The Problem with Passwords
As anyone who has spent some time on the internet knows, websites like to force users to create short passwords—generally 12 to 20 characters at most—made up of difficult-to-remember gibberish. Different websites require very different formulations for passwords. Common criteria which websites mix and match include:
- Minimum and maximum password lengths
- Whether special characters are required (or even allowed at all)
- Whether numbers are required
- Whether capital letters are required
- Whether the password may include words from the dictionary
- Whether the password may include the username or the website’s name
The purpose of these restrictions is to help users create “strong” passwords, meaning passwords which are difficult for other human beings to guess. The wisdom behind this approach is doubtful, however, given that its premise is grounded in the fictional but well-established media trope that everyone uses simple, personally meaningful passwords which determined hackers can suss out using a modicum of psychological insight. (A modern-day Citizen Kane, for example, might have an intrepid journalist break into the late Charles Foster Kane’s laptop using the password “Rosebud”.) This dramatic romanticization of hacking is much more fiction than fact. Real criminals are more likely to employ mundane but brutally effective hacking methods which rely on sheer computing power to break into a system, and in that context, any password shorter than about 15 characters is simple to crack. Randall Munroe illustrated this issue in his webcomic, XKCD.
Unfortunately, we can’t fix websites’ bad password formatting policies, so let’s set that issue aside. Regardless of what format your passwords follow, the best practice is to use a different password for every single website. Otherwise, one compromised password will give intruders access to multiple accounts. However, given how impractical it is to remember dozens of passwords, most people use only a handful of unique passwords.
In short, we have a password system which makes passwords far too difficult for us to remember, but by reusing passwords across multiple important websites, we put ourselves at great risk.
Handling the problem
The single best way to slice through the Gordian knot of password chaos is to use a good password manager. A password manager is a database containing all of your passwords which is unlocked by a single master password. From the internet’s point of view, you have dozens of different, strong passwords, but from your own point of view, you only need to remember one password.
But isn’t it a huge risk to only need one password to unlock all of your other passwords? Not necessarily! Even if someone else somehow finds out what your master password is, they can’t use it to log into any websites directly. Because the only thing the master password does is open your personal password manager, that password is useless to an attacker unless they also have a copy of your complete password database file. If someone manages to get your master password, it’s sort of like a criminal in China or Russia obtaining a copy of the key to your house: unless they also know exactly where you live and have a practical way to get there, there’s no real harm done.
To be clear, it’s not a perfect security system, but it’s the best that anyone’s come up with so far.
Many cross-platform password managers can generate strong, random passwords for every website you visit and synchronize these passwords across all of your computers and mobile devices. Unfortunately, these comprehensive multi-platform solutions tend to charge subscription fees.
An alternative is to use a free, open-source program like KeePass, but setting up password syncing across multiple platforms can be complicated and require a lot of manual tinkering. For example, to use KeePass on both a computer and on an Android phone, you would need to follow these steps:
- Set up KeePass on the computer.
- Configure KeePass to save your encrypted password database in Dropbox.
- Use the Dropsync app to keep the encrypted password database file synchronized between your computer and your phone.
- Use the KeePassDroid app to unlock the encrypted password database to let you access your passwords on your phone.
These free solutions are perfectly doable, but they lack the “single step log-on” simplicity of a commercial solution.
Another positive habit for students to get into is using two-step verification. Basically, in a two-step verification system, in addition to providing a password, you provide some other proof that you are who you say you are. There are many ways to implement this kind of system. An ATM, for example, requires a password (your PIN), but it also requires a physical bank or debit card. Google has an opt-in system which requires you to enter your password along with a time-sensitive code which is sent independently to your phone. Other services, like Steam, use similar time-sensitive codes, but send them to your email address.
Of course, these two-step verification systems are not universally available. However, most popular websites and organizations—including Google, Apple, Dropbox, and many, many more—do have some kind of two-step verification system which users can opt into. The trick is taking the time to configure your account to use it! Most people don’t bother, and this puts them at an increased risk of hacking and identity theft.
The Quandary with Security Questions
Another “pain point” of current password systems is the use of security questions in two-step verification systems or in “lost password” situations. There’s nothing inherently wrong with security questions; the issue is that they’re often implemented poorly, and the user rarely gets to write his or her own question.
A good password security question should meet a number of criteria like the following:
- Almost everyone should be able to give an answer to the question.
- The question should have only one answer for a given person.
- The answer should be memorable.
- The answer should not change over time.
- The answer should not be trivial to guess.
A good example of a question which meets all of these criteria is “What was the surname of your first grade teacher?”. Other than the use of the phrase “first grade” (which might not have a clear equivalent across all cultural backgrounds), this question elicits a specific, consistent, and memorable piece of information.
Unfortunately, it seems like most websites still make you pick from bad stock questions like “Who is your favorite actor, musician, or artist?” or “What is your favorite book?”—questions which fail most of those criteria. The same person might answer these questions very differently from day to day, making it difficult to recall the “correct” answer to the security question.
Handling the problem
One way to circumvent the problem of bad security questions is to come up with memorable fake answers to common questions which you can use consistently from website to website.
For example, if a question asks you what your favorite food is, a reasonable fake answer would be “soylent green” or “popplers”. If a question asks what your favorite movie is, you could respond with the fake answer that “the book was better”. The trick here is that you need to actually remember your fake answers, so make sure you find them memorable and funny!
Unfortunately, many crucial factors in password security are out of our direct control. If a website doesn’t properly encrypt traffic between itself and your computer, or if it doesn’t follow password storage best practices like salting and hashing, there’s little you can do about it. That’s why an important cornerstone of digital citizenship is learning to pick up the slack and do whatever you can do to minimize your vulnerability to hacking and identity theft. If you use a secure password manager and have good strategies for handling websites’ bad security questions, you’ll be much better protected than most digital citizens.
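To make “salting and hashing” concrete, here is an added example (not from the original post) of how a well-run website should store a password: a random per-user salt and a slow scrypt hash, never the password itself. The scrypt cost parameters and the sample passwords are assumptions.

```python
import os
import hmac
import hashlib

# Assumed cost parameters: 2**14 iterations, 16 MiB of memory per hash. Slow on
# purpose, so that guessing billions of candidates against a stolen database is costly.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: bytes = None) -> dict:
    """Return the record a site stores: the salt (public) and the derived hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return {"salt": salt.hex(), "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest.hex(), record["hash"])


def unsalted_hash(password: str) -> str:
    """What the page calls bad practice: a fast, unsalted hash. Everyone who picked
    the same password gets the same hash, so one cracked hash unlocks all of them."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def salting_separates_users(password: str) -> bool:
    """Two users with the same (constructed) password get different stored hashes."""
    alice, bob = hash_password(password), hash_password(password)
    return alice["hash"] != bob["hash"] and alice["salt"] != bob["salt"]


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")  # constructed sample
    print("stored record:", rec)
    print("login ok:", verify_password("correct horse battery staple", rec))
    print("salted hashes differ per user:", salting_separates_users("hunter2"))
```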