Please stop giving bad password advice

Today’s columnist, Patrick McBride of Beyond Identity, says security pros should celebrate World Password Day today by dedicating themselves to eliminating passwords. (Getty Images)

Another day, another breach, and another round of advice by “security experts” and government spokespeople about how to make passwords safe. Let’s just cut to the chase. There’s no way to make passwords safe. Full stop.

So as we arrive at World Password Day this year, instead of giving advice to our customers, colleagues, and families on how to make passwords “safe,” let’s endeavor to eliminate passwords altogether.

Compromised passwords are cited, year in and year out, as the root cause of roughly 80% of attacks, from account takeovers to ransomware to advanced persistent threats. Think about that for a moment: we have the opportunity to eliminate the single largest attack vector we face. Passwords are the proverbial “easy button” for cybercriminals and state-sponsored actors alike. As cybersecurity professionals, it’s high time we stopped training and blaming users and put the onus on ourselves, and on the organizations that have not yet adopted secure, passwordless authentication. Solutions are available today from a range of vendors, built on the FIDO Alliance’s FIDO2/WebAuthn standards and on other approaches that replace passwords with phishing-resistant forms of authentication.

As we celebrate World Password Day this year, let’s take a look at the password recommendations we often read or even give ourselves and think about why in many ways it’s poor guidance:

  • Use longer and stronger passwords or passphrases.

Security experts base this recommendation on the assumption that adversaries obtain passwords by brute-forcing logins or by cracking stolen password hashes, attacks that length and complexity do make more expensive. Today, attackers simply buy previously stolen passwords; there are literally billions of credentials for sale in open and underground forums. Some passwords are indeed recovered by cracking leaked databases, and yes, a long password raises the cost of cracking a properly hashed one. But passwords are often lifted from databases that stored them in plaintext or with weak, unsalted hashing, where length and complexity requirements (special characters, upper and lowercase letters, numbers) simply don’t matter. Nor does length do anything against credential stuffing, which replays a password the attacker already knows. More importantly, adversaries use a range of phishing attacks to capture passwords while they are unencrypted and “in the clear.” Phishing kits and credential-stealing malware don’t care whether a password is four or four thousand characters long or how many special characters it contains. It’s not as if these tools size a password up and decide a long one would be too much effort. They will happily steal it either way.

  • Don’t reuse the same password across multiple apps or websites.

This often tops the list of steps that consumers and employees can take to marginally improve their own security or help protect company assets. Unique passwords do limit the blast radius of any single leak, but they are not even close to a solution. Given the phishing techniques noted above, a unique password can be and routinely is stolen and used against the very account it was meant to protect. And let’s be realistic. Our friends, non-technical family members, and colleagues often have dozens of passwords, and we technical types typically have hundreds of them, so this advice quickly runs into the limits of human memory.

  • Use a password manager.

Full disclosure, I have used a password manager for my personal passwords for the last decade. But it’s simply a “feel good” rather than a “real good” security solution. None of us can actually choose or remember the dozens or hundreds of passwords required to use a unique password for every site, so a manager is the only practical way to follow the previous piece of advice. Unfortunately, phishing has become the go-to method of obtaining passwords. A manager’s domain matching is a genuine defense here, since it will not autofill a credential on a lookalike domain, but a user who believes the page is real will copy and paste the password anyway, and that is exactly what a convincing phishing page asks them to do. And the managers themselves, protected by yet another password, have suffered breaches of their own, so this model concentrates our risk in one place.

  • Use 2FA/MFA.

An easily phished password combined with another phishable factor, such as a one-time code or a magic link sent over an insecure channel like SMS or email, does not present even a speed bump to adversaries at this point. A code or link carries no information about which site the user handed it to, so an adversary-in-the-middle reverse proxy simply relays it to the real site in real time and keeps the resulting session cookie. Push notifications fall to the same proxies and to prompt bombing and other social engineering that wears a user down until they tap “approve.” CISA has warned that all of these MFA methods are being bypassed at scale, and free, open-source phishing kits make it patently simple. That is why OMB Memorandum M-22-09 requires federal agencies to move to phishing-resistant MFA, meaning PIV or FIDO2/WebAuthn, where the credential is cryptographically bound to the legitimate site’s origin and cannot be replayed from a lookalike domain.
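To make the difference between a relayable factor and a phishing-resistant one concrete, here is an added example in Go that is not part of the column and not code from Beyond Identity or from any FIDO product. It models a simplified WebAuthn assertion ceremony end to end (key generation stands in for registration; CBOR encoding, signature counters and attestation are omitted) and then walks the same credential through a genuine login, an adversary-in-the-middle relay from a lookalike domain, and a replay of a captured assertion. The host names and challenge strings are constructed for the example; the relying-party checks (ceremony type, issued challenge, own origin, RP ID hash, signature) are the ones the WebAuthn specification requires.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
)

// clientData is what the browser hands the authenticator to sign (simplified clientDataJSON).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party (RP) gets back from the browser.
type assertion struct {
	RPIDHash       [32]byte // WebAuthn: first 32 bytes of authenticatorData
	ClientDataJSON []byte
	Signature      []byte // ES256 (ECDSA P-256, ASN.1) over rpIdHash || SHA-256(clientDataJSON)
}

// getAssertion models browser plus authenticator on a page served from origin. The browser, not
// the page, writes the origin and derives the RP ID from it; the credential key is scoped to credRPID.
func getAssertion(priv *ecdsa.PrivateKey, credRPID, origin, challenge string) (*assertion, error) {
	u, err := url.Parse(origin)
	if err != nil || u.Hostname() != credRPID { // a lookalike domain maps to an RP ID with no credential
		return nil, fmt.Errorf("no credential for origin %q", origin)
	}
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: origin})
	rpIDHash, cdHash := sha256.Sum256([]byte(credRPID)), sha256.Sum256(cd)
	digest := sha256.Sum256(append(rpIDHash[:], cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &assertion{RPIDHash: rpIDHash, ClientDataJSON: cd, Signature: sig}, nil
}

// verifyAssertion is the RP side, in the order WebAuthn prescribes: ceremony type, the exact
// challenge this RP issued, this RP's own origin, the RP ID hash, then the signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, origin, issuedChallenge string, as *assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return fmt.Errorf("wrong ceremony type %q", cd.Type)
	case cd.Challenge != issuedChallenge:
		return errors.New("challenge mismatch")
	case cd.Origin != origin:
		return fmt.Errorf("origin %q is not this RP", cd.Origin)
	case as.RPIDHash != sha256.Sum256([]byte(rpID)):
		return errors.New("rpIdHash mismatch")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(as.RPIDHash[:], cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	return nil
}

// runScenario: genuine login, relay via a lookalike domain, replay of a captured assertion (constructed hosts).
func runScenario() (legitOK bool, phishErr, tamperErr string, err error) {
	const rpID, realOrigin, phishOrigin = "accounts.example.com", "https://accounts.example.com", "https://accounts-example.com"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key scoped to rpID
	if err != nil {
		return
	}
	// 1. Genuine login from the real origin.
	legit, err := getAssertion(priv, rpID, realOrigin, "challenge-1")
	if err != nil {
		return
	}
	legitOK = verifyAssertion(&priv.PublicKey, rpID, realOrigin, "challenge-1", legit) == nil
	// 2. Adversary-in-the-middle proxy relays the real site's challenge to the victim on the lookalike domain.
	if _, e := getAssertion(priv, rpID, phishOrigin, "challenge-2"); e != nil {
		phishErr = e.Error()
	}
	// 3. Attacker replays the captured genuine assertion, rewriting its challenge to the fresh one.
	tampered := *legit
	tampered.ClientDataJSON = bytes.ReplaceAll(legit.ClientDataJSON, []byte("challenge-1"), []byte("challenge-3"))
	if e := verifyAssertion(&priv.PublicKey, rpID, realOrigin, "challenge-3", &tampered); e != nil {
		tamperErr = e.Error()
	}
	return
}

func main() { fmt.Println(runScenario()) }
```

Two properties decide the outcome. The browser, not the page, writes the origin into the signed client data and derives the RP ID from it, so the lookalike domain never obtains an assertion at all; and the signature covers the client data, so a captured assertion cannot be re-pointed at a fresh challenge. A one-time code has neither property: it is the same six digits whichever site the user types it into, which is exactly why a proxy can forward it unchanged.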

So on this combined Cinco de Mayo and World Password Day, I encourage all of us to raise our cervezas and commit to eliminating passwords, and all easily phishable authentication factors. We can and should eliminate the risks they impose on our customers and our companies. Let’s stop kicking the can down the road, get this passwordless party started, and make real progress this year. Friends, family, and colleagues will thank us.

Patrick McBride, chief marketing officer, Beyond Identity
