Why (almost) everything we told you about passwords was wrong
I have an embarrassing confession to make: I reuse passwords.
I am not proud of it, but honestly it’s a relief to finally get it off my chest. I am not a heavy re-user, nothing crazy, I use a password manager to handle most of my credentials but I still reuse the odd password from time to time.
It’s embarrassing to admit because recommending that users use unique passwords for each of their accounts is part of my job, and with good reason: Password reuse leads to credential stuffing, a form of automated attack where cybercriminals use lists of passwords stolen from one website to break into other websites. Credential stuffing attacks are large, automated, and persistent, and they are so successful that they happen almost constantly.
It seems obvious and important therefore to tell users not to reuse passwords. But telling them to stop doesn’t work and it never has. It doesn’t even work on me.
Why not?
I believe the reason is that for years we’ve been misdiagnosing the problem we thought we were solving. Consequently, we treated password reuse as a form of misbehavior that could be corrected rather than seeing it for what it is—a rational response to an impossible situation.
As computer and internet use exploded over the past forty years, the number of passwords each of us must remember has climbed precipitously.
The companies that make password managers are in broad agreement that we’re currently averaging a little less than 100 passwords each. Dashlane said its users have about 90 passwords; NordPass puts the figure at 70-80; and LastPass says it’s 85 passwords for employees of SMBs, and 25 passwords for people working in enterprises.
Me? I’ve got 742, and I’ve used 200 in the past year.
It simply isn’t possible to remember that many passwords, and the number of passwords we need to know probably exceeded the number we can remember decades ago.
In 2012, a group of researchers gave us a big clue about how small our capacity for remembering passwords is by looking at how often users forgot theirs, or got them mixed up. 84 percent of users with 7-9 passwords reported problems, and there was a precipitous decline in recall between users remembering 1-3 passwords and those remembering 4-6.
The sense that we can, at best, remember just a handful of passwords is reinforced by more research from 2018. In this study the participants had just 13 accounts each. Despite this relatively modest number, 91 percent resorted to password reuse, choosing to service their accounts with an average of 5.8 passwords each.
It was a snapshot of what had happened everywhere.
In the face of an ever-growing gap between the number of accounts and the number of passwords they could remember, users did the only things that made sense: They made their passwords weaker, so they were easier to remember; they wrote them down; and they reused them.
The collective response of the security community was to tell them to STOP: Don’t write them down; stop making them simpler; stop reusing them; and by the way please make every password a mixture of no fewer then fourteen uppercase, lowercase and wacky characters; oh, and please change your impossibly complex password for a different impossibly complex password as often as you change your underwear.
We should not have been surprised when we were completely ignored.
Nevertheless, we persisted for years. Some of the advice got better, but the bits about making strong passwords and not reusing them didn’t change even though password reuse remained endemic, and every data breach brought further evidence that users remain firmly wedded to very bad password choices.
Several years ago, experts at Microsoft Research and Carleton University, Canada did the math that explains what’s going on.
According to their calculations, a conscientious user with 100 unique, random passwords would have to perform an impossible feat of memory—the equivalent of remembering 1,362 random digits, a task that “far exceeds what users can manage by memorization”. You don’t say.
Many users’ first instinct is make their passwords easier to remember, which makes them less secure. It helps, a bit, but it doesn’t come close to turning a 100-password portfolio into something a normal human can manage.
One of the “Eureka” moments in the research is that users don’t just have to remember their passwords, they have to remember which password goes with which account. Just that task alone is more difficult than remembering the order of a shuffled card deck.
No amount of weakening your passwords can overcome that. The only strategies that work are writing passwords down or reusing them.
One weird trick to improve your passwords
You may be reading this thinking that the answer to all of this is to use a password manager—a piece of software that can generate strong passwords and remember them for you.
Password managers are a potential answer to this problem, and advocating for them has been an important piece of security advice for several years now. However, despite all that advocacy only about 20% of us use one and almost half of us still don’t know what a password manager is. Teaching users to be better users is a long game.
More worryingly, buried deep within a 2016 password reuse study is the startling conclusion (with some caveats) that “third-party password managers do not significantly reduce password re-use across websites.” This probably requires more study, but from a personal perspective I can say that having a password manager has certainly helped my reuse problem, although it has not eliminated it.
But that isn’t password managers’ only trick: They can still generate strong passwords, and that’s good, right? Yes, it is, but we may have been seriously overestimating the importance of them.
In 2019, Microsoft’s Alex Weinert wrote that “When it comes to composition and length, your password (mostly) doesn’t matter.” And he’s not alone in believing that. Password strength just isn’t a factor that affects your security most of the time.
A strong password won’t protect you from a credential stuffing attack, phishing, or keylogging malware, for example.
Avoiding the most common form of attack—password spraying—where attackers use very short lists of very common passwords against lots of targets, requires only that you don’t use one of the 50 worst possible passwords (things like qwerty and 123456). You can have a very bad password indeed and still be safe from everything I’ve mentioned above. A modest password of just six characters or so will protect you from almost any kind of brute force attack conducted across the internet.
The only situation where password strength really matters is in an offline brute force attack where an attacker uses specialist hardware to crack the contents of a stolen password database. These attacks are very rare, but they are the reason you are asked to concoct 14-character masterpieces of uppercase, lowercase and wacky characters.
Solving the difficult edge case of offline password cracking by demanding all users create vastly more complex passwords than they otherwise need, either in their own head or with a password manager, seems like tilting at windmills. Defending against determined and well-resourced adversaries is a job for experts. We should be taking on the burden of defending against these attacks with better password management and storage rather than by demanding better users.
We need to stop and think about all the things we’re asking users to do. The more rules we offer, the less likely people are to follow any them. And the more rules we offer that subsequently turn out to be counterproductive, such as demanding regular password resets, or valuing special characters over adding more characters, the more credibility we burn.
If we’re going to spend time advocating for a change in behaviour, we should probably pick one thing. And there is something that can make an enormous difference to password security, without users needing to worry about what passwords they use, where they store them and how often they use them: Multi-factor authentication (MFA).
The simple act of having to type in a code from an app alongside your password is a game changer—it kills credential stuffing, password spraying and brute force attacks stone dead.
Weinert: “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA.”
Even better, while we can advocate for users adopting MFA where it’s available, we aren’t reliant on them listening. The most important thing is to persuade organizations, or better yet groups of organizations or even legislators, that it’s important. When that happens, users are just along for the ride.
So, from now on, my password advice is this: If you have time and energy to spare, find somewhere you’re not using MFA and set it up. If you do I promise never to nag you about how weak your passwords are or how often you reuse them ever again.