First, let’s begin by taking a look backwards.
The history of passwords
Years ago the prevailing wisdom held that a password must:
- Be changed often (ideally every 30 days, but at least every 90 days)
- Be at least 8 characters long
- Contain upper and lower case letters, as well as numbers, and also punctuation or special symbols
- Not be the same as any of the last few passwords (e.g. the last 8, or ideally even more)
- Not be written down
- Not be re-used on any other system
To enforce the password-history rule, systems would be configured to both:
- Remember the last several passwords (to prevent the user from re-using them), and
- Block the user from changing their password more than once every few days
The latter was put in specifically to stop users making several password changes in a row to cycle back to a password they had before, which would defeat the “must not re-use the previous several passwords” rule.
If that sounds like a case of the security team fighting against the users, that’s because it is, and it led to poor security outcomes.
What happened as a result of the password requirements
As can be expected, it’s not the users’ job to think up random-looking passwords, and people are terrible at it.
The combination of “must not write anything down” and “create a complex password” plus “do not reuse the password anywhere” creates a conflict that leads to one or more of the requirements being dropped.
So we ended up with either:
- Users try to make a password so complex they can’t remember it, and so they write it down
- Users do not write down their passwords and instead make easy-to-remember ones such as “Snowball01$” or the infamous Microsoft default password “P@$$w0rd”
- The requirement that a password mustn’t be re-used elsewhere is unenforceable, and because users were told never to write passwords down, the outcome was that passwords were re-used
An additional outcome: on systems where the user couldn’t contact a system administrator for a password reset, users were typically allowed to recover their password by answering “secret questions”, which in the age of Facebook and LinkedIn turned out to be reasonably easy to find answers to.
Passwords in the modern age
In 2017, new password guidance was published by the National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce.
Microsoft quickly released their own password guidance which mostly echoed the NIST recommendations.
To sum up, the guidance says that:
- Passwords should not be changed on a schedule, but should be changed after a suspected breach
- There should be no composition requirements and any characters should be allowed; however, passwords known to have been leaked should be rejected
- Length is encouraged, and systems should allow passwords of at least 64 characters
- Paste should be allowed in password fields
Additionally, “secret questions” should not be used, and neither should SMS verification or password hints.
While the NIST guidance is a few years old now, it is still a radical change from how passwords were expected to be used, and it may not be feasible to adopt all of its recommendations if your business has compliance requirements that conflict with it.
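As an added example (not code from the original article), here is a Python sketch of the two policies side by side: the legacy composition rules, and a NIST-style check that imposes no composition rules but rejects any password found in a breach corpus. The leaked list is a constructed sample standing in for a real corpus; the five-character hash-prefix lookup mirrors the k-anonymity “range query” design of the Have I Been Pwned API, but is simulated locally here so the code runs offline. Function names are my own.

```python
import hashlib
import string

# Constructed sample of leaked passwords. A real deployment would use a breach
# corpus such as the Have I Been Pwned list, which is distributed as SHA-1 hashes.
LEAKED_PASSWORDS = ["P@$$w0rd", "Snowball01$", "password", "123456", "qwerty"]
LEAKED_SHA1 = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in LEAKED_PASSWORDS}


def legacy_policy(password: str) -> list:
    """Pre-2017 style rules: at least 8 characters and all four character classes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no punctuation or special symbol")
    return problems


def sha1_prefix_and_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into a 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def suffixes_for_prefix(prefix: str) -> set:
    """Simulates the breach service's range query: given only the 5-char prefix,
    return the suffixes of every leaked hash starting with it. The client never
    sends the full hash, so the service cannot learn which password was checked."""
    return {h[5:] for h in LEAKED_SHA1 if h.startswith(prefix)}


def is_leaked(password: str) -> bool:
    prefix, suffix = sha1_prefix_and_suffix(password)
    return suffix in suffixes_for_prefix(prefix)


def nist_policy(password: str, min_len: int = 8, max_len: int = 128) -> list:
    """NIST-style rules: a length floor, a generous ceiling (must be at least 64),
    no composition requirements, and rejection of known-leaked passwords."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(password) > max_len:
        problems.append(f"longer than {max_len} characters")
    if is_leaked(password):
        problems.append("found in a breach corpus; choose a different password")
    return problems


if __name__ == "__main__":
    for candidate in ["P@$$w0rd", "correct horse battery staple"]:
        print(candidate, "| legacy:", legacy_policy(candidate), "| nist:", nist_policy(candidate))
```

Note the reversal: “P@$$w0rd” satisfies every legacy composition rule and fails the NIST check, while a long lower-case passphrase fails three legacy rules and passes the NIST check.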
Current best practice is the use of password managers.
This is enabled by the NIST recommendation of allowing the use of paste in password fields.
Use of password managers goes directly against the established idea of never writing the password anywhere.
However, using a password manager enables the user to:
- Have a unique password on every system
- Have a very strong password on every system
A password manager combines:
- A database of sites with their associated logins and passwords
- A browser extension that automatically fills in login forms
- Automatic update of its database when you change or add a site
- Cloud sync (the data is usually stored encrypted in the cloud and is accessible only to the user holding the master password).
The password manager generates a unique strong password of any length for every new system, and the user is not required to remember any of them.
All the user needs to remember is one single strong password (and, whenever possible, use multi-factor authentication).
Considering that it’s common for one user to have dozens if not hundreds of passwords, the security improvement is excellent, as is the user experience.
Another notable feature is that most password managers include online sync, so you have access to all your accounts on your laptop, phone and other devices. As most users use multiple devices, this feature is essential.
To sum up the typical features, using a password manager allows you to:
- Easily store new accounts and passwords, as well as which site they are for
- Easily generate unique long secure passwords and store them
- Easily change an existing password and save the new one
- Automatically sync to the cloud, making your accounts accessible on all your devices
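To make the generation and master-password points concrete, here is an added example in Python (not code from any of the password managers mentioned on this page): it generates a unique random password with the operating system’s CSPRNG, reports its entropy, and seals a small vault under a key derived from the master password with scrypt, so the stored data is unreadable without that one password. The encrypt-then-MAC construction uses an HMAC-SHA256 keystream purely so the example needs nothing outside the standard library; a real manager would use an AEAD such as AES-GCM or XChaCha20-Poly1305. The vault entries and function names are constructed for the example.

```python
import hashlib
import hmac
import json
import math
import secrets
import string

# Printable ASCII letters, digits and punctuation: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def derive_master_key(master_password: str, salt: bytes) -> bytes:
    # scrypt is memory-hard, which slows offline guessing of the master password.
    # n=2**14, r=8 uses about 16 MiB per derivation.
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=64)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a stand-in for a real stream cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(entries: dict, master_password: str) -> dict:
    """Encrypt-then-MAC the vault under keys derived from the master password."""
    salt = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_master_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ciphertext.hex(), "tag": tag.hex()}


def open_vault(sealed: dict, master_password: str) -> dict:
    """Verify the tag first; only then decrypt. A wrong password or any tampering fails here."""
    salt, nonce, ct, tag = (bytes.fromhex(sealed[k]) for k in ("salt", "nonce", "ct", "tag"))
    key = derive_master_key(master_password, salt)
    enc_key, mac_key = key[:32], key[32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or vault has been tampered with")
    plaintext = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(plaintext)


if __name__ == "__main__":
    # Constructed vault: one generated password per site, none of which the user must remember.
    vault = {site: {"user": "alice", "password": generate_password(24)}
             for site in ("mail.example", "bank.example")}
    print(f"24-char password entropy: {entropy_bits(24):.1f} bits")
    sealed = seal_vault(vault, "one strong master password")
    print(open_vault(sealed, "one strong master password") == vault)
```

The synced artefact is only the `sealed` dictionary: salt, nonce, ciphertext and tag. Whoever holds the cloud copy cannot read the entries without the master password, and the tag check ensures a modified copy is rejected rather than silently decrypted into garbage.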
Best Password Managers
There are multiple reputable password managers, and what’s best varies depending on your use case.
As a “Top 5” guide, consider one of the options below and see if it works for your needs.
1Password
Extremely popular, and the app works on multiple mobile and desktop platforms. 1Password starts from $3/month for an individual, and has a business offering as well.
LastPass
Almost as popular, and doesn’t even need a desktop app – only a browser extension. LastPass is priced similarly and also offers a business tier. LastPass has recently made a free tier available for individuals.
Bitwarden
Bitwarden, a new contender, offers a mobile app and desktop client like the others, but it also offers free individual and family tiers, and its paid options are generally cheaper. Bitwarden’s code is open source, so more technical users can host the service themselves.
Apple iCloud Keychain
Already built in to Macs and iOS devices; if you only use Apple devices, this may work well.
KeePassXC
This is a pure desktop application for one user (though a mobile app is available), and sync is done via external tools; this is an option for users who want fine control over when and how their data is synchronised and want all their passwords available offline at all times.
Final Thoughts on Passwords
If at all possible – use a password manager.
It allows you to easily have a unique password on every system, so that when one site is breached none of your other accounts are affected, and it means you don’t have to remember a separate password for every site either.
Business-tier password managers allow for easy password management within a team, streamline password changes when a staff member leaves, and make it easy to provision access for new staff members.