Should I stop using passwords?

Apr 26, 2024
When we were young, we had a clubhouse. To enter the clubhouse you needed to know the secret code. Only with this super secret special code could you get in.

Fast forward 30 years and we now have those super secret codes on everything from our phones to the doors of our cars. Only now we know them as passwords.

Passwords were a simple form of security, but as computers advanced and the information they contained became more critical, criminals became better at cracking them, so passwords adapted.

Now we have passwords that look like this: KLJD#2412.

It is really hard to remember KLJD#2412, so we write it on a sticky note and paste it on the monitor of the very machine we are trying to protect. Then it went a step further: we started letting the machines create the passwords, making them nearly impossible for the average human to crack, let alone remember.

After all these steps to protect ourselves, at the end of the day, we made it easier for our passwords to be hacked.

One thing that computers do better than humans is randomizing characters. Our brains are wired to work with things in an organized order.

One thing humans do subconsciously better than computers is organizing things into order. Our brains are configured to organize large strings of information into order. Most passwords contain 8 to 10 characters because that is what the human brain can handle without training when the characters are randomized.

So, after all this talk, how are the hackers getting my password?

As we work to make things more secure, we have inadvertently created a dictionary for hackers. Hackers then combine that dictionary with a program we refer to as a bot, short for robot. These bots run on their own; they learn and adapt to the measures put in place to stop them.

One thing they struggle with is passwords longer than 12 characters, as well as logical sequences or organized predictability.

Organized predictability is when a certain order is presented. Take spell check, for example. In a high school, or any environment with multiple users on the same machine, spell check can tell you a spelling is wrong because it doesn't match a dictionary. But if the users keep changing, it can't predict what you are trying to spell. That is why you get multiple choices for a word. When the same user types regularly, it can predict likely words. That is why most word processors nowadays have the user sign in: to increase their predictability.

In 2020, an organization called CompTIA, a collaboration of leading companies in various industries, did a study. The study concluded that we should move away from passwords and towards passphrases. This would leverage human strengths, minimize password dictionaries, and utilize characters that computers cannot calculate, which are just now becoming available to users due to this groundbreaking study.

The problem with passwords is that they are typically based on people’s lives and interests.

They also run 8 to 12 characters, which become difficult to remember and manage once we start meeting each system's password requirements.

Passphrases are typically around 14 to 25 characters, and in some instances, they can include spaces (a character that cannot be recognized by bots!).

An example of a passphrase would be "Somebody feed the dog." This passphrase uses 23 characters and is easy to remember. When pushed through a security checker, it would take 23 million years to crack with a supercomputer! If you tweak this passphrase and replace the e's with the number 3, it jumps to 319 million years. Some organizations require passwords to be reset regularly; this simple phrase can be reordered at least 15 times without repeating, making it easy to remember for those of us who are, well, ordering off the silver menu.

Is there still a place for passwords?

The answer is yes! Shared worksheets are one example. A password works in this environment because the worksheet has a finite life expectancy and shouldn't be reused except within the same group as the original.

Some final thoughts on the topic to answer a few questions.

What if my organization doesn’t allow the use of spaces?
We move on to special characters; typically underscores or dashes are used. We are still in the 20-character range, so the time to crack is exceptionally high!
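As an added example (not code from the original post) covering both the passphrase comparison above and the no-spaces fallback: a small Python script that estimates the brute-force search space of the post's own sample secrets at a constructed guess rate, and swaps spaces for underscores. The guess rate, the character-class model, the 14-character minimum and the function names are assumptions made for this example.

```python
"""Added example: brute-force search-space estimate for the post's samples.

Assumptions (not from the post): the attacker tries every string over the
character classes actually present, and the guess rate is a constructed
1e12 guesses/second. Dictionary attacks on common phrases can do far better
than this, so the result is an upper bound, not a promise.
"""
import math
import string

GUESSES_PER_SECOND = 1e12          # constructed assumption
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# (characters in the class, size of the class); underscore is punctuation
CLASSES = [
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, len(string.punctuation)),
    (" ", 1),
]


def keyspace_bits(secret: str) -> float:
    """log2 of the number of strings of this length over the classes used."""
    alphabet = sum(size for chars, size in CLASSES if any(c in chars for c in secret))
    return len(secret) * math.log2(alphabet)


def years_to_exhaust(secret: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Years needed to try the whole search space at the given guess rate."""
    return 2 ** keyspace_bits(secret) / rate / SECONDS_PER_YEAR


def no_space_variant(phrase: str, sep: str = "_") -> str:
    """Fallback for systems that reject spaces: replace each space with sep."""
    return phrase.replace(" ", sep)


def meets_passphrase_policy(secret: str, min_len: int = 14) -> bool:
    """Length check based on the post's 14-to-25 character passphrase range."""
    return len(secret) >= min_len


if __name__ == "__main__":
    for s in ["KLJD#2412", "Somebody feed the dog.", "Som3body f33d th3 dog.",
              no_space_variant("Somebody feed the dog.")]:
        print(f"{s!r}: {keyspace_bits(s):.0f} bits, "
              f"{years_to_exhaust(s):.3g} years, policy={meets_passphrase_policy(s)}")
```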

Why would anyone want to hack me?
The simple truth is that we are all stepping stones to someone else in the organization. No cog is too small to turn a bigger cog. Just ask MGM Resorts after their latest attack.