could have refused.

It’s also worth noting that in some cases a single user’s weak password can give an attacker a foothold in the system from which to exploit other flaws and gain further access. It is therefore in the provider’s own interest to close off these opportunities, quite apart from the duty to protect other people’s data.

Passwords are not going away

Although there is a trend toward passwordless authentication, the name itself emphasizes the dominance of password-based methods. Their demise was predicted more than 15 years ago, but they are still alive. It’s safe to assume they’ll be with us for a while longer.

So we have a choice: take collective responsibility for getting the basics right – which requires action from both users and providers – or continue to shrug our shoulders and complain about user behavior.

The call to action is hopefully clear for those who provide and operate password-based systems, sites, and services: check what your site permits and see if it should do better. If it allows weak passwords to pass, either change it or do something to discourage users from using them.

If you’re a user reading this and want to know how to make better passwords, the UK National Cyber Security Centre has some good advice. This includes combining three random words to create longer but more memorable passwords, and saving your passwords in your browser to remove the burden of remembering a different one for every site. So, even if providers aren’t doing enough to protect you, there are some things you can do to protect yourself.

About the Author: Prak