Password policies gone wrong

Perfect is the enemy of good (Part 1)

Not a day passes without a new zero-day, a reported data leak, or a company temporarily shutting down due to a ransomware attack. All of this is garnished with the lingering threat of cyberattacks on critical infrastructure potentially bringing down entire countries.

So yes, information security is arguably pretty important right now and in the future.

This is why we are doing what we are doing. This is our motivation.

Many people in the infosec community live and breathe IT security. It’s our job but it’s also our passion. Which is a good thing, don’t get me wrong. However, we sometimes forget that not all people share this passion. Most people do not want to (and honestly should not need to) dedicate their lives to this cause. This is the problem. This is what this article series is all about.

Of passwords and policies

The year is 2004. In February, Facebook is born. Ukraine wins the Eurovision Song Contest for the first time. George W. Bush is re-elected. The Iraq War is raging on. In a dusty back office of a small and unknown institute named NIST, a publication is written with the resounding name of “NIST Special Publication 800-63” [1] that is about to change the world as we know it. Appendix A of this fateful document contained the infamous — nowadays partly dreaded, partly smiled at — commandments that should from now on lead the world: [2]

  • Thou shalt make thy password at least 8 characters long.
  • Thou shalt include a mix of uppercase and lowercase letters, numbers, and symbols in thy password.
  • Thou shalt not use easily guessable words or permutations of thy username in thy password.

Fast-forward nine years. The year is 2013. “password” isn’t the most common password any more. It has been dethroned by “123456”. Fast-forward another ten years. The year is 2023. We stopped the count. “123456” won.

So why is it, then, that in nearly 20 years of preaching password policies we could not convince the majority that these policies are not meant to pester and torment mankind but are actually necessary to achieve a reasonable level of security?

Most probably because password policies are inherently and catastrophically bad at conveying this message. The infosec community realized that; NIST realized that. “Why is that?” you might ask. Well, I can only assume, but I would suppose that most people just don’t want to keep a hundred plus random strings with letters, numbers and symbols rent-free in their head. So they don’t. Which is how it should be.

Password managers

The solution to this problem is using a password manager. Which you have most likely heard by now. But why aren’t more people using them?

One part of the problem might be that password managers oftentimes have horrible usability. Browser-based password managers lock you in and are bad if you want to use your password anywhere else. Cloud-based password managers are available everywhere, but you have to trust your provider not to lose (or sell) your data. And they cost money. Local password managers are by design local to one device. Which is a problem if you want to use more than one device. Manually syncing works, but let’s be real, how many tools should I need to get this basic thing right?

Another part of the problem is, however, how the infosec community provides information about password managers. Look above, I showed you three types of password managers and told you that they are all bad. Which they arguably are, but that was never the point. The point is, you will find problems in any type of password manager. And yes, it sucks when you find out through a leak that your data might not have been as state-of-the-art, military-grade encrypted as your vendor might have led you to believe. But that shouldn’t stop you, yet it will.

The plea

There are a few takeaways in here: First, use a password manager. Use whichever system you feel comfortable with. Use a paper notebook if you feel like it. Keep in mind, someone getting access to your password manager is bad. Yet, no one needing to get access since your passwords are your pet’s name anyway — sometimes ending in !1 for compliance — is worse.

Second — this is for infosec — yes, it’s our job to find problems and we will find them. Don’t stop there! Give a helping hand afterwards. Show your community what they should and what they shouldn’t do. Always keep in mind that they might not be like you. That they just want things to work without having to intervene on a daily basis. That they might not be able to fix something if it breaks. Don’t try to convert them! This is not vim vs. emacs. KeePass is not the way for the majority.

The best solution might not be the most secure solution. As much as we’d love it to be like that, most often this just isn’t how it goes. Pretty secure plus usable might need to get the job done. Make compromises. Adapt.

Originally, this was planned as a single article. However, we found that the topic is way too important to just skim over briefly. Therefore, since the article is already longer than we’d like it to be, we decided to split it. So it is a series now. Stay tuned 😊 — or directly continue with Part 2, it’s available now!

  1. The original publication can be found here

  2. The rules are found on page 52 of the publication. We might have spiced them up a bit. 🤷

Stefan Feuerstein

Managing director and co-founder

IT security likes to market itself with exaggerated scare tactics. Respect for the topic is important, but important decisions must not be driven by fear.

February 17, 2023