
Even Jedi can't achieve Password Perfection

Created:  03 May 2017
Updated:  03 May 2017
Author:  Emma W

World Password Day arrives again on May 4th - an auspicious date, in so many respects. These are not the passwords you're looking for.

We all have loads of passwords to cope with, at work and at home, and most of us struggle to keep on top of them. The problem is, we tend to resort to well-known coping strategies to get by, and these coping strategies can make it easier for attackers to steal our passwords.

If you've slid into one too many bad habits with your passwords over time, as a user, then World Password Day might be a good opportunity to have a bit of a spring-clean and get things in better shape again.


And is good user behaviour on passwords enough?

No. Successful password management is a problem that we, as a security community, can't solve just by telling users to do good things.

How do I know this?

Well, I was one of the lead authors on the NCSC Password Guidance, which is now over 18 months old. This means I've lived and breathed passwords for around the last three years.

I've done many hours of reading and research on passwords.

I've had innumerable conversations with my fellow experts, in the NCSC and beyond, and many other people who know and care about passwords.

I know how passwords are commonly attacked. I know what defences we can employ against those attacks - including their merits and drawbacks.

I know the ways people tend to handle and think about passwords. And personally, I've used passwords myself for over twenty years.

I've seen things you people wouldn't believe. And in general, I don't think I could have thought about passwords any more than I've done in the last three years.

And even I still struggle to manage my passwords.

And I still occasionally resort to sub-optimal coping strategies - because frankly, sometimes it's the only way to get through life.

I like telling people this. Because it usually shocks them, and it helps them realise that there is simply no 'sweet spot' of user education, awareness and training (or even punishments) that would result in everyone managing their passwords perfectly. If there were such a state - let's call it 'Password Perfection' - I would be in it. And I'm not. Because... I'm still human.

When it comes to passwords I have more technical skill, knowledge and motivation than most. So even if I could achieve Password Perfection, not all users could. We expect our users to get more adept at this stuff. But that's not going to happen for everyone in the next few years. We have to deal with people as they are now, and develop solutions that work for them as they are.


So what IS the answer?

The answer is to focus more on supporting users to do the right things, rather than just telling them what to do. Too often, telling users to do things slides too easily into blaming them when they get things wrong. And we all know there is far more to protecting our systems and data than relying on what users alone are able to accomplish with their passwords.

We can do most of the security heavy lifting well away from users - with good system design, robust technical defences, and the full range of up-to-date authentication technologies and methods. We can then:

  • rely less on user passwords to protect our systems and data
  • minimise the number of passwords users need
  • support the use of more memorable passwords, by doing away with unhelpful complexity requirements and rotation policies
  • enable the use of password managers
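To make the third and fourth points concrete, here is an added illustration (not NCSC code, and not from the post): two password-acceptance policies side by side. The "legacy" one enforces character-class complexity, a short maximum length and 90-day rotation; the alternative uses only a length floor, a deny-list of common passwords and a generous upper bound, with no forced expiry. The deny-list, the sample passwords and the dates are constructed for the example; the exact thresholds are assumptions chosen to show the behaviour, not values taken from the guidance.

```python
"""Two password-acceptance policies compared (constructed illustration).

The legacy policy mirrors the complexity-and-rotation rules the post
argues against; the alternative keeps only a length floor, a deny-list
and a long upper bound, so three-random-word passphrases and
manager-generated secrets are accepted while a classic 'compliant'
password such as P@ssw0rd1 is not.
"""
from __future__ import annotations

import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed stand-in for a real breached/common-password deny-list.
COMMON_PASSWORDS = {
    "password", "password1", "p@ssw0rd1", "qwerty123", "letmein", "welcome1",
}

# Constructed dates: World Password Day 2017 as "today", plus a recent and
# a stale last-change date to exercise the rotation rule.
TODAY = date(2017, 5, 4)
RECENT = TODAY - timedelta(days=10)
STALE = TODAY - timedelta(days=120)


@dataclass
class Verdict:
    accepted: bool
    reasons: list[str] = field(default_factory=list)


def legacy_policy(password: str, last_changed: date, today: date) -> Verdict:
    """Complexity + rotation: 8-16 chars, three of four character classes,
    and a forced change after 90 days (assumed thresholds)."""
    reasons: list[str] = []
    classes = sum(
        1 for test in (str.isupper, str.islower, str.isdigit)
        if any(test(c) for c in password)
    )
    if any(c in string.punctuation for c in password):
        classes += 1
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 16:
        # Short caps like this reject passphrases and manager output.
        reasons.append("longer than 16 characters")
    if classes < 3:
        reasons.append("needs three character classes")
    if today - last_changed > timedelta(days=90):
        reasons.append("expired: rotation required")
    return Verdict(not reasons, reasons)


def length_and_denylist_policy(password: str, _last_changed: date, _today: date) -> Verdict:
    """Length floor, deny-list, long upper bound, no expiry. The date
    arguments are accepted only so both policies share one signature."""
    reasons: list[str] = []
    if len(password) < 8:
        reasons.append("shorter than 8 characters")
    if len(password) > 128:
        reasons.append("longer than 128 characters")
    if password.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password deny-list")
    return Verdict(not reasons, reasons)


# Constructed samples: a 'compliant' weak password, a three-random-words
# passphrase, a manager-generated secret, and an obviously short one.
SAMPLES = [
    "P@ssw0rd1",
    "coffee tractor lantern",
    "rT7#kQ92mLp4vX0bW9zN5cJ",
    "qwerty",
]


def run_samples() -> dict[str, tuple[bool, bool]]:
    """Map each sample to (legacy accepted, length/deny-list accepted),
    with a recent last-change date so rotation does not interfere."""
    return {
        pw: (
            legacy_policy(pw, RECENT, TODAY).accepted,
            length_and_denylist_policy(pw, RECENT, TODAY).accepted,
        )
        for pw in SAMPLES
    }


def rotation_demo(password: str = "Tr0ub4dor&3") -> tuple[bool, bool]:
    """Same strong-looking password, unchanged for 120 days: the legacy
    policy forces a change, the alternative does not."""
    return (
        legacy_policy(password, STALE, TODAY).accepted,
        length_and_denylist_policy(password, STALE, TODAY).accepted,
    )


if __name__ == "__main__":
    for pw, (legacy_ok, alt_ok) in run_samples().items():
        print(f"{pw!r:28} legacy={legacy_ok!s:5} length+denylist={alt_ok}")
    print("rotation after 120 days (legacy, alternative):", rotation_demo())
```

The point the table makes when run: the legacy rules accept `P@ssw0rd1` and reject both the passphrase and the manager-generated secret, which is the opposite of what you want; the deny-list approach gets all three right. Dropping the expiry rule removes the incentive to make small, predictable edits every 90 days.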


How can I do all this?

Look at the NCSC's suite of guidance on passwords for help.

Emma W

People-Centred Security Lead, Sociotechnical Security Group, NCSC


3 comments

Alisdair McKenzie - 18 May 2017
Hi Emma,

I enjoyed the material in the "Guidance on Passwords", very useful and well structured. I subscribe to the thought that as our people are often our 1st and last line of defence, we must do all we can to ensure they are fully equipped for this task. This means our security measures must fit as seamlessly into their work flow activity as possible.

In your password creation work, have you seen any good examples of guidance to users on how to create robust, strong passwords? I think it should be no more than 1 page, preferably half.

Cheers

McK

Emma W - 18 May 2017
Thanks for your comment, McK. You might want to take a look at Ian M’s blog post about password creation: https://www.ncsc.gov.uk/blog-post/three-random-words-or-thinkrandom-0

Alex Rukundo - 04 May 2018
Love the frankness and humanness of the article. It's so authentic, real and couldn't have captured both the joy and frustrations we all go through remembering or managing passwords for so many things in our lives.

How ironic that just a few years ago we literally didn't need passwords for this many things.

Soon we will need passwords to eat food in our own houses!

What I think we've seen trending lately is biometric-type passwords, and the more these become the new normal in everyday societal things, the easier it will become vs. generating user keys or actual alphanumeric passwords.

Whether it is looking at your credit card to activate a payment, touching your phone to open it, flashing your hand to open a door, or simply sitting at your desk and talking to your machine to activate it: these gestures are not far-fetched, and they may be much easier solutions to the current nightmare.
