Security researchers are now saying that the length, strength, and complexity of passwords are inconsequential.
For years now, tech sites have been doling out the same password tips, including using long and complex passwords. The shame of it is that all this advice over many years has had little to no effect on how your average home user chooses their passwords. In what can only be described as a complete about-face, the current consensus among security researchers is that, in the real world, how strong, long, or complex a password is almost never matters.
Full disclosure: Portions of this article are based on this Malwarebytes blog article
The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it’s so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations, a laughably simple but unique password is good enough to defeat the attack.
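Both attacks described above look the same from the server's side: one source tries many different accounts, each only once or twice, so a per-account lockout (which typically needs several failures on the same account) never fires. The detection below, an added example written for this article and not code from Malwarebytes or any product, parses a few constructed log lines in a made-up format and aggregates per source address instead, which is the view that actually exposes spraying and stuffing. The thresholds and the log format are assumptions.

```python
"""Spot password-spraying / credential-stuffing patterns in auth logs.

Added example for this article (not code from the original page). The log
format, thresholds and addresses below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines: one source hits six accounts once each
# (spray/stuffing shape); another is a normal user mistyping once.
SAMPLE_LOG = """\
2023-05-04T10:00:01 auth src=203.0.113.5 user=alice result=FAIL
2023-05-04T10:00:02 auth src=203.0.113.5 user=bob result=FAIL
2023-05-04T10:00:03 auth src=203.0.113.5 user=carol result=FAIL
2023-05-04T10:00:04 auth src=203.0.113.5 user=dave result=SUCCESS
2023-05-04T10:00:05 auth src=203.0.113.5 user=erin result=FAIL
2023-05-04T10:00:06 auth src=203.0.113.5 user=frank result=FAIL
2023-05-04T10:01:00 auth src=198.51.100.7 user=alice result=FAIL
2023-05-04T10:01:30 auth src=198.51.100.7 user=alice result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$"
)


def parse_log(text):
    """Turn raw lines into event dicts; lines that don't match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def summarize_by_source(events):
    """Aggregate attempts per source address (the view that exposes a spray)."""
    stats = defaultdict(lambda: {
        "users": set(), "attempts": 0, "fails": 0,
        "per_user": defaultdict(int), "first": None, "last": None,
    })
    for ev in events:
        s = stats[ev["src"]]
        s["users"].add(ev["user"])
        s["attempts"] += 1
        s["per_user"][ev["user"]] += 1
        if ev["result"] == "FAIL":
            s["fails"] += 1
        s["first"] = ev["ts"] if s["first"] is None else min(s["first"], ev["ts"])
        s["last"] = ev["ts"] if s["last"] is None else max(s["last"], ev["ts"])
    return stats


def detect_spray(events, min_users=5, min_fail_ratio=0.6):
    """Return {src: summary} for sources touching many accounts with mostly failures."""
    alerts = {}
    for src, s in summarize_by_source(events).items():
        fail_ratio = s["fails"] / s["attempts"]
        if len(s["users"]) >= min_users and fail_ratio >= min_fail_ratio:
            alerts[src] = {
                "distinct_users": len(s["users"]),
                "attempts": s["attempts"],
                "successes": s["attempts"] - s["fails"],
                "fail_ratio": round(fail_ratio, 2),
                # Highest number of tries any one account saw: shows why a
                # per-account lockout never triggers on this traffic.
                "max_attempts_per_user": max(s["per_user"].values()),
                "span_seconds": int((s["last"] - s["first"]).total_seconds()),
            }
    return alerts


def accounts_locked(events, threshold=5):
    """Accounts a classic per-account lockout would have locked (for contrast)."""
    fails = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]] += 1
    return {user for user, n in fails.items() if n >= threshold}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("per-source alerts:", detect_spray(evs))
    print("per-account lockouts:", accounts_locked(evs))
```

On the constructed sample, the per-account lockout locks nobody, while the per-source view flags the address that touched six accounts in five seconds with one success among them; that one success is exactly the reused-password account the article is warning about.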
“There are rare types of attack – offline password guessing – where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing.” (source)
Of course, password managers represent a valid solution but the reality is that despite all the years of favorable reviews and recommendations, most of your average home users are still not using them. So what’s the answer?
Two-Factor Authentication (2FA)
I’ll begin by quoting an excerpt from a 2019 article written by Microsoft’s Alex Weinert, who says… “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA”.
Alex calls it MFA (multi-factor authentication), and Google calls it 2SV (two-step verification), but they all mean the exact same thing – proving your identity via more than one means.
A password is always required, of course, plus a secondary means of identification, which is generally in the form of a unique 6-digit code sent to your phone. Now, when I’ve recommended 2FA in the past, I’ve almost always received a comment from someone who is skeptical about giving out their mobile phone number, and I cannot say I blame them. However, I set up 2FA (via my mobile phone number) on multiple accounts some time ago and have NEVER received any sort of spam or unwanted messages/calls. The only time I ever hear from those accounts is when I sign in and 2FA comes into play.
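The server side of that “unique 6-digit code” step is what makes it worth more than a second password: the code is random, expires quickly, works once, and tolerates only a handful of wrong guesses. The class below is an added example written for this article (not code from PayPal, Microsoft, Google or any real service) showing those four properties; the time limit and attempt limit are assumed values, and the clock is injectable only so the behaviour can be exercised offline.

```python
"""One-time 6-digit second-factor codes, server side.

Added example for this article (not the original page's code). TTL and
attempt limits are assumptions chosen for illustration.
"""
import hmac
import secrets
import time

CODE_LEN = 6
CODE_TTL_SECONDS = 300   # assumed: code is valid for five minutes
MAX_ATTEMPTS = 5         # assumed: wrong guesses allowed before the code is void


class SecondFactor:
    """Issue and verify one-time numeric codes for a user."""

    def __init__(self, clock=time.time):
        self._clock = clock
        # user -> (code, expires_at, attempts_left); a real service would
        # keep this in a store shared across app servers.
        self._pending = {}

    def issue(self, user):
        # secrets.randbelow gives a uniformly random, unpredictable value;
        # zero-pad so "000123" is as valid as "987654".
        code = f"{secrets.randbelow(10 ** CODE_LEN):0{CODE_LEN}d}"
        self._pending[user] = (code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS)
        return code  # delivered to the user's phone; never written to logs

    def verify(self, user, submitted):
        entry = self._pending.get(user)
        if entry is None:
            return False  # nothing issued, or already used
        code, expires_at, attempts_left = entry
        if self._clock() > expires_at or attempts_left <= 0:
            del self._pending[user]  # expired or exhausted: force a fresh code
            return False
        # Constant-time comparison so timing doesn't leak matching digits.
        ok = hmac.compare_digest(code.encode(), str(submitted).encode())
        if ok:
            del self._pending[user]  # single use
        else:
            self._pending[user] = (code, expires_at, attempts_left - 1)
        return ok


def wrong_code_for(code):
    """Helper: a syntactically valid 6-digit code that differs from `code`."""
    return "000000" if code != "000000" else "000001"


if __name__ == "__main__":
    sf = SecondFactor()
    issued = sf.issue("demo-user")
    print("wrong code accepted?", sf.verify("demo-user", wrong_code_for(issued)))
    print("right code accepted?", sf.verify("demo-user", issued))
    print("replay accepted?", sf.verify("demo-user", issued))
```

The point for the reader is the contrast with a password: even if an attacker already knows the password (from a breach or a spray), a code that is random, five minutes old at most, valid once, and limited to five guesses gives them essentially nothing to reuse.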
My mobile phone is always in my possession and access is protected, so it is, in my opinion, an extremely safe method of ensuring that my accounts cannot be accessed by anyone else. I have always been reluctant to use the phone or my iPad for financial transactions but with 2FA in place, I have no such qualms. If I make a payment through PayPal, for example, I will be prompted to proceed by inputting a verification code. I am happy to comply, safe in the knowledge that regardless of how secure the connection might be, only I can receive and enter that code.
Apparently, May 4th was World Password Day, something I was not aware of. However, if you do nothing else this year, please consider setting up 2FA on as many accounts as possible and as soon as possible. 2FA, MFA, 2SV, whatever they want to call it, is absolutely the very best method for protecting your accounts, way more effective than a password alone, regardless of its strength or complexity.
Some accounts offer 2FA as optional, others not at all, but in my humble opinion, 2FA should be a mandatory requirement for all online accounts.
- Read the Malwarebytes blog article in full: The one and only password tip you need
- Read Alex Weinert’s revealing article in full: Your Pa$$word Doesn’t Matter