Stop blaming users for choosing weak passwords
Educating users is not enough; websites should help users create strong passwords
Often I read articles in which people are shamed for the weak passwords they use and often reuse across different websites. Year after year the most common passwords, found in millions of breached records, are terrible.
Why do people keep using such weak passwords?
Blaming and shaming users doesn’t help them create stronger passwords. Luckily, more and more effort is being made to raise awareness of password security. Even non-technical, mainstream media advise users on secure password management practices.
Unfortunately, this is insufficient to solve the problem. Despite all these efforts, the list of poor passwords has been virtually unchanged for years. The number of people who really improve their password security habits is still very small.
But why is that? Simply because we keep focusing on fixing the “human weakness”. And that’s wrong. We need to accept that only a fraction of people are concerned about security and that most people see a password simply as an obstacle to using a particular website. They will do the bare minimum to fulfill the password requirements imposed by a site.
This large group of non-security-savvy users must be helped. Some websites already offer additional layers of user account protection, for instance two-factor authentication (2FA). But activating security measures like 2FA only offers additional protection for an account on a particular website. It doesn’t protect users against (re)using weak passwords.
As long as most websites don’t support users in creating strong passwords, we will keep seeing these lists of poor passwords and nothing will change fundamentally.
Implement password security best practices
There are still many websites that allow weak passwords. A lot of them use password complexity requirements introduced in 2003 by NIST, the US National Institute of Standards and Technology. Typically it’s something like: at least one number, one special character, one lower-case and one upper-case letter, which makes “P@ssword1” a valid password. These practices are clearly outdated, and last year NIST updated them after the original author said he regretted his advice. We also often see a maximum password length and an insufficient minimum length being imposed.
It’s about time that more websites implement at least the following current password best practices as defined by NIST:
Allow at least 64 characters to support the use of passphrases.
Don’t impose password complexity rules.
Check passwords against a list of commonly-used, expected, or compromised passwords.
The first two points need no further explanation; the third might seem harder to realise at first sight. However, Troy Hunt provides a list of 517,238,891 breached passwords to check against.
We must keep educating users about password management best practices. But that is not sufficient: the authentication processes on websites should require users to choose strong passwords.
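To make the contrast concrete, here is an added example (not code from the original post or from any project it mentions) that puts the 2003-style complexity rule next to a check built on the three practices listed above. The minimum of 8 characters and the ceiling of 256 are assumptions for the example; the post only says current minimums are too short and that at least 64 characters must be allowed. The breached-password list is a constructed handful of entries stored as uppercase SHA-1 hex digests, the form in which the Pwned Passwords download is distributed.

```python
import hashlib
import re
import unicodedata

# Constructed sample standing in for a breached-password list. Entries are
# uppercase SHA-1 hex digests, as in the Pwned Passwords download; a real
# deployment would load the full list rather than these five strings.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
    for p in ("123456", "password", "P@ssword1", "qwerty", "letmein")
}

MIN_LENGTH = 8    # assumed floor; the post only says current minimums are too short
MAX_LENGTH = 256  # assumed ceiling, comfortably above the 64 the post asks for


def legacy_complexity_check(password: str) -> bool:
    """The 2003-style rule set the post criticises: one digit, one special
    character, one lower-case and one upper-case letter, nothing else."""
    return all(
        re.search(pattern, password)
        for pattern in (r"\d", r"[^A-Za-z0-9]", r"[a-z]", r"[A-Z]")
    )


def nist_style_check(password: str, breached: set[str] = BREACHED_SHA1) -> tuple[bool, str]:
    """Apply the three practices listed in the post and return (accepted, reason).

    No character-class rules: only length bounds and a blocklist lookup.
    """
    # Normalise before measuring or hashing so the same text typed on
    # different keyboards compares equal (NFKC, as NIST recommends).
    password = unicodedata.normalize("NFKC", password)
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    if len(password) > MAX_LENGTH:
        return False, f"longer than {MAX_LENGTH} characters"
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    if digest in breached:
        return False, "appears in a list of breached passwords"
    return True, "accepted"


if __name__ == "__main__":
    for candidate in ("P@ssword1", "correct horse battery staple"):
        print(f"{candidate!r}: legacy={legacy_complexity_check(candidate)}, "
              f"nist={nist_style_check(candidate)}")
```

Run as a script, the legacy rule accepts “P@ssword1” and rejects the four-word passphrase, while the blocklist-based check does the opposite. In production the lookup would be made against the full list (or its k-anonymity API) rather than an in-memory set, and the hash should never be logged.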
It’s only when more websites and apps guide users in choosing strong passwords that we will see real progress.