We talk about how what was good enough 20 years ago isn't good enough today. It's amazing when you think about it and no doubt, soon enough we'll be saying "What was good enough 3 years ago, isn't good enough for today!"
Things are evolving exponentially faster today. The technology that allows the attackers to crack PWs is evolving at light speed compared to 20 years ago.
I feel that MFA will become the base standard for authentication and access control within the next few years. If you don't have it, you'll be considered way behind and COMPLETELY vulnerable to brute force attack.
I think the battle is to try and walk the familiar line between ease of use versus security. I agree the overly complicated NIST requirements and the horrible password practices that it spawned were actually detrimental to good password practices. It has to be at least 14 characters long, 1 from each group, no character repeated more than twice in a row, not a common dictionary word or a L33T version of said words, AND don't write it down. Oh yeah, have another one ready to go in 90 days because we are going to make you change it and it can't be any of the last 10 really difficult but easy to remember passwords that you came up with.
I write my passwords down in a big book. WHAT? You say?
I reuse passwords? Again you may be shaking your head saying that I am violating all of the "good" password rules we learned while preparing for the CISSP. But here's my catch:
If you got hold of my book you would not be able to log in with any of them without cracking my code. Basically it is more of a password hint book. When I reuse my passwords I do it because I group like-minded accounts together, i.e. all of my learning/training accounts use the same password, so if you were able to crack my code you would only gain access to my learning accounts. And the passwords for my financial accounts are way different (and I do not reuse a password for the important accounts, or vary them enough that you would lock them out before guessing). Each email address has a different password. My password reset requests are sent to my phone and a backup email address.
We have got to find ways to help people come up with more secure methods for using passwords while at the same time making it easier for them. I like the example showing how using a simple phrase can make it harder for the attackers to crack but easier for the user to remember. I am a big believer in using hidden-in-plain-sight passwords. Got a favorite phrase on a sign in your office? "Those Who Do Not Remember History Are Doomed To Repeat It. - Albert Einstein. 1947." = TWDNRHADTRI-ae1947; that would be pretty hard for a machine to crack but right where the person using the computer could see it or remember it. (And please do not assume that that was a correct quote and attributed to the correct person and timeframe, I just made it up to provide an example.) Teach the users how to make it simpler and easier for them. Also educate on how a hacker would compromise their accounts. Go through the process they would use. Show them the vulnerable points in their thought process around passwords. Show them how answering a seemingly innocent quiz/survey on Facebook of "what kind of Princess are you?" could be getting them to disclose the answers to the security questions on their verification process for password resets (i.e. "What is your favorite color?", etc.).
The answer lies in education. If you are not involved in your new employee education process at work, get involved. Ensure what the new employees are given is timely and useful. If you hear misinformation being given out at family gatherings, speak up and educate them.
I use a password safe myself. Bear in mind this approach has some pros/cons also.
The good part:
1) Human Memory: I can track 200 unique passwords in a single spot. I really only have to remember the password to get into the password safe.
2) Password Generators: I can have the safe automatically generate random passphrases of appropriate length that also fit the varying complexity requirements for each account.
3) Personal Dictionary: As sites get different passwords, an attacker can use my cracked passwords as a personal dictionary attack to try to crack sites with better security using my password patterns from sites with weak security.
The items to watch:
A) Encryption Strength of the Password Safe: AES 256 or better is recommended.
B) The Password of the Password Safe needs to be really, really, really, strong. It protects all other accounts you have access to. It should actually be no less strong than any account with the safe.
C) Password Capture: the system where the password safe resides is the gold mine for a key logger or protected-memory capture in clear text of the password for the password safe. Triple up on system hardening of the system with the password safe. Information Security operations are finding hacked smart phones of systems administrators where the password safe was downloaded and the password captured, usually by a key logger.
D) Automatic password entry into a website, tool for a reduced sign-on experience means that the browser cache is a prime target for capturing passwords.
Recommendations for safer uses of Password Safes or Encrypted Drives with vital data files:
1) Never, Ever store the password for a password safe in a Key Chain, Browser Cache, etc. MEMORIZE the beastly password.
2) Use Physical Security to protect the system with a password safe. A dual-mode attack could seek physical access to the system to download a copy and then, off-site, submit the safe to cracking efforts. The physical security measures should be aimed to give you a tip-off that this has happened so the safe contents and safe password can be changed faster than the crack can succeed.
3) The password safe is not an excuse to relax on password strength: complexity, length or uniqueness per site. If 74% of users have the same password for their online banking as they use on other sites -- like Facebook -- then all the attacker needs to do is hack Facebook, then guess your bank. Your safe will not help you protect passwords from hacks of weaker websites. Use the safe to your advantage and be unique per site.
4) Go long even if the password is randomly generated. Pre-computed rainbow tables can still crack passwords whether they are in your safe or not. One digit longer than an attacker's rainbow table saves the day.
@arctific The point with the password safe is you cut the number of passwords you have to remember down to 1 (the vault password), which you can then choose carefully and make as complex as you like.
Most of my previous comments were paraphrasing the latest advice from the UK NCSC, and my favourite password activist Troy Hunt, but it's clear to see we have basically created a system where people are forced to create passwords that are hard for humans to handle and just as easy for computers to guess, leading to work-arounds with passwords like P45sw0rd101! which are in most crackers' first tranche of tries, but password strength meters call them secure.
The simple plan is:
Dispose of complexity and increase minimum length (more chars increases combinations to x^n; more options is only nx)
encourage the use of password vaults
only enforce password change on indication of breach
dis-allow known or common passwords
Troy's post ties it all together:
Password strength re-imagined
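As an added illustration of the "simple plan" in the comment above (not code from any commenter or from NCSC or Troy Hunt), this small Python checker enforces only a length floor and a known-password blocklist, with no character-class or rotation rules, and includes the search-space arithmetic behind "go long". The minimum length, the tiny blocklist and the leet-substitution map are all constructed assumptions for the example; a real deployment would load a breach corpus.

```python
import math
import re

MIN_LENGTH = 12  # assumed length floor that replaces complexity rules

# Constructed mini blocklist standing in for a breached/common-password corpus
COMMON_PASSWORDS = {"password", "password1", "password101",
                    "qwerty", "letmein", "123456"}

# Undo the substitutions people use to satisfy complexity rules (assumed map)
LEET_MAP = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i",
                          "!": "i", "0": "o", "5": "s", "$": "s", "7": "t"})


def normalize(password: str) -> str:
    """Drop trailing digits/symbols, lowercase, and undo leet substitutions,
    so 'P45sw0rd101!' is compared against the blocklist as 'password'."""
    base = re.sub(r"[^A-Za-z]+$", "", password)
    return base.lower().translate(LEET_MAP)


def is_common(password: str) -> bool:
    """True if the password, raw or normalized, is on the blocklist."""
    return password.lower() in COMMON_PASSWORDS or normalize(password) in COMMON_PASSWORDS


def check_password(password: str) -> list:
    """Return rejection reasons; an empty list means the password is accepted.
    Deliberately no 'one from each group' rule and no 90-day expiry."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if is_common(password):
        reasons.append("matches a known/common password after undoing leet substitutions")
    return reasons


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """log2 of alphabet_size ** length: the search space of a random password.
    Shows that adding length (the exponent) beats adding character classes (the base)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ["P45sw0rd101!", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(pw, "->", check_password(pw) or "accepted")
    print("26^8 :", round(keyspace_bits(26, 8), 1), "bits")
    print("95^8 :", round(keyspace_bits(95, 8), 1), "bits")
    print("26^16:", round(keyspace_bits(26, 16), 1), "bits")
```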