• Showroom7561
    2 days ago

    Password rotation leads to password reuse.

    That’s a user problem, though.

    Randomly generated long passwords, different for every account, should be the bare minimum these days.

    Randomly generated phrases with separators, punctuation, and numbers appear to be the strongest (and easier to type out if you are reading it off a password manager not on the same device). Just a randomly generated string is actually quite easy for a computer script to brute force, but so much of a pain in the ass for the user! LOL

    Length is usually better than complexity!

    For example, Bitwarden’s password strength test tool says this password would only take 3 years to crack (using today’s technology): s#y7s8a63@22

    While this one would take centuries: this-is-way-stronger

    Which one would you want to enter into your TV set when you have to log into a streaming video service? 😂
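Added example (not from the post or from Bitwarden): a rough estimate of how long the two passwords above would resist an offline guessing attack, under two different attacker models. The guess rate, the symbol-class size and the 7776-word list size are assumptions, not values from the post, and the model is simpler than Bitwarden's strength meter; the point is that the passphrase's advantage depends on whether the attacker guesses characters or whole words.

```python
import math
import re

# Constructed inputs: the two passwords quoted in the post above.
RANDOM_STRING = "s#y7s8a63@22"
PASSPHRASE = "this-is-way-stronger"

# Assumed attacker throughput (offline attack on a fast, unsalted hash).
GUESSES_PER_SECOND = 1e10
# Assumed wordlist size (a typical diceware-style list has 7776 words).
WORDLIST_SIZE = 7776
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the union of character classes actually used in the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and symbols
    return size


def brute_force_bits(pw: str) -> float:
    """Search-space entropy for an attacker who only knows the classes used."""
    return len(pw) * math.log2(charset_size(pw))


def wordlist_bits(pw: str, sep: str = "-", words: int = WORDLIST_SIZE) -> float:
    """Entropy if the attacker knows it is N list words joined by a known separator."""
    return len(pw.split(sep)) * math.log2(words)


def years_to_crack(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected years to search half of a keyspace of the given size."""
    return (2 ** bits / 2) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for label, bits in [("random string, per-character", brute_force_bits(RANDOM_STRING)),
                        ("passphrase, per-character", brute_force_bits(PASSPHRASE)),
                        ("passphrase, per-word", wordlist_bits(PASSPHRASE))]:
        print(f"{label:30s} {bits:6.1f} bits  ~{years_to_crack(bits):.2e} years")
```

Against a per-character attacker the 20-character passphrase is far stronger, as the post says; against an attacker who knows it is four common words with a separator, it is the weaker of the two.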

    • Dubiousx99@lemmy.world
      2 days ago

      Sure, you can blame the user for their failure, but your systems will be less secure because of all your users who are not doing what they are supposed to. So then you have to decide: do we punish these users for their bad password practices, or do we implement different practices that are more likely to be followed?

      Something you know isn’t the best method to verify identity anyways; as evidenced, it is easy for someone else to learn that information. Using something the user possesses is a much better choice as the user is more likely to be aware of a loss of the object and report the security incident.

      • Showroom7561
        2 days ago

        So then you have to decide, do we punish these users for their bad password practices or do we implement different practices that are more likely to be followed.

        In most areas, I would agree that the latter would be the best approach, with nuance*

        However, in the security space, I would argue that you should implement practices based on the threat model, and the importance of the data being protected.

        Should a user be rotating passwords on a website they use to check the weather? Probably not.

        For a banking site? I would, and enable 2FA if it isn’t already. 2FA, I would also argue, is more of a PITA for users than picking a strong password via their password manager.

        • We already see harmful examples of suggestions being offered, not because the facts support it, but because “it’s easier for the user to follow”.

        For instance, health authorities tell people to get 150 minutes of activity per week, despite the clear evidence that more than that would be better for optimal health.

        Why do they do this? Because suggesting the true amount of exercise needed causes an aversion… the opposite effect.

        So, I can see how we might ask users to only do the bare minimum, or else risk complete noncompliance with best practices. But the reality is, it only takes a very minimal amount of effort to secure our data, so we should encourage users to actually follow best practices (as it relates to their threat model).