Password security - A lost cause?
What all of these policy tweaks have in common is the desire for greater security.
Since modern password crackers became widely available at the latest, it has been possible to estimate quite accurately how long a brute-force attack will take for a given password length and a fixed character set.
The idea is simple: the longer and more complex the password, the longer the attack takes, and the more secure the password. That, at least, is the conventional wisdom...
Unfortunately, the problem is not that one-dimensional. By now it is clear that several other factors play a significant role in password security.
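To make the brute-force estimate concrete, the following Python is an added example written for this article, not code from the original post. It compares the keyspace and the expected cracking time of a few policy tiers. The guess rates are assumptions chosen for illustration (about 1e10 guesses per second for an unsalted fast hash such as NTLM or MD5 on a small GPU rig, about 1e5 per second for a deliberately slow hash such as bcrypt), and the policy names are invented labels.

```python
"""Brute-force cost of a password policy: charset_size ** length guesses.

Added example written for this article; it is not code from the original
post. Guess rates are assumptions chosen for illustration: about 1e10
guesses/s for an unsalted fast hash such as NTLM or MD5 on a small GPU
rig, and about 1e5 guesses/s for a deliberately slow hash such as bcrypt.
"""
import string

# Character-set sizes for typical policy tiers.
CHARSETS = {
    "lower": len(string.ascii_lowercase),                                    # 26
    "alnum": len(string.ascii_letters + string.digits),                      # 62
    "full": len(string.ascii_letters + string.digits + string.punctuation),  # 94
}

# Assumed attacker throughput in guesses per second, not measured figures.
GUESS_RATES = {
    "fast hash (NTLM/MD5 on a GPU rig)": 1e10,
    "slow hash (bcrypt)": 1e5,
}

# Policies to compare: (charset key, minimum length). Labels are invented.
POLICIES = {
    "8 chars, any printable ASCII": ("full", 8),
    "8 chars, letters+digits": ("alnum", 8),
    "10 chars, letters+digits": ("alnum", 10),
    "10 chars, lowercase only": ("lower", 10),
    "12 chars, lowercase only": ("lower", 12),
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return charset_size ** length


def expected_seconds(charset_size: int, length: int, rate: float) -> float:
    """Expected time to hit one password: on average half the keyspace is searched."""
    return keyspace(charset_size, length) / 2 / rate


def human(seconds: float) -> str:
    """Round a duration to the largest convenient unit for a table."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def compare(policies=POLICIES, rates=GUESS_RATES):
    """Return (policy, rate label, expected time) rows for every combination."""
    rows = []
    for label, (charset, length) in policies.items():
        for rate_label, rate in rates.items():
            t = expected_seconds(CHARSETS[charset], length, rate)
            rows.append((label, rate_label, human(t)))
    return rows


if __name__ == "__main__":
    for policy, rate_label, t in compare():
        print(f"{policy:30} {rate_label:36} {t}")
```

Two things stand out when the table is printed. Against a fast unsalted hash the classic 8-character, full-character-set policy falls in a few days, while the same password behind a slow hash holds for centuries; the hash function matters more than the special characters. And dropping the special characters costs about two extra characters of length: 10 alphanumeric characters or 12 lowercase letters already have a larger keyspace than 8 characters drawn from all of printable ASCII, whereas 10 lowercase letters do not.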
Good?
Recently, a trend toward more relaxed password guidelines can be observed: less so in terms of password length, more in terms of the required character set.
Some dismiss this as "less security-savvy"; I see something different here. Entering passwords with special characters on a mobile device is tedious, so policies increasingly ask only for characters that are easy to reach on a standard smartphone keyboard.
This decision makes even more sense when you consider the situation at the help desk.
Passwords that are hard to type on a mobile device cause a massive increase in user support effort. Relaxing the policy is one way to counteract that...
Too well-intentioned?
Research into efficient password cracking is very advanced.
Research on the step before that, the question of how we humans come up with passwords, has only recently begun to appear.
A recent study from the University of North Carolina concludes that forcing users to change passwords too often, and being too strict about it, is more likely to harm security than to help it.
This is because users tend to keep the "old" password with simple modifications: for example, they only change upper/lower case or append additional characters.
Against this background, researchers have developed procedures that try many common modifications of a known base password, and so reach the new password far faster than a brute-force search would.
Good enough?
In many security awareness courses, users are drilled to use different passwords for different accounts and to keep private and business credentials separate.
But people are creatures of habit, and reality looks different.
It must be assumed that many also use the same or similar passwords for their private accounts. A breach at a third-party provider or supplier thus suddenly becomes relevant to the company, especially if the passwords were stolen in plain text.
This hands attackers a large pool of base passwords, which they can simply try, with modifications, against the company's own logins.
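The following Python illustrates both the modification procedure from the previous section and the credential-reuse scenario above. It is an added example written for this article, not code from the original post or from any real cracking tool. The "leaked" plaintexts, the user list, the salts and the SHA-256 hashes are all constructed here, and the rule set (case changes, an incremented trailing digit, a handful of common suffixes) is a deliberately small stand-in for the rule files real crackers ship with. A real credential store should use a slow, memory-hard hash; that changes the attacker's speed, not the logic.

```python
"""Mangling attack: derive likely variants of leaked base passwords and
test them against a target's salted hashes.

Added example for this article, not code from the original post or from
any named cracking tool. All data below is constructed for illustration.
"""
import hashlib
import itertools

# Constructed: plaintexts from a fictitious third-party breach.
LEAKED = {"alice": "Sunshine7", "bob": "winter2019", "carol": "dragon"}


def _h(salt: str, pw: str) -> str:
    """Salted SHA-256, standing in for whatever the target store uses."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()


# Constructed: the company's credential store. Each user re-used the
# breached password with a small, policy-driven tweak; dave did not.
TARGET = {
    "alice": ("s1", _h("s1", "Sunshine8")),          # incremented trailing digit
    "bob":   ("s2", _h("s2", "Winter2019!")),        # capitalised + special char
    "carol": ("s3", _h("s3", "Dragon2023")),         # capitalised + year
    "dave":  ("s4", _h("s4", "unrelated-secret")),   # no leaked base: must survive
}

# Small constructed rule set: common suffixes and recent years.
SUFFIXES = ["", "!", "1", "123", "?"] + [str(y) for y in range(2015, 2025)]


def case_variants(pw: str):
    """Typical case changes users make when forced to 'change' a password."""
    yield pw
    yield pw.lower()
    yield pw.upper()
    yield pw.capitalize()
    yield pw.swapcase()


def increment_trailing_digit(pw: str) -> str:
    """'Sunshine7' -> 'Sunshine8'; unchanged if the password does not end in a digit."""
    if pw and pw[-1].isdigit():
        return pw[:-1] + str((int(pw[-1]) + 1) % 10)
    return pw


def mangle(base: str):
    """Yield distinct candidates derived from one base password."""
    seen = set()
    stems = set(case_variants(base))
    stems |= {increment_trailing_digit(s) for s in stems}
    for stem, suffix in itertools.product(sorted(stems), SUFFIXES):
        cand = stem + suffix
        if cand not in seen:
            seen.add(cand)
            yield cand


def crack(leaked: dict, target: dict) -> dict:
    """Return {user: recovered_password} for every target account whose
    hash matches a mangled variant of that user's leaked password."""
    found = {}
    for user, (salt, digest) in target.items():
        base = leaked.get(user)
        if base is None:
            continue  # nothing to derive from; brute force would be needed
        for cand in mangle(base):
            if _h(salt, cand) == digest:
                found[user] = cand
                break
    return found


if __name__ == "__main__":
    for user, pw in crack(LEAKED, TARGET).items():
        print(f"{user}: {pw}  ({len(list(mangle(LEAKED[user])))} candidates tried at most)")
```

Three of the four accounts fall after at most a few dozen guesses each, orders of magnitude fewer than the keyspace of even an 8-character policy, because the search space is no longer "all passwords" but "plausible edits of a password this person already used". Only the account without a leaked base password survives, which is the whole argument for unique passwords per service.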
All's well that ends well?
The example of passwords shows that security is not a one-dimensional technical matter. Technical decisions directly influence the other dimensions, people and processes.
A decision that makes a system more secure from a purely technical point of view may have a massive impact on those other dimensions, so that the security of the overall system suffers.
Do you really need the maximum-strength password with special characters for every service, or is authentication appropriate to the confidentiality of the data also "good enough"?
Or, looking at it the other way round, doesn't tinkering with the password policy merely address a symptom? In certain cases, two-factor authentication or biometrics might be the better answer.
Deciding how to protect which access depends on people, services, processes, and technical capabilities.
And that decision must ultimately be made after a risk assessment that takes into account more than just the technical dimension.
There is no general right or wrong here; decisions must always be seen in the context of the intended use and the appetite for risk. This applies to passwords just as much as to every other technique and process in IT security.