We all have loads of passwords to cope with, at work and at home, and most of us struggle to keep on top of them. The problem is, we tend to resort to well-known coping strategies to get by, and these coping strategies can make it easier for attackers to steal our passwords.
If you've slid into one too many bad habits with your passwords over time, as a user, then World Password Day might be a good opportunity to have a bit of a spring-clean and get things in better shape again.
And is good user behaviour on passwords enough?
No. Successful password management is a problem that we, as a security community, can't solve just by telling users to do good things.
How do I know this?
Well, I was one of the lead authors on the NCSC Password Guidance, which is now over 18 months old. This means I've lived and breathed passwords for around the last three years.
I've done many hours of reading and research on passwords.
I've had innumerable conversations with my fellow experts, in the NCSC and beyond, and many other people who know and care about passwords.
I know how passwords are commonly attacked. I know what defences we can employ against those attacks - including their merits and drawbacks.
I know the ways people tend to handle and think about passwords. And personally, I've used passwords myself for over twenty years.
I've seen things you people wouldn't believe. And in general, I don't think I could have thought about passwords any more than I've done in the last three years.
And even I still struggle to manage my passwords.
And I still occasionally resort to sub-optimal coping strategies - because frankly, sometimes it's the only way to get through life.
I like telling people this. Because it usually shocks them, and it helps them realise that there is simply no 'sweet spot' of user education, awareness and training (or even punishments) that would result in everyone managing their passwords perfectly. If there were such a state - let's call it 'Password Perfection' - I would be in it. And I'm not. Because... I'm still human.
When it comes to passwords I have more technical skill, knowledge and motivation than most. So even if I could achieve Password Perfection, not all users could. We expect our users to get more adept at this stuff. But that's not going to happen for everyone in the next few years. We have to deal with people as they are now, and develop solutions that work for them as they are.
So what IS the answer?
The answer is to focus more on supporting users to do the right things, rather than just telling them what to do. Too often, telling users to do things slides too easily into blaming them when they get things wrong. And we all know there is far more to protecting our systems and data than relying on what users alone are able to accomplish with their passwords.
We can do most of the security heavy lifting well away from users - with good system design, robust technical defences, and the full range of up-to-date authentication technologies and methods. We can then:
- rely less on user passwords to protect our systems and data
- minimise the number of passwords users need
- support the use of more memorable passwords, by doing away with unhelpful complexity requirements and rotation policies
- enable the use of password managers
How can I do all this?
Look at the NCSC's suite of guidance on passwords for help.
People-Centred Security Lead, Sociotechnical Security Group, NCSC