The OpSec Blog

Security and privacy information and advice at home and abroad.

5 Reasons Why Passwords Don’t Work


Passwords have become ubiquitous.  We can’t get away from them, as security systems have come to depend on them as an authentication/access control method.  However, the password system is an exceedingly poor method of securing anything.  Here are five reasons why passwords are a poor security method.

1. Good passwords are hard to remember. It’s a simple fact that the canonical “password” password is a lot easier to remember than “X8!^djDm=§”.  At the end of 2009, Twitter released a list of 370 passwords they had banned from use in their service due to commonality.  Are any of your passwords listed?

Furthermore, the most common effort to remedy this problem creates further disincentive to make good passwords.  You’ve probably dealt with the frustration of inane password requirements like a certain number of upper case characters or special symbols. Policies like these frustrate users and lead to other problems like those below.

(Here’s another list of commonly used passwords.)

2. Passwords get reused. How many unique passwords do you have?  If 100% of your daily passwords are unique, you are certainly in the minority.  When people start re-using passwords and e-mail addresses for more critical things like banking and e-mail, this presents a real problem.

3. Passwords are too easy to bypass. No, I’m not talking about the type of “hacking” incident that lives in the public mind, but rather the mundane features in practically every software application that do an interloper’s work for them.  Every major browser offers some sort of password “autofill” feature.  Nearly every website offers cookies that save you the trouble of providing your login credentials every time you want to access that site’s content.  Yahoo’s “Keep me signed in” option, for example, keeps your account logged in for two weeks!

Yahoo’s “Keep Me Signed In” keeps your machine logged into your account for 14 days.

4.  Good passwords get written down and stored in the clear. Part of my job involves going through an office space and inspecting work areas for information that could be used to compromise our networks.  Passwords get written down and “hidden” to every extent possible: Post-it notes under the keyboard, out-of-place newspaper clippings containing the password in question, and my favorite, a password written in such a way that it could only be seen from an extreme off-center angle, kind of like the skull in Hans Holbein’s “The Ambassadors.”

5. Passwords are easily forgotten. This basic fact leads to several problems.  On the business side, this leads to a loss in productivity.  Not only is the user unable to access essential resources, but the reset also demands further resources of the IT person charged with resetting the password.  Large corporations often have dedicated extensions for password resets.  For an average user, a forgotten password often leads to a series of security questions that are often incredibly easy to guess or find out through social networks.

None of the reasons above change the reality that passwords are here to stay.  Hopefully you have avoided the bad habits listed above.  Next time I’ll take the opposite side and give 5 reasons why passwords are indispensable.

Written by OSB

17/02/2011 at 21:55

Posted in Security


One Response


  1. […] have been saying for years that passwords, as a concept, need to go away. As implemented, passwords don’t work, and the ludicrous “complexity” requirements imposed by many companies are little more […]
