
Security Think Tank: Complex passwords provide a false sense of security

In the light of the fact that complex passwords are not as strong as most people think, and that most password strategies inevitably lead to people following them blindly, what actually makes a good password and when is a password alone not enough?

While having a complex password is a good idea, it only protects you against guessing attacks on your account: dictionary lists and brute-force cracking attempts.

Complex passwords offer little protection should a site's password database become compromised. If the site stored passwords in plain text, or hashed them with a fast algorithm and no salt, your password is effectively public knowledge as soon as the breach is traded, and criminals add it to lists that they use when trying your credentials elsewhere (credential stuffing). Only a site that hashed passwords with a slow, salted algorithm buys a complex password any time at all, and you have no way of knowing in advance which kind of site you are dealing with. Credential stuffing is being done on a large scale, with highly efficient scripts running on pay-as-you-go cloud services. Your password can be tried out on thousands of popular websites, and millions of attempts can be made within minutes.

According to breach alerting site haveibeenpwned.com, just over five billion accounts have been exposed in breaches to date, and the passwords for them are now in attackers' hands. The scale of password breaches is huge. When a popular site is breached, hundreds of millions of accounts are typically compromised.
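Because a password that has appeared in any breach is worth nothing regardless of its complexity, the practical check is not "is this password complex?" but "has this password already leaked?". The following script, added here as a worked example (it is not from the article or from haveibeenpwned.com), shows how such a check is done without ever sending the password anywhere: the client hashes the password with SHA-1, sends only the first five hex characters of the hash, receives every suffix in that range, and matches the rest locally. It assumes the published Pwned Passwords range API (`GET https://api.pwnedpasswords.com/range/{prefix}`, one `SUFFIX:COUNT` line per match); the "breached" passwords and their counts in `CONSTRUCTED_BREACHED` are made up so the demo runs offline, and `fetch_range()` is the only function that touches the network.

```python
"""Breached-password check using the k-anonymity range model of Pwned Passwords.

Added example, not part of the original article. The live endpoint and response
format are the published ones; the sample corpus below is constructed.
"""
import hashlib
import urllib.request
from typing import Callable, Dict, List, Tuple

# Real Pwned Passwords endpoint; only fetch_range() contacts it.
PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """SHA-1 the password and split it into the 5-hex-char prefix that is sent
    to the service and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(range_text: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated in the real API) into a dict."""
    counts: Dict[str, int] = {}
    for line in range_text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # ignore malformed lines rather than crash on them
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, range_source: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 if never).

    range_source maps a 5-char prefix to the raw range text, so the same logic
    runs against the live API or against an offline sample."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(range_source(prefix)).get(suffix, 0)


def fetch_range(prefix: str) -> str:
    """Live lookup (needs network). Only the hash prefix is transmitted."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


# --- Constructed offline sample -------------------------------------------
# Made-up passwords and counts standing in for the service's corpus. Note that
# a complex-looking password is flagged exactly like a trivial one once it has
# appeared in a published list.
CONSTRUCTED_BREACHED: Dict[str, int] = {
    "password": 3_861_493,
    "Tr0ub4dor&3": 1_204,
    "Summer2018!": 876,
}


def build_sample_ranges(breached: Dict[str, int]) -> Dict[str, str]:
    """Group the constructed corpus by hash prefix, mimicking per-range responses."""
    ranges: Dict[str, List[str]] = {}
    for pw, count in breached.items():
        prefix, suffix = sha1_prefix_suffix(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    return {p: "\r\n".join(lines) for p, lines in ranges.items()}


SAMPLE_RANGES = build_sample_ranges(CONSTRUCTED_BREACHED)


def offline_range_source(prefix: str) -> str:
    """Stand-in for fetch_range(): a prefix with no matches yields an empty body."""
    return SAMPLE_RANGES.get(prefix, "")


def offline_breach_count(password: str) -> int:
    return breach_count(password, offline_range_source)


if __name__ == "__main__":
    for pw in ("password", "Tr0ub4dor&3", "correct horse battery staple"):
        n = offline_breach_count(pw)
        verdict = f"seen {n} times in breaches, do not use" if n else "not in sample corpus"
        print(f"{pw!r}: {verdict}")
```

To run it against the real corpus, pass `fetch_range` instead of `offline_range_source` to `breach_count()`. The service never sees the password or its full hash: with a five-character prefix, each query matches roughly one in a million of all SHA-1 values, so the returned range contains hundreds of unrelated suffixes and the client does the final comparison itself.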

Passwords alone are simply no longer good enough, and complex password strategies do little other than give people false assurance that their accounts are safe.

“Complex password strategies do little other than give people false assurance that their accounts are safe”
Tim Holman, 2-sec

If your favourite website supports an extra level of authentication, such as sending one-time codes to your mobile phone via text message (SMS), then use it. SMS is the weakest of the common second factors, since codes can be intercepted or redirected by SIM-swapping, so prefer an authenticator app or a hardware security key where the site offers one; but even SMS is a great deal better than a password alone. If a site offers no second factor at all, you should seriously consider not using that website or service, as it is very likely the owners have not thought through security in other areas either.

You must take steps to ensure that you are not using passwords alone on any critical site you use. With the advent of cloud services, this would include accounting software, customer relationship management (CRM) systems, file sharing services and social media. Take the time to write down every site you’ve used and take a systematic approach to removing accounts you no longer need. Then enable multifactor authentication (MFA) wherever possible.

The likes of Facebook are not going to enable it all on your behalf – the onus is on you. Take action, now.

