![calendarchangepassword.jpg](https://files.peakd.com/file/peakd-hive/lucabarbera/R80z4ssp-calendar-change-password.jpg)


In the previous posts of this series, it has been described why in general most passwords are insecure, why everybody created insecure passwords for more than 15 years despite their best intentions, and how hackers are quickly cracking these passwords. This article will examine some more modern bad password habits, and explain why - despite all evidence - they are still popular among IT departments and enforced on users.

##### Human-generated passwords are BAD, get over it

It has been explained in detail but it is always overlooked, be it for laziness or excess of confidence, or just plain ignorance: *human-generated passwords are bad because they are predictable*. This happens because they are composed of characters that are not [*independently and identically distributed*](https://en.wikipedia.org/wiki/Independent_and_identically_distributed_random_variables) (IID). 

> A collection of random variables is independent and identically distributed if each random variable has the same probability distribution as the others and all are mutually independent. 

But words are the exact opposite, as they have strict spelling rules which establish a correlation between all characters. Even worse, nature is playing against randomness *just because users are human beings typing on a keyboard*.

[Recent studies](https://arxiv.org/pdf/1604.02287v1.pdf) have demonstrated that, when writing, users seem to prefer certain words depending on the number of letters they feature from the right-hand side of the keyboard. Even randomly chosen letters are not IID, as it's been proven they tend to be towards the center of the keyboard. In short, humans are very bad at generating randomness, and this - must be acknowledged - was exposed by Bill Burr, as he chose this assumption as the starting point of his work when drafting the infamous NIST recommendations.

##### Some "modern" recommendations are also wrong

Once acknowledged that the NIST recommendations are not generating any robust password, some other recent guidelines that are commonly offered shall come under scrutiny:

> "Build random passwords based on initials of a familiar phrase".

That would mean choosing a phrase to have some kind of mnemonic aid, for instance, "*first operate common key externally recognizable*" or "*lorem ipsum dolor sit amet*", then pick each initial to obtain a baseline and apply NIST substitutions (e.g. `f0ck3r` and `L1dS4`).

This method might help to obtain a little more IID collection, but the results still show several shortcomings even by a cursory inspection:

- still too short
- still based on character substitution, which is ineffective
- still very easy to crack for a computer

proving that this method is not better than "scramble words with substitutions" in any way.

##### They force you to change your password every 30 days. They're wrong.

Another timeless classic IT cliché that every office has to endure is the request to periodically change the password. The timeframe may vary between "really paranoid" to "mildly annoying", but sooner or later a pop-up message will appear on the screen to remind you that *your password will expire*. 

It is very unclear why a password - a bundle of bits - should rot and turn bad like sour milk, but there is a historical reason that helps understanding its rationale: after acknowledging that password files can and will be stolen, system administrators craving for security turned their attention at what hackers were doing to attack them, and found out that *cracking password requires time*: if all users changed their password frequently enough, hackers would not be able to break and use them before they turned into digital garbage, and security would be safe again!

Even the infamous NIST guidelines recommended changing passwords regularly, at least every 90 days. This advice ended up baked into many standards that businesses needed to follow.

That however was just another mistake, which caused its fair share of problems.

With time, it's been demonstrated that users who are forced to regularly update passwords will only introduce minimal changes between each iteration: one letter, one number, one special character - whatever meets the minimum requirement set by the IT policy to make the new password accepted by the system. Users are lazy, and this behavior - in hindsight - was entirely predictable. 

This malpractice exposes passwords to inference attacks, making it easier for an attacker to guess the keyword by exploiting similarities between iterations, which results across time in weakening all passwords even if encryption is applied.

And finally, there is the human factor: forcing users to change passwords also makes them more susceptible to being forgotten. 

The downsides of forcing this change on users - a habit which is still very popular despite having been proven detrimental - vastly exceed any potential benefit, especially considering that a determined and well structure attack will break the vast majority of passwords encryption before they get changed anyway. In other words, *a password should only be changed if suspected to be compromised*. 

Despite all that, it is still common practice for many Information Technology departments to enforce a "password change" policy with a timed expiration, which ends up creating a sense of false security while at the same time posing a burden on users and inadvertently setting the premises to have them choose even weaker, less secure passwords.

(to be continued)