A friend of mine recently received his new electric vehicle, full of all the expected modern experiences and connectivity. So of course he needed to set up yet another online account with its own username and password. He was kind enough to share his experience with his fellow IDPro members in our Slack channel, and the discussion was spirited! (If you’re not already a member of IDPro, sign up today and join the discussion! Our Slack space is a wealth of valuable information and gives you access to people with some of the deepest IAM experience on the planet.)
First off, it was nice to see that the vendor has put a priority on providing its customers with a “convenient and safe digital experience.” Kudos to them! To that end, they provided some password advice. I’ll share their recommendations in just a moment, but before I do, let me just share that opinions on the efficacy of these six suggestions vary. Widely. To quote my friend, “4 of these are great advice, 1 might be okay advice, and the other is folklore advice”. See if you can identify which is which!
The vendor suggested that passwords should, and I quote:
- Be at least 12 characters long. The longer your password, the better.
- Use uppercase and lowercase letters, numbers and special symbols
- Not contain obvious keyboard paths e.g. 12345qwerty
- Not be based on personal information such as your birthdate or name
- Be unique for each account you have
- If possible, be generated and stored with the help of a password manager.
So, let’s take a look at these. At first blush, they all seem like good advice. And certainly the more technical folks among our readership are going to have no problem with them. But then, it’s not just the techies who buy modern vehicles with online features. So we need advice that’s good for everyone.
Number one: This is good advice. Yes, we’re all concerned about password cracking, and longer passwords are harder to crack: every extra character multiplies the number of guesses an attacker has to make in an offline attack, and length buys far more than swapping in a symbol or two does. Longer passwords are also harder to guess outright or to discover through social engineering. So, I’m good with this one and so were my colleagues in IDPro. In fact, a phrase you can remember is a good idea here because it results in a longer password. I’ll just drop an xkcd link here…
Number two: Yes, it’s conventional wisdom, but it isn’t nearly as helpful in increasing security as number one. Worse, a required mix of character classes makes passwords harder to remember, which leads people to write them down, and none of us think that is desirable. To quote a fellow IDPro member I deeply respect, a better #2 might be “You can use any characters in your password, including symbols and spaces.” He went on to elaborate that “we don’t want systems to limit the input, but we also don’t want them to require it.”
Number three: Per my IDPro colleagues, it would be better to stop these lame passwords with a password blocklist checked at the moment the password is set. i.e. Rather than telling people not to do that, just don’t let them in the first place. If they try to use such a password, the system should “Just say NO!” The same goes for the other things we ask users to avoid: the system is in a far better position to enforce the rule than the user is to remember it.
Number four: Yup. Solid advice.
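To show what “Just say NO!” looks like on the system side, here is an added example (my own illustration, not the vehicle vendor’s code or anything IDPro publishes) that enforces recommendations one, three and four at password-creation time and deliberately drops recommendation two: any characters, including spaces and symbols, are allowed but none are required. The blocklist, the keyboard rows, the five-key run threshold and the account profile it checks against are all constructed for the example; a real deployment would load a blocklist of millions of breached and common passwords rather than nine entries.

```python
import re

MIN_LENGTH = 12   # recommendation 1: at least 12 characters
PATH_RUN = 5      # five or more adjacent keys along one row counts as a keyboard path

# Constructed blocklist for this example only. A real deployment would load a
# large list of breached and commonly used passwords, not a handful of entries.
BLOCKLIST = {
    "password", "password1", "12345qwerty", "qwerty123456", "letmein",
    "iloveyou", "welcome1", "changeme", "123456789012",
}

# US QWERTY rows, used to generate the "keyboard path" fragments (recommendation 3).
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]


def keyboard_path_fragments(run=PATH_RUN):
    """Every run of `run` adjacent keys along a row, read in either direction."""
    fragments = set()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - run + 1):
                fragments.add(seq[i:i + run])
    return fragments


PATH_FRAGMENTS = keyboard_path_fragments()


def contains_keyboard_path(password):
    p = password.lower()
    return any(frag in p for frag in PATH_FRAGMENTS)


def personal_forms(term):
    """Forms of a profile value that tend to show up in passwords: the value
    itself, the value with punctuation stripped, and any run of 4+ digits
    (so the year survives from a birthdate written as 1980-04-12)."""
    t = term.lower()
    forms = {t, re.sub(r"[^a-z0-9]", "", t)}
    forms.update(re.findall(r"\d{4,}", t))
    return {f for f in forms if len(f) >= 3}


def contains_personal_info(password, personal_terms):
    """recommendation 4: personal_terms come from the account profile (name, birthdate...)."""
    p = password.lower()
    return any(form in p for term in personal_terms for form in personal_forms(term))


def check_password(password, personal_terms=()):
    """Return the list of reasons a candidate password is rejected.

    An empty list means the password is accepted. There is deliberately no
    composition rule: spaces and symbols are allowed but nothing is required,
    so a long passphrase passes on length alone.
    """
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if password.lower() in BLOCKLIST:
        reasons.append("on the blocklist")
    if contains_keyboard_path(password):
        reasons.append("contains a keyboard path")
    if contains_personal_info(password, personal_terms):
        reasons.append("contains personal information")
    return reasons


if __name__ == "__main__":
    profile = ["Alex", "Rivera", "1980-04-12"]   # constructed account profile
    for candidate in ("12345qwerty", "Alex Rivera 1980!!", "correct horse battery staple"):
        print(repr(candidate), "->", check_password(candidate, profile) or "accepted")
```

Two design points worth noticing. The keyboard-path check uses runs of five keys rather than four because four-key runs such as “erty” appear in ordinary words (“liberty”) and would reject good passphrases. And the personal-information check is fed by the account profile the system already holds, which is exactly why the system, not the user, is the right place to enforce the rule.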
Number five: I like this one. It really limits the blast radius if someone manages to steal one of your passwords. If you’re using the same password on Facebook, Amazon, your online bank, and other obvious targets, and someone gets it, you have to know they’re going to hit all those sites as quickly as possible to do the most damage; replaying a stolen username and password against every other popular site is routine, automated attacker behavior. Having different passwords provides protection.
Number six: So, if you buy into #5, you’re going to need #6 to make your life manageable. No one can remember all those passwords. Seriously. The modern world is insane with accounts and passwords. In the course of writing this article, I did a quick count in my password manager and it’s over 300 unique accounts and passwords. Obviously, I need to simplify my life, but until I do, I need my password manager.
One closing tip from me. Password managers can help bring order to your digital life and limit the potential damage of any one compromised password, but they also rely on a password. If you do use a password manager, please please please make sure you enable its MFA features! That password is the key to your life, so make sure it’s protected by MFA. And the advice above applies doubly to your password manager’s own password: make it long, make it unique, and keep your name and birthdate out of it. Lastly, use MFA everywhere it’s available until we can get to something better than passwords for all these online services that dominate our lives.
Greg Smith
Chair, IDPro Editorial
Radiant Logic
Greg Smith is a Solutions Architect with Radiant Logic. He has been implementing Identity & Access Management solutions for over 35 years. He holds BSEG and MSBA degrees from Bucknell University, where he also began his professional career before moving into the pharmaceutical industry in 1996. Following a 25-year career there, he recently retired from Johnson & Johnson, where he led the engineering team for J&J’s single sign-on, risk-based authentication, multi-factor authentication, access governance, directory synchronization and virtualization, provisioning automation, and PKI services. He has spoken at Identiverse® and other industry events on numerous occasions. He was recently CIDPRO™ certified and is also a founding member of IDPro, where he currently chairs the editorial committee.