Passwords are Dinosaurs
Let’s face it: passwords have become part of the cybersecurity problem. That sounds contradictory, as passwords are supposed to help keep things safe, but it’s true. Passwords are the seed of a good security idea, but human nature and counterproductive password practices have turned passwords into a hinderance instead of a help.
Having a password associated with a user name as a method of unlocking something makes sense – it’s two pieces of information needed before access is granted. However, the password practice has been diluted and muddied by human nature getting in the way. For a password to work well, two things must happen: it has to be difficult to figure out and the user has to remember it. In theory, it’s still a sound concept.
Duplicated Passwords are Hazardous
One thing that compromises the efficacy of passwords is the quantity of passwords you need to remember (everything has one, it seems). We’ve been instructed to come up with long passwords that are a combination of letters and numbers (and symbols, sometimes). What happens is this: the more passwords you are required to create, the greater the likelihood you’ll duplicate passwords so you have fewer to remember. Plus, some companies require passwords be switched every X-number of days. In Special Publication (SP) 800-63B, the National Institutes of Standards and Technology (NIST) explicitly states that administrators, “SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).” The NIST warns against this practice because the more someone has to change passwords, the more likely they are to use duplicated passwords to be able to remember them all.
A duplicated password instantly compromises every account for which you use it. A hacker just needs to figure out one, and the rest will fall. Same goes for password hints and security questions: they often duplicate which is anathema to having distinct, one-use-only passwords (indeed, these sorts of question were dumped as of 2017 from NIST’s Special Publication (SP) 700-63).
Also, keep in mind a person isn’t doing the actual work in deciphering your password – a computer is. As deftly illustrated in this classic xkcd comic by Randall Munroe, we’ve been trained to create passwords that are hard for humans to remember and easy for computers to figure out. This xkcd comic also serves as a fantastic segue for what passwords should evolve into: passphrases!
Use Passphrases Instead
Passphrases are like passwords but stepped up to the next level. Passphrases are a bunch of words put together. It can be a full sentence with spaces or it can just be a collection of words. To get a good passphrase, all you have to do is pick some words. Like Star Wars? Perhaps a passphrase like ForceGreedoWookieeYodaB-Wing is good for you. Think about how much easier that is to remember than something like R4ffead56!!#. It’s more memorable because the words in the phrase mean something to you and can effortlessly be visualized. This makes it easier for you to remember and harder for a computer to figure out.
Now, you still must follow a few guidelines. Just like you shouldn’t use the same password for everything, you also shouldn’t use the same passphrase for everything. Try mixing up your topics based on what the passphrase is for. For example, if you are looking to create a passphrase for your work network, perhaps you mash together your favorite things in the kitchen: CheetosWaterScoobysnacksSkeleton. Again, these are things your mind has associations with, so it won’t forget them.
To answer the question used for the title of this article: yes, let passwords go extinct. Use passphrases instead. ‘Is that it, then?’ you ask. ‘Just use passphrases and we’re good?’ Of course not. The next step is multi-factor authentication . . . but that’s another story for another time.