What?? My takeaway is that your password matters quite a lot, you need to use a password manager to generate strong, unique passwords, and turn on MFA everywhere you can. Not “your passwords don’t matter”
Check out the table. I believe the bottom line is, that length and symbols and all those restrictions don't add any security because the relevant threats are not password probing.
Password cycling studies show that it generally weakens passwords and only increases the likelihood that fallible human beings recycle the same (variations of) passwords across multiple services.
About all this article shows that is the only "complexity" test that matters is that a password shouldn't be in the Top X most used passwords, and X may be as low as 10 (much less the thousands you can easily check with Pwned Passwords) if you are attempting (distributed) password spray detection in your login systems, MFA, etc.
> Your password doesn’t matter except for password spray (avoid the top guessed passwords with a dictionary checker of some kind) or brute force (use more than 8 characters, or use a password manager if you are really nervous). That’s not to say your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or re-used.
To be charitable to the article: people who are not security-minded often make password decisions that "don't matter". You advise your grandpa to do better than "password" and he might move to "Password1!". You advise him to not reuse passwords...and that's really hard without a password manager, so he reuses passwords.
But yeah, your password choices very much matter and those choices can foil {credential stuffing, password spray, brute force}, which is admitted but downplayed in the article.
Considering that most people reading the article will be security-minded, a far better title would have been "Your Users' Password Choices Often Don't Matter".
While there's nothing new here, it's good to see some real numbers from a big organisation. It shifts the discussion about effectiveness from opinions to fact. Next time someone says 'no on does that' or 'costs way too much in practice' we can point to this.
You need a way to sync them on multiple computers, use them as a guest (eg when you've borrowed a machine temporarily), do recovery flows, manage their regeneration and rotation, generate unique certs per site, basically all the management hurts. As a web site, you also have to teach everyone in the world how they work, and who wants to be the first to do that?
One day WebAuthn might be usable for all the things. I want that to come soon but it is not here yet.
15 comments
[ 1172 ms ] story [ 919 ms ] threadContent: your password matters very much
What?? My takeaway is that your password matters quite a lot, you need to use a password manager to generate strong, unique passwords, and turn on MFA everywhere you can. Not “your passwords don’t matter”
although one that cycled passwords regularly would presumably do the trick.
Though the takeaway in the article is that you really only need to check Top X and Top X may be as low as 10 assuming other mitigations are in place.
About all this article shows that is the only "complexity" test that matters is that a password shouldn't be in the Top X most used passwords, and X may be as low as 10 (much less the thousands you can easily check with Pwned Passwords) if you are attempting (distributed) password spray detection in your login systems, MFA, etc.
> Your password doesn’t matter except for password spray (avoid the top guessed passwords with a dictionary checker of some kind) or brute force (use more than 8 characters, or use a password manager if you are really nervous). That’s not to say your password isn’t terrible. It’s definitely terrible, given the likelihood that it gets guessed, intercepted, phished, or re-used.
At the bottom of the article.
But yeah, your password choices very much matter and those choices can foil {credential stuffing, password spray, brute force}, which is admitted but downplayed in the article.
Considering that most people reading the article will be security-minded, a far better title would have been "Your Users' Password Choices Often Don't Matter".
One day WebAuthn might be usable for all the things. I want that to come soon but it is not here yet.
Are there any notable exceptions, where attackers don't have the db, but can probe pretty quickly?