At some point, security experts frantically scrambled to figure out a way to protect the masses online from ever more sophisticated hackers. See, hackers have been getting more daring as their skill sets have improved over the years. Security experts crunched the numbers and saw one way we could reduce our chances of getting hacked: passwords. Strong ones.
The logic of using stronger passwords is supported by the math. If the goal is to make it harder for hackers to guess your password through brute force, the longer it is, the better. Making it complex by using both lowercase and uppercase letters, numbers and special characters (like !@#$) makes it that much harder to ‘guess’ it by brute force.

A simple graphic by Security.org, via Statista, shows that an 8-character password with lowercase letters only would be cracked instantly, while an 8-character one with an uppercase letter, number and special character would be cracked in 8 hours. That shows 8 characters is simply too short in 2022.
12 characters with an uppercase letter, number and special character would need 34,000 years to be cracked.
It should be mentioned that as computers gain in power, these times will be reduced. So get ready to be told your 18 character password is too short in a few years’ time.
Of course the public accepted this sound advice, to an extent. We started by adding ones and twos to our names but eventually came up with properly complex passwords. We had no choice, the security guys mocked our ‘weak’ efforts and forced us to come up with stuff like !CH0_ch1b@b3$T. We thought that was that but we had given security experts an inch and they wanted the whole mile.
Forced password changes
Suddenly, they decided it wasn’t enough to have the long, strong, complex password. You needed to come up with a new long, strong, complex password every so often. This is where they lost us. I hate this security policy, I hate it with all my being. I am not the only one who has strong negative feelings about it, and the research shows it.
On paper, it makes sense to think changing your complex password regularly would improve security. That is if we ignore human behaviour and even the limits of the human brain.
As it is, forcing me to remember a 15 character string with uppercase letters, numbers and symbols is a heck of an ask. Especially when it’s a password I only have to input once in a while. Which is reality for most people as we keep our accounts logged in until something goes wrong.
Further asking us to come up with and remember new complex passwords every other month is, frankly, asking for too much. Turns out when they forced us to do this, we all ended up either just adding a 1 at the end or writing the password in a diary.
Human behaviour cannot be conquered
So, their security measure is meant to make historical password information useless (which doesn’t materialise because users will only add a 1 to their existing complex passwords and hackers know to try that first), create a moving target for hackers and force users to think about security. Instead:
- It means users will re-use passwords from other accounts. Can’t expect them to have different 15 character combinations for each and every account they have.
- Users will forget passwords
- To make sure they don’t forget again, they will write the passwords down
- And to doubly make sure, they will use weaker passwords, which could just mean adding a 1 to the current one
All this defeats the purpose of the security measures.
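The "just add a 1" habit can be measured at change time, when a service briefly holds both the current and the new password. The sketch below is an added example, not from the original article; the function names, the substitution table and the similarity threshold are assumptions, and the rotation history is constructed around the sample password quoted earlier.

```python
import re
from difflib import SequenceMatcher

# Substitutions people use to look "complex" (an assumed, non-exhaustive set).
_LEET = str.maketrans("013457@$!", "oieastasi")
SIMILARITY_LIMIT = 0.85  # assumed threshold for "basically the same password"

def core(password: str) -> str:
    """Reduce a password to the part the user actually memorised."""
    p = password.lower()
    # Drop leading/trailing digits and symbols: the usual place for the added "1".
    stripped = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", p)
    # A password with no letters has no core to anchor on; compare it as typed.
    return (stripped or p).translate(_LEET)

def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with cosmetic changes."""
    a, b = core(old), core(new)
    return a == b or SequenceMatcher(None, a, b).ratio() >= SIMILARITY_LIMIT

def audit_rotation(history):
    """For each forced change in a history, report whether it was a trivial variant."""
    return [is_trivial_variant(prev, cur) for prev, cur in zip(history, history[1:])]

# Constructed rotation history for one user: four forced changes.
HISTORY = [
    "!CH0_ch1b@b3$T",
    "!CH0_ch1b@b3$T1",
    "!CH0_ch1b@b3$T2",
    "!Cho_chibabest#3",
    "correct horse battery staple",
]

if __name__ == "__main__":
    for (prev, cur), trivial in zip(zip(HISTORY, HISTORY[1:]), audit_rotation(HISTORY)):
        print(f"{prev!r} -> {cur!r}: {'trivial variant' if trivial else 'new password'}")
```

Three of the four forced changes in the constructed history leave the memorised core untouched, which is the behaviour the list above describes.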
Why researchers no longer recommend forced password changes
The benefit of frequent changes is suspect. The fear is that passwords might be stolen (not necessarily brute forced) and an unauthorised user might gain access to a system or account. The question then becomes how likely is it that passwords will be stolen? The probability is low for most accounts. The chance of most users being brute-forced is low too and in any case people are using the complex passwords they made us use.
Then again, even if the chance that the password will be stolen is high, there are limited advantages to having users change passwords every 60 days. The hacker would have had weeks of access and harvested all the data they could handle by that point. If we really fear the passwords will be stolen, shouldn’t they be changed daily, or even multiple times a day? To allow for 60 or 90 days of unauthorised access is stupid.
We can’t ask users to change passcodes daily, except in places like militaries, because we introduce that problem of people choosing weaker passwords they can remember or writing them down where they can be stolen. So, we might as well try other ways to make sure they are not stolen. Not the half measure that is a 60 day expiration.
We do know too that in the event of actual security breaches, mandatory password changes are requested immediately. Then what benefit does the 60 day enforced change have? If you are going to tell me to change my password because it has been compromised, the regular changes were for nothing.
The cost of forgotten passwords
People forgetting their passcodes presents its own challenges. It leads to frustration for users, added work for system admins and all of that for questionable benefits.
We mentioned the waste of money and time. In dollar terms, large US companies allocate $1 million a year for password-related support costs, with a single password reset costing about $17.
You can imagine how a company like Econet with millions of subscribers would need a larger customer support staff. Especially when you consider that between 20% and 50% of all IT help desk calls are for password resets, each taking anywhere from 2 to 30 minutes to fix.
No wonder even Microsoft decided the disadvantages of forced password changes probably outweighed the benefits.
What to do instead
There will be no perfect solution but here’s what experts are saying these days:
- Monitor logins to detect unusual use
- Notify users when attempts have been made to log in to their accounts, and let them disclose if it was them
- Notify them when their passwords have been changed
- Use multi-factor authentication
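A small sketch of the first three recommendations, run over a handful of login events. This is an added example, not from the original article; the event format, the thresholds, the user name and the addresses (taken from the documentation IP ranges) are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAIL_LIMIT = 3                        # assumed: failures that trigger a notice
FAIL_WINDOW = timedelta(minutes=10)   # assumed: window the failures must fall in

# Constructed sample events (not real data): time, user, event, source IP, device.
EVENTS = [
    ("2022-11-01T08:00:00", "tendai", "login_ok", "198.51.100.7", "laptop-1"),
    ("2022-11-02T08:05:00", "tendai", "login_ok", "198.51.100.7", "laptop-1"),
    ("2022-11-03T02:10:00", "tendai", "login_fail", "203.0.113.50", "unknown"),
    ("2022-11-03T02:11:00", "tendai", "login_fail", "203.0.113.50", "unknown"),
    ("2022-11-03T02:12:00", "tendai", "login_fail", "203.0.113.50", "unknown"),
    ("2022-11-03T02:20:00", "tendai", "login_ok", "203.0.113.50", "phone-9"),
    ("2022-11-03T02:21:00", "tendai", "password_changed", "203.0.113.50", "phone-9"),
]

def monitor(events):
    """Return (timestamp, user, notice) tuples to send to the account owner."""
    known = defaultdict(set)     # user -> (ip, device) pairs accepted as normal
    fails = defaultdict(deque)   # user -> timestamps of recent failed logins
    notices = []
    for ts, user, kind, ip, device in events:
        now = datetime.fromisoformat(ts)
        if kind == "login_fail":
            recent = fails[user]
            recent.append(now)
            while now - recent[0] > FAIL_WINDOW:   # forget failures outside the window
                recent.popleft()
            if len(recent) == FAIL_LIMIT:          # notify when the limit is reached
                notices.append((ts, user, f"{FAIL_LIMIT} failed logins from {ip}: was this you?"))
        elif kind == "login_ok":
            pair = (ip, device)
            if not known[user]:
                known[user].add(pair)              # first successful login sets the baseline
            elif pair not in known[user]:
                # Unusual use: not trusted here; a real service would add the
                # pair to the baseline only after the user confirms it.
                notices.append((ts, user, f"new sign-in from {ip} on {device}: was this you?"))
        elif kind == "password_changed":
            notices.append((ts, user, "your password was changed"))
    return notices

if __name__ == "__main__":
    for notice in monitor(EVENTS):
        print(*notice, sep=" | ")
```

On the sample events the owner gets three notices within eleven minutes of the first bad attempt, rather than waiting for a 60-day expiry to cut off access.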
That’s it. Hopefully this annoying password reset issue will be a thing of the past when we take stock this time next year.
What’s your take?