According to reports compiled by SplashData, the password ‘123456’ held the top spot as the worst password of 2015, 2016, and 2017. The runner-up in the worst password stakes for all three years was ‘password’.
The fact that people continue to use the same bad passwords highlights a real issue: our approach to keeping ourselves secure online isn’t working. However, it also suggests that many applications are failing their users by not helping them to protect themselves.
A recent blog post by Tomáš Foltýn highlighted a study in which Steven Furnell, a Professor of Information Security at the University of Plymouth, carried out an examination of password practices across a number of major websites. The study indicates that a number of the websites were still allowing users to use the password ‘password’.
So, if some of the big name websites aren’t helping users to create strong passwords, then it probably should be no surprise that we continually see the same bad passwords being used from year to year.
What should applications be doing to help users?
Some of you may read the above and be filled with dread at the thought of having to remember a horrendously complex password for every site you visit. This is a valid point. It can be difficult to add extra levels of security without making things more complicated, and invariably, if you do, people will find ways around them. For example, if every password field required a mixture of uppercase letters, lowercase letters, and numerals, then we may well see next year’s worst password being ‘Passw0rd’.
However, judging by the worst passwords, we aren’t even at that level yet, and it’s about doing more than the bare minimum. I think there are a number of very simple things applications can do to encourage users to create strong passwords without making things more complicated.
Firstly, a minimum length should exist, but applications should allow passwords to be as long as a user reasonably wants them to be. Insisting that passwords be shorter than a set number of characters only makes things difficult for users. If a user wants a 64-character password, then why not let them?
Secondly, applications should allow, but not force, users to use a combination of letters, numerals, and special characters (including spaces). Again, if a user wants to get creative with their password, you should allow it rather than confine them to a strict set of rules.
Thirdly, think outside the box. Some applications have added support for emojis in passwords. If it works for your users, then why wouldn’t you allow them to use an emoji?
Fourthly, your application should prevent users from choosing passwords such as their username, email address, or name, or any of the commonly known bad passwords that are published each year. By doing this you protect the user from bad password practice without being too rigid about what they can use.
Finally, your application should facilitate password managers. Whichever side of the fence you sit on regarding password managers, the fact is that many people use them. If your application doesn’t support them, the user is more likely to set a bad password for it, as that is the one they will need to remember. Similarly, it’s unreasonable to expect a user to create a strong password that they then have to type in. If a user wishes to paste a password they have copied from another location, you should let them.
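The five recommendations above collected into a single server-side validator, as an added example that is not code from the original post. The minimum length, the generous ceiling, and the short worst-password list are assumptions: the post names no figures, and the list here is a constructed sample standing in for the full published list it refers to.

```python
import unicodedata

# Constructed sample of a published worst-password list; a real deployment would
# load the complete yearly list from a file rather than hard-code it.
COMMON_BAD_PASSWORDS = {"123456", "password", "passw0rd", "qwerty", "123456789"}

MIN_LENGTH = 8      # assumed floor; the post names no specific number
MAX_LENGTH = 1024   # assumed ceiling, high enough that a 64-character passphrase is never refused


def _identity_terms(username, email, name):
    """Values a user must not reuse as a password, compared case-insensitively."""
    terms = {username, email, name}
    if email and "@" in email:
        terms.add(email.split("@", 1)[0])   # local part of the address on its own
    if name:
        terms.update(name.split())          # each part of a multi-word name
    return {t.casefold() for t in terms if t}


def validate_password(password, username="", email="", name=""):
    """Return a list of rejection reasons; an empty list means the password is accepted.

    There are deliberately no composition rules: letters, digits, spaces and emoji
    are all allowed, and only the length bounds and the two blocklists apply.
    """
    reasons = []
    # NFKC so visually identical strings compare equal; length is counted in
    # code points so that an emoji counts as one character, not four bytes.
    pw = unicodedata.normalize("NFKC", password)
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    folded = pw.casefold()
    if folded in COMMON_BAD_PASSWORDS:
        reasons.append("appears on a published list of commonly used passwords")
    if folded in _identity_terms(username, email, name):
        reasons.append("matches the username, email address or name")
    return reasons
```

Nothing here inspects the client, so the final point (not blocking paste) is a matter of leaving the browser field alone rather than anything the validator can enforce.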