We are taught to create the strongest passwords we can think of: no sequential letters or characters, at least six to eight characters long, and changed every so often, perhaps every couple of months. However, according to recent security research, this conventional wisdom may in fact be making users more vulnerable, because it disregards more serious threats on the Internet, including the spread of malware.
Researchers are saying that the idea of a strong password gives us a false sense of security against more potent threats, including malware such as keyloggers, which record your keystrokes and send your password to an attacker. A keylogger does not care whether a password is strong or weak: once the malware is running on your computer, weak and strong passwords are captured just the same.
Cormac Herley of Microsoft Research says that “keeping a keylogger off your machine is about a trillion times more important than the strength of any one of your passwords.”
According to Herley, it isn’t users who need educating about computer security but the system administrators who write the password rules. Forced to create complex, lengthy passwords, change them every few months and never reuse one, users write their passwords down somewhere else, such as a journal, a notebook, or an easily found Word document on the computer. Those passwords are then less secure, and anyone who discovers or stumbles on one can gain unauthorized access to the system. As Microsoft Research puts it, “when the voices that advocate for usability are absent or weak, security measures become needlessly restrictive.”
In fact, commerce and banking sites, the very places where users would assume strong passwords are most needed, often do not impose these “strong” password requirements. Amazon.com, Paypal.com, and Fidelity Investments all allow shorter, and in that sense weaker, passwords. Those passwords are more user friendly and aid usability without compromising security, because the sites defend against brute-force guessing in other ways: locking the account after a run of consecutive failed login attempts, or requiring a PIN or another security measure.
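The lockout mechanism described above is easy to reason about once it is written down. The following Python is an added example, not code from the article or from any of the sites it names: a minimal account-lockout gate plus a simulation showing how many guesses an online attacker actually gets, regardless of how fast they submit them. The account name, password, thresholds (5 failures, 15-minute lockout) and the PBKDF2 work factor are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass

MAX_FAILURES = 5          # consecutive wrong passwords before the account locks (assumed policy)
LOCKOUT_SECONDS = 900     # how long the account stays locked: 15 minutes (assumed policy)
PBKDF2_ROUNDS = 100_000   # work factor for the stored password hash (assumed)


@dataclass
class AccountState:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server stores only salt and digest, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class LoginThrottle:
    """Account-lockout gate: after MAX_FAILURES consecutive wrong passwords the
    account is locked for LOCKOUT_SECONDS. While locked, even the correct
    password is rejected, so submitting guesses faster does not help an attacker.
    The clock is injectable so the policy can be simulated without sleeping."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.accounts = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = AccountState(salt, hash_password(password, salt))

    def login(self, user: str, password: str) -> str:
        """Returns "ok", "fail" or "locked"."""
        acct = self.accounts.get(user)
        now = self.clock()
        if acct is None:
            return "fail"            # same answer as a wrong password: do not leak which usernames exist
        if now < acct.locked_until:
            return "locked"          # no hash comparison at all while the account is locked
        if hmac.compare_digest(hash_password(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
        return "fail"


def max_online_guesses(seconds: int, max_failures: int = MAX_FAILURES,
                       lockout: int = LOCKOUT_SECONDS) -> int:
    """Upper bound on guesses the server will evaluate against one account during
    [0, seconds): MAX_FAILURES per lockout window, however fast the attacker submits."""
    windows = -(-seconds // lockout)   # ceiling division
    return windows * max_failures


class FakeClock:
    """Manually advanced clock so the simulation finishes in milliseconds."""
    def __init__(self):
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


def simulate_brute_force(seconds: int, guesses_per_second: int = 1) -> int:
    """Attacker submits constructed wrong guesses at a fixed rate for `seconds`;
    returns how many of them the server actually evaluated against the stored hash."""
    clock = FakeClock()
    gate = LoginThrottle(clock)
    gate.register("alice", "correct horse")   # constructed account and password
    evaluated = 0
    for t in range(seconds * guesses_per_second):
        clock.now = t / guesses_per_second
        if gate.login("alice", f"guess-{t}") != "locked":
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for rate in (1, 10):
        print(f"{rate} guess/s for one hour: {simulate_brute_force(3600, rate)} guesses evaluated "
              f"(bound {max_online_guesses(3600)})")
```

Running the simulation shows that an attacker guessing once a second and one guessing ten times a second both get exactly 20 password checks in an hour, and 480 in a day: the lockout, not the password's entropy, sets the budget for online guessing. Two caveats a practitioner should keep in mind. First, a per-account lockout is a denial-of-service lever, since anyone who knows a username can lock its owner out by sending wrong passwords; real deployments soften this with per-source rate limits, increasing backoff, or CAPTCHA instead of a hard lock. Second, the gate only bounds online guessing: it does nothing against a keylogger, which captures the right password on the first try (Herley's point), and nothing against offline cracking of a stolen password database, where length and the hash work factor still matter.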