Cyber security experts reveal the most common password misconceptions
It’s time to rethink everything you know about passwords. Using a mixture of upper- and lower-case letters, always including numbers and symbols, and never writing your passwords down might sound like common-sense advice. However, cyber security experts say that many common beliefs around password creation fuel the very problems they aim to solve.
“Current ‘password rules’ ignore the realities of human behaviour, and drive people towards practices that play into the hands of hackers,” says Anthony Green, Chief Technology Officer at cyber security firm FoxTech.
“People are not robots, and users almost always prioritise ease of use over security concerns. Using and creating passwords has become an almost constant activity in our daily life. We are required to make accounts each time we use a new service, try a new activity, complete a purchase, or even order in a restaurant. A person’s memory – and patience – has its limits. When juggling so many passwords, it’s not surprising that users are forced to create strategies that help them navigate their huge numbers of accounts more easily.”
So, what is the most common problem?
“The biggest issue is password reuse – where people use the same password, or variations of it, for all their online accounts. If a hacker gains access to one password – whether that’s through automated password spraying, a phishing attack, or even purchasing it on the dark web – it puts all your sensitive data at risk.
“Most users already know that this is an issue – but they still don’t change their behaviour. Only someone with a supernatural memory could follow the current rules without having to click ‘I forgot my password’ on each new sign-in. So, it’s clear that something needs to change.”
What pieces of advice are missing the mark? FoxTech reveals the top three password misconceptions, and what users should do instead:
Misconception #1: ‘You should never write your passwords down’
Anthony comments:
“The rationale behind this advice was that, if anyone found your list of passwords, they would use it to access all your accounts, so memorising them was the safest option. While this might have been useful advice 20 years ago, when most people had a limited number of accounts, it’s not so useful today. If it’s a choice between keeping a physical record of all your login details, and using the same password for everything, then keeping physical records is far preferable.
The solution: Write your passwords down!
“Of course, there is still a risk associated with keeping a record of your passwords, but if physical records get lost or stolen, you will know that it has happened, and can immediately change your passwords. If a hacker finds out your login details online, it’s likely that they will access your accounts before you even realise that your passwords were stolen.
“If you can, commit your most important passwords to memory, such as online banking logins.”
Misconception #2: ‘Complexity requirements make it hard for hackers to guess your password’
“Complexity requirements are not necessarily making your passwords safer,” says Anthony.
“Most services have similar complexity requirements, and hackers know that most people respond to those requirements in a predictable way, such as adding an exclamation mark to the end of a word or making the first letter upper case. These requirements also drive password reuse, because the more complex a password has to be, the harder it is to remember. So, users just create one password that fulfils most requirements, and use it again and again.
The solution: Use ‘Three Random Words’
“The National Cyber Security Centre campaign, Three Random Words, advises people to create passwords from a string of three unrelated words, such as glasscattree or plantbluewheel. This strikes the balance between creating a password that is random and secure enough to keep cyber criminals at bay, but also easy to remember.
“Of course, this isn’t always possible when so many services demand certain complexity requirements, so companies that require users to create passwords should recognise the need for change, and make it easier for their customers to build better password habits.”
Misconception #3: ‘Regular password updates throw hackers off the scent’
Many workplaces and schools require regular password updates – asking users to create a new password to access their device after a period of time has passed. However, Anthony states that this does little to aid security.
“Organisations that do this have a much larger volume of password data stored in their servers, and it can become hard to keep track of what data you have. Password databases can easily become lost, forgotten and insecure.
“If hackers gain access to a legacy password database, they can easily use old passwords as clues to guess current passwords – especially as most people simply use the same password each time, adding rising digits to the end. So Password1 changes to Password2.”
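The predictable re-decorations described above (a capital first letter, a trailing exclamation mark, rising digits, a few letter-for-symbol swaps) can be caught at the point where a user changes a password. The following is an added example and not FoxTech’s or the NCSC’s code; it assumes an organisation keeps the previous passwords it wants to compare against, and the sample passwords are constructed for illustration.

```python
import re

# Common letter-for-symbol substitutions users make to satisfy complexity rules.
_LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})
# Digits and symbols that are typically bolted onto the end or start of a word.
_TRAILING = re.compile(r"[\d!@#$%^&*?._-]+$")
_LEADING = re.compile(r"^[\d!@#$%^&*?._-]+")


def normalise(password: str) -> str:
    """Reduce a password to the base word the user most likely started from.

    'Password1!' -> 'password', 'P@ssw0rd2' -> 'password', 'Summer2024' -> 'summer'.
    """
    core = _TRAILING.sub("", password)
    core = _LEADING.sub("", core)
    core = core.translate(_LEET)
    return core.lower()


def is_predictable_variant(old: str, new: str) -> bool:
    """True if `new` is just a re-decoration of `old` (e.g. Password1 -> Password2)."""
    if old == new:
        return True
    a, b = normalise(old), normalise(new)
    if not a or not b:
        return False  # nothing but digits/symbols remained; no word to compare
    if a == b:
        return True
    # The old core word reused inside a longer one ('Password' -> 'MyPassword9').
    return min(len(a), len(b)) >= 4 and (a in b or b in a)


def rejects_change(history: list[str], new: str) -> bool:
    """Reject a password change if the new password is a variant of any earlier one.

    `history` is the constructed list of a user's previous passwords that an
    organisation would compare against instead of simply forcing rotation.
    """
    return any(is_predictable_variant(old, new) for old in history)


if __name__ == "__main__":
    previous = ["Password1", "Summer2023!"]          # constructed sample history
    for candidate in ["Password2", "summer2024!", "glasscattree"]:
        verdict = "rejected" if rejects_change(previous, candidate) else "accepted"
        print(f"{candidate}: {verdict}")
```

Three unrelated words such as glasscattree pass the check because they share no base word with the earlier passwords, while the rising-digit and capitalisation variants are rejected.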
The solution: Disable password updates and replace them with two-factor authentication
“Unless you can ensure that users will create an entirely new password each time, it’s better to disable password updates completely.
“Instead, install two-factor authentication (2FA). It adds an extra layer of security to your online accounts, meaning that even if your account passwords are compromised, a cyber criminal won’t be able to breach an account without access to a linked device. While employees might view 2FA as a frustrating additional step to sign in, it really is one of the most effective ways of preventing a password breach. You can enable 2FA for free on Microsoft accounts, Google accounts, and Apple products.”