The inconvenient truth about passwords

Summary: Passwords are no longer that — words that allow passage. Last time I checked, words didn't contain random letters or symbols, but we continually treat passwords like they are still words for one reason: it's convenient. Convenience is the reason why passwords ultimately don't work, and why they'll continue to fail us.


(Enter your password image by Marc Falardeau, CC BY 2.0)

Inconvenience makes people do strange things. Having to wait at traffic lights sees people run across the road, risking life and limb just to get somewhere a few seconds faster. People allow packages to be "hidden" on their doorstep rather than collected securely from a post office. And people intentionally break the law to instantly download movies or music that they wouldn't mind paying for.

Inconvenience is the reason why no one wants to comply with strict password-complexity policies, or follow a number of so-called best practices.

On paper, complexity policies appear to solve the problem of password brute forcing: they enlarge the set of character combinations an attacker has to guess. That works against an attacker who exhausts the keyspace one character at a time, but most attackers don't work that way. They try dictionary words and the predictable ways people mangle them.

In reality, most people respond to a complexity policy by taking the password they already have and modifying it just enough to meet the minimum requirement. "password" becomes "Passw0rd!", or even "Passw0rd!Passw0rd!" to satisfy a minimum length.

Attackers use the processing power of computers to run entire dictionaries of words against login systems or, more often, against password hashes leaked from a breached database, where nothing rate-limits the guesses. Lists of the most common passwords, and of the mangling rules people apply to them, have been compiled to speed the process up further. For that reason alone, best practice dictates never using words as passwords, but that makes them horribly hard to remember unless some form of mnemonic is used, and even a mnemonic is susceptible to being obtained through social engineering.
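To show why a rule-based dictionary attack sidesteps the protection a complexity policy is supposed to buy, here is an added example in Python (not code from the article or from any tool it mentions). The wordlist, the substitution table and the suffix list are constructed for illustration and are a tiny stand-in for the wordlists and rule files real cracking tools ship with; the "leaked" hash is an unsalted SHA-1 of "Passw0rd!Passw0rd!", assumed to have come from a breached site that stored passwords that way.

```python
import hashlib

# Constructed wordlist: a tiny stand-in for the multi-million-entry lists
# built from real breaches. Order matters: most common words first.
WORDLIST = ["letmein", "password", "welcome", "monkey", "dragon"]

# Substitutions and suffixes people reach for when a policy demands
# "a digit and a symbol" (assumed, illustrative subset of a real rule file).
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
SUFFIXES = ["", "1", "!", "123", "2012", "!1"]


def sha1_hex(text):
    """Unsalted SHA-1 of a password, as a negligent site might store it."""
    return hashlib.sha1(text.encode()).hexdigest()


def mutations(word):
    """Yield the variants a user is likely to produce from one base word:
    case changes, leet substitutions, a short suffix, and doubling the
    result to satisfy a minimum-length rule."""
    bases = [word, word.capitalize(), word.upper()]
    for base in list(bases):
        # substitute every candidate letter at once ("p@$$w0rd")
        bases.append("".join(LEET.get(c, c) for c in base))
        # substitute a single lowercase letter ("Passw0rd")
        for i, c in enumerate(base):
            if c in LEET:
                bases.append(base[:i] + LEET[c] + base[i + 1:])
    seen = set()
    for base in bases:
        for suffix in SUFFIXES:
            for candidate in (base + suffix, (base + suffix) * 2):
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def crack(target_hash, wordlist, algo="sha1"):
    """Offline attack on an unsalted hash: no lockout, no rate limit, just
    hashing guesses until one matches. Returns (password, guesses) or
    (None, guesses) when the wordlist and rules are exhausted."""
    guesses = 0
    for word in wordlist:
        for candidate in mutations(word):
            guesses += 1
            if hashlib.new(algo, candidate.encode()).hexdigest() == target_hash:
                return candidate, guesses
    return None, guesses


def brute_force_keyspace(length, alphabet_size=95):
    """Guesses an exhaustive search would need for the same length over
    printable ASCII: the protection the complexity policy thinks it bought."""
    return alphabet_size ** length


if __name__ == "__main__":
    # Constructed "leak": the site stored SHA-1(password) with no salt.
    leaked = sha1_hex("Passw0rd!Passw0rd!")
    found, n = crack(leaked, WORDLIST)
    print(f"recovered {found!r} after {n} guesses")
    print(f"exhaustive search over 18 printable characters: "
          f"{brute_force_keyspace(18):.2e} guesses")
    # A genuinely random password is out of reach of the same attack.
    print(crack(sha1_hex("nF1HU;.N.YC^N`:HH9]rQt2^"), WORDLIST))
```

The mutated password that satisfies an "upper, lower, digit, symbol, 16+ characters" rule falls in a few hundred guesses, while the keyspace the policy nominally protects is 95 to the 18th power. The same attack, run against the random string from later in the article, exhausts the wordlist and finds nothing.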

So if passwords aren't words, what are they? Ideally, they are completely random, long, and drawn from the largest possible variety of characters, so that brute forcing them character by character is a painstaking task, and they contain nothing that could be deduced through social engineering.

But that raises another question. If a password like "nF1HU;.N.YC^N`:HH9]rQt2^" doesn't have anything to do with the user, what is the point of asking them to select a password?
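As an added example (not part of the original article), the following Python generates a password of the kind described above from a cryptographic random source and puts numbers on the difference: the entropy of a uniformly random string against the effective entropy of a dictionary word with a common mangling. The wordlist size, the mutations-per-word figure and the guess rate are assumptions chosen for illustration, and the complexity rule is a typical one, not any particular site's.

```python
import math
import secrets
import string

# Printable ASCII minus space: 52 letters, 10 digits, 32 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate(length=24, alphabet=ALPHABET):
    """Uniformly random password from a CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def structured_entropy_bits(wordlist_size, mutations_per_word):
    """Effective entropy when the password is a dictionary word plus one of
    a fixed set of manglings: the attacker only has to cover that space."""
    return math.log2(wordlist_size * mutations_per_word)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected exhaustive-search time; on average half the space is tried."""
    return 2 ** (bits - 1) / guesses_per_second


def meets_complexity_policy(pw):
    """A typical 'upper, lower, digit, symbol, 8+ characters' rule (assumed).
    It accepts 'Passw0rd!' and says nothing about entropy."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


if __name__ == "__main__":
    RATE = 1e9  # assumed: guesses per second against an unsalted fast hash
    pw = generate()
    print(pw, "passes policy:", meets_complexity_policy(pw))
    print("Passw0rd! passes policy:", meets_complexity_policy("Passw0rd!"))
    for label, bits in [
        ("24 random printable chars", entropy_bits(24, len(ALPHABET))),
        # assumed: 10,000-word list x 200 manglings per word
        ("dictionary word + mangling", structured_entropy_bits(10_000, 200)),
    ]:
        years = expected_crack_seconds(bits, RATE) / (365 * 24 * 3600)
        print(f"{label}: {bits:.1f} bits, ~{years:.3g} years at {RATE:.0e} guesses/s")
```

Two things fall out of the numbers. A 24-character random password carries about 157 bits and is out of reach at any guess rate, while a word plus a mangling is a 21-bit problem that a fast hash gives up in about a millisecond. And the policy check cannot tell the two apart: it passes "Passw0rd!", and a genuinely random string can occasionally fail it for lacking a digit or symbol.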

Historically, the reason for allowing users to pick passwords has been convenience. But what that means is that organisations across the globe, whether they realise it or not, have made the decision to trade security for convenience.

That convenience has cost us dearly.

I remember reading in horror (admittedly with a grin on my face at times) after the Sony PlayStation Network (PSN) hacks as people tried the passwords that had been leaked. Twitter abounded with people saying things like, "I just found a PayPal account with $50 in it!" or "Talking to this guy's girlfriend on Facebook. She has no idea". Users were finding out the hard way that using the same password across multiple sites was in some cases literally costing them.

If everyone stopped treating passwords like words and instead like the random, unrelated strings of characters that they're ideally meant to be, we would have an interesting turn of events.

Password uniqueness would be enforced. If your password was stored negligently and exposed on one service, it wouldn't necessarily mean that you were compromised on another. If someone wanted to break into your account, they would be left with no clues as to where to start, with the only option being to brute force their way in. It sounds like an ideal solution.

However, out of convenience, and there's that word again, people will have to find ways to store and manage their now unmemorable passwords. Where does this lead us? Passwords on post-it notes, or saved in browsers, some of which do little more than store them in plaintext. We've done little but shift the problem elsewhere, and possibly for the worse.

Optimistically, password managers like LastPass and KeePass may see greater use, but in their current state they aren't convenient enough for the average user: they make mobile apps a pain to use, and they require that their databases be accessible on whichever computer the user happens to be at.

Password managers are something I use, have grown used to, and would recommend to anyone who is tech savvy. They are probably our best hope for what we're stuck with at the moment. But for the majority, the idea of pairing a password database with a cloud-based storage service like Dropbox and setting up all their devices to run a compatible client is prohibitively complicated and not at all convenient for everyday use.

But even if everyone uses completely random passwords, adopts what is arguably the current best practice of using a secure password manager, manages to configure it and copes with the quirks that using it entails, there's still one fatal flaw that can cause everything to unravel: that password manager still needs a master password to open it. And out of convenience, there will still be those who pick a pretty poor one.


About Michael Lee

A Sydney, Australia-based journalist, Michael Lee covers a gamut of news in the technology space including information security, state Government initiatives, and local startups.

Discussion
  • Until web sites allow pass phrases as opposed to passwords (easier to remember and harder to crack) there's always password generators such as Deadbolt (

    This takes a memorable phrase and then turns it into a strong password using JavaScript.
  • I don't believe in passwords, only in OTP or WIM modules or smartcards.
    A new type of smartcard or SIM-card that can store few thousand certificates from various sites and sources - that would be nice. But it needs to be a major common standard, supported by governments (in IDs) or major trusted parties (Visa, MasterCard, Verisign) plus backed by Apple, Microsoft, Google. So far that's been too much to ask.
  • Unfortunately, passwords suffer from the same thing that every other security device/procedure does: the human element. In an ideal world, your password would be something that only you could possibly remember, but people's memories aren't that great and they resort to defaults like mother's maiden name, favourite character in a book/play/movie, date of birth and so on. The savvier ones may do some letter substitution ("1" or "!" for "I", "5" or "$" for "S", etc.), but the majority of us would just stick with plain passwords. It's like leaving your PIN, written on paper, in your wallet next to your ATM card.

    Of course, the less people know about you, the less chance of someone stumbling upon your password (security through obscurity), but this is just a false solution at best. Of course, smart cards can do the trick (especially if you can set it up so that a password is used once, dropped at logon, and re-written with a new password for the next logon), but this is a massively costly solution for all but the bigger corporations and governments.
  • Brute Force

    You have it back to front. The question should be:

    "Why is someone being allowed to brute force my password?"

    Why is someone being allowed 30 bits of attempts to break my, say, facebook password? At 10 seconds an attempt that should take forever (1 in gazillion)

    Let's say I put my password manager database on dropbox. Now somehow, someone gets that database (very unlikely, say 1 in 100000), now there is something they can brute force (1 in 1). I would have been better off using bad passwords.