Password theft and misuse is so widespread, when only a few million are stolen in one cyber heist, it doesn't even make the news. Today, it has to surpass -- or claim to surpass -- a billion, I guess.
Articles in the wake of such scintillating criminal exploits tend to advocate the same bad remedies. If I see someone recommend a long and complex password again, I think I'm going to puke.
[ Also on InfoWorld: Passwords aren't the problem -- we are. | Watch out for 11 signs you've been hacked -- and learn how to fight back. Find out how in InfoWorld's PDF special report. | Keep up on the latest threats and solutions for your systems with InfoWorld's Security Central newsletter. ]
Ignore, for the moment, that I recommended the same many years ago. Times have changed.
How password hacks happen today
Password hacking has been with us as long as we've had passwords. For the most part, the chosen means were password guessing or cracking -- that is, converting from some other intermediate form to the plaintext equivalent. But methods have advanced over time.
Sure, you still have human hackers (or malware) that attempt to guess people's passwords, sometimes highly successfully. For example, one of the most popular malware programs, Conficker, successfully compromised hundreds of thousands to millions of drive shares using about 100 hard-coded, simple passwords. Password guessing still works -- but it isn't the primary method used today.
These days, most cases of password theft occur in one of two ways: phishing or credential database compromise. Phishing mostly occurs when an email message or website induces the reader to enter legitimate credentials into a faked logon prompt. You'd think everyone in the world could spot phishing attacks by now, but according to this report, they continue at record levels. Certainly many of the successful APT (advanced persistent threat) attacks begin as spear phishing. Social media sites and rogue applications allow phishers to be as successful as ever.
But the most common way that hackers successfully steal passwords (or their usable intermediate forms, such as hashes) is through theft of credential databases. They either break into a website or into a private directory space and download stored passwords/hashes. These two types of attacks account for nearly all password theft attacks today. Nearly every other method is noise. The days of human attackers pretending to be Matthew Broderick in "WarGames" are long gone.
Which defenses are most successful against credential theft? Well, using overly long and complex passwords is not one of them. Attackers will merely steal your overly long and complex password and say it was nice doing business with you.
This is not to say that using a nonsimple password is bad. It can only help. But if you choose a password that can't be immediately guessed in the first few hundred guesses, you're usually fairly well protected.
My password of "keylargo" is going to provide as much defense against the largest threats as "Key$Largo14$!." Yes, longer and more complex passwords will frustrate more password guessers and crackers, but these threat risks are not measurable noise in most environments.
Am I saying users don't need overly long and complex passwords? Yes, that's exactly what I'm saying.
Now, I know security experts around the world can't wait to explain why I'm wrong. But if most passwords are stolen directly from what the end-user enters or from the compromised credential database, how is having a longer or more complex password going to help?
I'll go further toward tightening my own noose. Most of the time, using "more secure" authentication protocols with stronger hashes and algorithms will gain you very little. Switching from DES to Bcrypt gains you little. Switching from password hashes to Kerberos tickets gains you very little. That's because today's password attackers aren't attacking weaknesses in the protocols. Using a stronger authentication protocol doesn't get you much.
How do I know? Because the vast majority of companies use these stronger protocols today, but it hasn't stopped billions of passwords from being stolen this year alone. I haven't heard a single security pro lament: "If only we had used Bcrypt or Kerberos, we would not have had our credential databases compromised." You won't hear that ever. It's an old solution for a problem that hackers no longer care about.