Security researchers are now saying that the length, strength, and complexity of passwords are inconsequential.
For years now tech sites have been doling out the same password tips, including using long and complex passwords. The shame of it is that all this advice over many years has had little to no effect on how your average home user chooses their passwords. In what can only be described as a complete about-face, the current consensus among security researchers is that, in the real world, how strong, long, or complex a password is almost never matters.
Full disclosure: Portions of this article are based on the Malwarebytes blog article linked at the end of this post.
The most common type of password attack is credential stuffing, which uses passwords stolen in data breaches. It works because it’s so common for people to reuse the same password in two places and it is completely unaffected by password strength. The next most common attack is password spraying, where criminals use short lists of very simple passwords on as many computers as possible. In both situations, a laughably simple but unique password is good enough to defeat the attack.
There are rare types of attack – offline password guessing – where a strong password might help, but the trade-off is that strong passwords are far harder for people to remember, which leads them to use the same password for everything, which makes them much more vulnerable to credential stuffing. ~ (source: the Malwarebytes article linked below)
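Both attacks described above look the same from the login server's side: one source fails against many different accounts, with only a handful of guesses per account, and the occasional success lands on an account whose password was reused or trivially common. The detector below, an added example that is not part of the original article, runs over a few constructed log lines (the format, thresholds and IP addresses are assumptions) and flags sources with that shape, which a fat-fingered legitimate user never produces.

```python
import re
from collections import defaultdict

# Constructed sample auth log lines (not from the original article):
# one source tries a few guesses each against many accounts (the
# spraying / stuffing shape), another source is a user who mistyped twice.
SAMPLE_LOG = """\
2024-05-04T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-04T10:00:02 FAIL user=bob src=203.0.113.7
2024-05-04T10:00:03 FAIL user=carol src=203.0.113.7
2024-05-04T10:00:04 FAIL user=dave src=203.0.113.7
2024-05-04T10:00:05 FAIL user=erin src=203.0.113.7
2024-05-04T10:00:06 OK user=frank src=203.0.113.7
2024-05-04T10:00:07 FAIL user=alice src=203.0.113.7
2024-05-04T10:00:08 FAIL user=bob src=203.0.113.7
2024-05-04T10:05:00 FAIL user=grace src=198.51.100.2
2024-05-04T10:05:09 FAIL user=grace src=198.51.100.2
2024-05-04T10:05:20 OK user=grace src=198.51.100.2
"""

LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse(log):
    """Yield {"result", "user", "src"} for every well-formed line."""
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def find_spraying_sources(log, min_users=5, max_per_user=3):
    """Return {src: {"users": n, "hits": [...]}} for sources whose failures
    spread across many accounts with only a few attempts each. A legitimate
    user who mistypes fails repeatedly on ONE account, so the spread across
    accounts is what separates spraying/stuffing from typos."""
    fails = defaultdict(lambda: defaultdict(int))
    successes = defaultdict(set)
    for ev in parse(log):
        if ev["result"] == "FAIL":
            fails[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].add(ev["user"])
    flagged = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            # a success from the same source during the run is the account that
            # fell to a reused or common password, whatever its length
            flagged[src] = {"users": len(per_user), "hits": sorted(successes[src])}
    return flagged
```

The second source is not flagged: two failures on a single account is the typo pattern, not the many-accounts pattern, and a unique password on every account is what leaves the flagged source with no hits at all.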
Of course, password managers represent a valid solution but the reality is that despite all the years of favorable reviews and recommendations, most of your average home users are still not using them. So what’s the answer?
Two-Factor Authentication (2FA)
I’ll begin by quoting an excerpt from a 2019 article written by Microsoft’s Alex Weinert, who says… “Based on our studies, your account is more than 99.9% less likely to be compromised if you use MFA”.
Alex calls it MFA (multi-factor authentication), and Google calls it 2SV (two-step verification), but they all mean the exact same thing – proving your identity via more than one means.
A password is always required, of course, plus a secondary means of identification, which is generally in the form of a unique 6-digit code sent to your phone. Now, when I’ve recommended 2FA in the past, I’ve almost always received a comment from someone who is skeptical about giving out their mobile phone number, and I cannot say I blame them. However, I set up 2FA (via my mobile phone number) on multiple accounts some time ago and have NEVER received any sort of spam or unwanted messages/calls. The only time I ever hear from those accounts is when I sign in and 2FA comes into play.
My mobile phone is always in my possession and access is protected, so it is, in my opinion, an extremely safe method of ensuring that my accounts cannot be accessed by anyone else. I have always been reluctant to use the phone or my iPad for financial transactions but with 2FA in place, I have no such qualms. If I make a payment through PayPal, for example, I will be prompted to proceed by inputting a verification code. I am happy to comply, safe in the knowledge that regardless of how secure the connection might be, only I can receive and enter that code.
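What makes the 6-digit code described above safe to rely on is not the code itself but how the service handles it: only the phone holder receives it, and the server accepts it once, within a short window, after a small number of attempts. The class below is an added example (not the author's code or any particular provider's implementation) of that server-side half; the class name, the 5-minute lifetime and the 3-attempt budget are assumptions.

```python
import hashlib
import hmac
import secrets
import time

CODE_TTL = 300        # seconds a code stays valid (assumed; not from the article)
MAX_ATTEMPTS = 3      # a 6-digit space is only 1,000,000 codes, so guesses must be capped

class SecondFactor:
    """Server side of the 'code sent to your phone' step: issue a random
    6-digit code, keep only its hash, and accept it once, in time, within a
    small attempt budget. Hypothetical helper written for this article."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}   # user -> {"hash": bytes, "expires": float, "tries": int}

    def issue(self, user):
        code = f"{secrets.randbelow(10**6):06d}"       # uniformly random, never sequential
        self.pending[user] = {
            "hash": hashlib.sha256(code.encode()).digest(),
            "expires": self.clock() + CODE_TTL,
            "tries": 0,
        }
        return code   # what the SMS would carry; the server keeps only the hash

    def verify(self, user, submitted):
        entry = self.pending.get(user)
        if entry is None or self.clock() > entry["expires"]:
            self.pending.pop(user, None)
            return False            # no live code: never issued, expired, or already used
        entry["tries"] += 1
        ok = hmac.compare_digest(hashlib.sha256(submitted.encode()).digest(), entry["hash"])
        if ok or entry["tries"] >= MAX_ATTEMPTS:
            del self.pending[user]   # single use, and burned once the budget is spent
        return ok
```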
BOTTOM LINE:
Apparently, May 4th was World Password Day, something I was not aware of. However, if you do nothing else this year, please consider setting up 2FA on as many accounts as possible and as soon as possible. 2FA, MFA, 2SV, whatever they want to call it, is absolutely the very best method for protecting your accounts, way more effective than a password alone, regardless of its strength or complexity.
Some accounts offer 2FA as optional, others not at all, but in my humble opinion 2FA should be a mandatory requirement for all online accounts.
- Read the Malwarebytes blog article in full: The one and only password tip you need
- Read Alex Weinert’s revealing article in full: Your Pa$$word Doesn’t Matter
—
what if you do not own or use a DAMN CELL PHONE?
It’s a great point. I actually had to buy a cell phone because of the 2-factor authentication needed for all my banking and more.
Yes, good point. Some accounts do allow for an email address to act as the secondary method for verification.
Jim,
I am all for dual layers of authentication. My only wish is that if I use my computer (or other device) to connect to a site once and go through the 2-tier authentication, my device then gets accredited as a safe device and I only require a single layer of authentication going forward while using this device.
My experience is just the opposite.
Hey Tom,
I’m hearing you mate. However, if a device is “trusted”, in the sense that the second part of 2FA becomes unnecessary, it sort of defeats the purpose.
Interesting article as always Jim. It is frustrating to have 2-factor authentication for virtually every site these days but I understand its importance. My problem is that there are situations with Google, for example, where I haven’t yet figured out how to change the second factor if I no longer use that device. As an example, if I go on a trip and try to access my email, Google sends a verification text to an Android device that is non-functional. I’ve tried many times and am unable to change the device registered with Google. As a result the only time I can access the Gmail that subscribes to Dave’s Computer Tips is if I’m at my home. It’s been the same for banks, where I need to wait long times on the phone to change the second factor device.
Hey Lucio,
After reading your comment I dug down through the Google account options and, although it is a somewhat convoluted process, you can change the phone number and even add an additional phone number.
Hi Jim: I’m impressed that you were able to find a solution for my Google account aggravation. When you have time, I’d appreciate you letting me know where this area would be that can be changed on Google. I’ve tried the help sections that supposedly allow me to cancel what I had previously as a trusted device and it did not work according to their instructions. Thanks. Lucio
1) Go to your Google account, click on your profile icon (mine is a little blue circle with a J in the middle) and then click “Manage your Google Account”
2) Next, from the menu on the left-hand side of the page click “Security”
3) Now you should see the options under “How you sign in to Google”, including “2-Step Verification Phones” and “Recovery Phone”. Expand those items to make your changes
Thank you Jim. That helped but weirdly it does not allow me to remove the obsolete apps that no longer work. Appreciate your reply.
We use a dedicated computer for our banking through the Safe mode of Kaspersky. All the banks and credit companies we access implemented the 2FA some time ago. The second verification has options to send codes to email, home phone or mobile. One company keeps asking if we trust the device. I was initially disturbed with the extra layer, but realised it is an imposed security feature, Mindblower!