Stop absurd passwords: let's rethink web security.
Current Standards
Are the current criteria for passwords really effective? These rules have emerged over time to counter increasing and varied attacks, relying on recommendations from cybersecurity experts. However, they often reflect a dated approach that does not always consider user behavior. You know, those famous rules imposed by most online services: mandatory uppercase letters, numbers, special characters, and at least 8 characters. These constraints, far from enhancing security, push us to adopt dangerous habits. Let's see why these standards don't work and how to replace them with more secure solutions.
Is it bad to have a complicated password?
We reuse it everywhere
Faced with these constraints, what do we all instinctively do? We recycle our passwords. A recent study shows that nearly 60% of users reuse the same password for multiple services, thus increasing risks in case of compromise. Because let's be honest, how can we remember dozens of incomprehensible combinations? The problem is that this habit creates a huge vulnerability: if a single service is compromised, all our accounts are at risk.
We base our password on personal aspects
In trying to create something complex yet memorable, we often end up using personal elements: birth date, pet's name, etc. These choices can be easily guessed by an attacker.
How to change that?
Let’s talk about brute force
To fully grasp the importance of a long password, one must understand how a brute force attack works. This technique involves testing all possible combinations until the correct one is found. The shorter a password is, the quicker it can be cracked. In contrast, a long phrase of 20 characters or more exponentially increases the time needed to achieve this. Brute force, while effective, is just one of many threats: dictionary attacks and phishing, which exploit lists of common words or manipulation techniques, also pose significant dangers.
Example:
- Short password: "P@ss123"
- Long phrase: "TheBlackCatIsInTheGardenWithItsPawInTheAir"
Longer = more secure?
Not necessarily, if the phrase is predictable: "MyPassword123" remains easy to guess. It's important to create unique and unlikely phrases.
What about OTPs?
One-time passwords (OTPs), especially via SMS, are often presented as a secure alternative. They are popular because they provide an additional layer of protection in case the main password is compromised. However, the mobile network is not infallible, and techniques like SIM swapping can bypass this protection.
Change your password regularly
A good practice is to periodically renew your passwords to reduce risks associated with prolonged compromise.
A little word for my dev friends
Rethink complexity
Stop enforcing arbitrary rules on special characters and focus on the overall quality of the password: its length, uniqueness, and difficulty to guess.
Integrate change reminders
Implement systems that remind users to regularly change their passwords while encouraging them to use password managers.
For a more secure web
We must collectively evolve towards security practices that are both effective and accessible. For example, a password management system integrated into a browser or mobile app would allow users to easily create long and unique passwords while storing them securely.
- As users, let's make the effort to adapt our passwords to these new principles.
- As developers, let’s integrate systems that meet real security needs without unnecessarily complicating users' lives.
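As an added example (not code from the original article), here is what the developer advice above looks like in practice: a password check that drops the special-character rules and instead enforces length, rejects entries from a common-password list, and refuses passwords containing personal data the service already holds, alongside the brute-force estimate from the earlier section. The breached-password set, the 16-character minimum, the profile hints and the guessing rate of 10^10 per second are all constructed assumptions for the example.

```python
import re

# Constructed sample of a common/breached-password list; a real deployment
# would query a breach corpus instead (assumed, not described on the page).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "p@ss123", "mypassword123"}
MIN_LENGTH = 16              # policy threshold chosen for this example
GUESSES_PER_SECOND = 1e10    # assumed offline cracking rate against a fast hash
SECONDS_PER_YEAR = 365 * 24 * 3600

def charset_size(pw: str) -> int:
    """Alphabet an attacker must cover to brute-force this password."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pattern, n in classes if re.search(pattern, pw))

def brute_force_years(pw: str) -> float:
    """Worst-case years to try every combination of this length and alphabet."""
    combinations = charset_size(pw) ** len(pw)
    return combinations / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def check_password(pw: str, personal_hints: list[str]) -> list[str]:
    """Policy violations for pw; an empty list means accepted. personal_hints are
    profile values the service already holds (name, pet, birth year)."""
    problems = []
    norm = pw.lower()
    if len(pw) < MIN_LENGTH:
        problems.append(f"too short: {len(pw)} < {MIN_LENGTH}")
    # Exact hit, or a common word of 6+ characters embedded ("MyPassword123").
    if norm in COMMON_PASSWORDS or any(w in norm for w in COMMON_PASSWORDS if len(w) >= 6):
        problems.append("appears in common/breached list")
    for hint in personal_hints:
        if len(hint) >= 3 and hint.lower() in norm:
            problems.append(f"contains personal info '{hint}'")
    return problems

if __name__ == "__main__":
    # Constructed profile hints: pet name and birth year.
    for pw in ("P@ss123", "MyPassword123", "Rex1990LikesLongWalksAtTheBeach",
               "TheBlackCatIsInTheGardenWithItsPawInTheAir"):
        print(f"{pw}: {check_password(pw, ['Rex', '1990']) or 'OK'}, "
              f"brute force <= {brute_force_years(pw):.3g} years")
```

Note that the long phrase passes while the equally long "Rex1990..." phrase is rejected: length alone is not enough once the content is guessable from the user's profile.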