Your password is less safe than ever, but who's to blame?

Even a password manager won't save you. But it's not your fault.

Whether we like it or not, we have created and live in a cybersecurity structure held together by pieces of gum and string.

Only a generation ago "password security" meant not leaving your camel-cased password scribbled on a Post-It note stuck to your desktop computer for your work nemesis to find and a strong password looked like adding the year you were born to the end of your favorite song lyric. But today, things are a little more complicated.

In a study conducted between March 2016 and March 2017, Google found that 3.3 billion of its users' login credentials, such as usernames and passwords had been compromised in that year alone. A similar study conducted internally by Verizon in 2018 found that 70% of employees reused passwords at work and that "81% of hacking-related breaches leveraged either stolen and/or weak passwords." Curious if you've been hit? The website Have I Been Pwned will check if either your password or email address has been compromised in a data breach. To date, their catalog contains over 555,278,657 "pwnded" passwords and 9,319,713,483 "pwned" accounts. So... the odds aren't great.

But how did we develop such horrible password habits? In part, it might be a problem of accelerated scope and mental exhaustion.

While security concerns of the recent past may have been focused on protecting a small handful of private, offline documents from nefarious hackers guessing or stealing your password, the amount of private information protected today by passwords is staggering. Like a single guard facing a siege, often everything from your bank account number to GPS data logged by your fitness app is safeguarded by a single point of defense.

As Leader of the Centre for Security, Communications & Network Research at the University of Plymouth, Steve Furnell, tells Inverse, this divide of our mental attention can lead to poor password choice or password repetition.

"[W]hereas in years gone by people would have had passwords on just a few systems or devices, today they have them on tens (if not hundreds) of sites and services," says Furnell. "As a result, poor password selection and management has the potential to leave our data vulnerable in a far greater number of locations (and given that people often reuse passwords across multiple systems, there are more points of failure that can lead to an exposure.)"

This constant pressure to create new, unique passwords has ironically led many to create long, convoluted passwords they can't even remember--but that computers can still crack in a matter of days.

And just as the amount of information we need to protect has grown, so has the threat of infiltration. Our fear of individuals spying on us type in our passwords has been replaced by the less tangible fear of supercomputers guessing them by brute force. Despite our best efforts, it's often not a question of if your data will be hacked, but when.

These days we're typically taught password security two-ways: by teachers and guardians when we're young and by password strength meters we encounter in our daily lives. While these meters are, in theory, designed to help us "strengthen" our passwords, there's little consensus about what a strong password really look like, or how we should achieve it.

A big part of it, assistant professor and head of the mobile se­cu­ri­ty group at Ruhr Uni­ver­si­ty Bo­chum, Markus Duermuth, tells Inverse is that guidance on how to create a strong password has changed very little over the decades, despite the growing risk.

"These requirements looked good at the time, but nobody really checked"

"These requirements looked good at the time, but nobody really checked," says Duermuth. "There was no real data available and that was probably 30-years ago. And since then everybody just pointed to that first occurrence and said 'Well, they did it so it can't be too bad.' So [these guidelines] just became accepted without any real foundations."

These outdated requirements, like using lower and uppercase letters as well as digits and symbols in your passwords (not-so-lovingly called 'LUDS' based password in the security community) are not only drilled into us at an early age but are still reinforced today by the password strength meters found on many websites. But what might have passed security snuff in the 90s certainly does not today, Furnell, tells Inverse.

"[Password security is] a moving target. A password that is robust against brute force attacks today could be vulnerable tomorrow as the technology gets better or faster," says Furnell. "Also, the good practice guidance does change over time and based on experience – and in some cases the way that the meters is working is just not being adjusted to keep up (for example, rejecting long passwords that combine multiple words because they only use alphabetic characters). So, we essentially have legacy meters based upon legacy guidance."

"[Password security is] a moving target... [and] we essentially have legacy meters based upon legacy guidance."

But what exactly isn't working about these old-school password guidelines? As Furnell explains in his paper it has to do with the password's entropy (or, unpredictability) and how well a password meter actually interprets it. Furnell explains that a universally poor password, like "Password1!" would achieve a 65.7 bit entropy score based on the length of the password and the number of possible characters used. However, many password meters writes Furnell, would score a random password like "w#nA2o%dof" the same despite being much less common and not including an easily guessed dictionary word like "password."

So, if it's too time-consuming and mind-reeling to concoct and remember different, unique passwords for all of our accounts, we should just get a password manager, right? Maybe not, Duermuth tells Inverse.

"I think it's a very reasonable approach, [but] it's not the one ideal approach that everybody must use," Duermuth tells Inverse. "There are some disadvantages from a more technical viewpoint. One of the problems is that you're introducing a single point of failure. So, if something goes wrong with your vault then you're screwed, basically, on all accounts."

Skepticism aside, Duermuth does admit that password managers can be a good option in some cases, primarily if the vault's password (the password to rule them all, if you will) is generated by the manager itself instead of made-up by the user.

Ultimately, when it comes to better protecting our passwords, both Duermuth and Furnell tell Inverse that more emphasis needs to be put on these companies themselves to build stronger infrastructure than on individuals to try and out-think the system.

"If we are going to insist upon passwords being used, then it is only fair (and arguably common sense) to support people in using them properly," says Furnell.

Two-factor identification is a well known (if not always well-used) gold standard of increased security infrastructure, but Duermuth tells Inverse future infrastructure should go even further with something called "risk-based authentication."

"Risk-based authentication looks at further contextual features," Duermuth tells Inverse. "So when a user logs in to your website, the website not only looks for username, password -- but of course that as well -- but additionally they're looking at where does the connection come from? Which IP? Which country? Which machine? What are the typing dynamics, touchscreen dynamics, mouse movements? That contextual information [is used] to classify what is a likely a legitimate login and what is likely an attack."

And, while biometric information like face, iris, and fingerprint scans aren't very secure on their own, these too could be used in tandem to create a robust, multi-factor data-driven image of us. And perhaps stave off being pwned a little bit longer.

Related Tags