The problem of weak passwords belongs to the users; the blame belongs to the companies

As at the end of every year, NordPass (the password manager from the creators of NordVPN) has published its list of the most common passwords of 2021, with an unsurprising result: the top 10 is made up of runs of consecutive digits, six ones, or words like “qwerty” or [drum roll]… “password”. In the case of Spain, local words such as “barcelona”, “Spain”, “alejandro”, “cristina” or [drum roll and cymbal crash]… “tequiero” (“I love you”).

Let this joke serve to introduce the many reactions this kind of list generates year after year. “You have to be dumb to use a password like that” is the average comment these posts draw in the worst cases. In the best ones, they turn into advice: “Please use strong passwords, not like the ones on this list.” In both cases, despite the good intention, we are only partly on target.


Time to look at companies

If we get across to friends and relatives who are not tech-savvy, who we know use weak passwords and sometimes even tend to forget them, that the ideal is to make passwords as complex as possible and use a manager that remembers them for us, we will be doing our part. Now, it wouldn’t hurt either to start holding accountable the companies that tolerate these passwords, since they are the ones with the upper hand.

Twitter, for example, requires at least eight characters and nothing more. The same goes for Spotify, which merely adds as a security layer a veto on choosing some that are too simple, such as “12345678”. Netflix asks for between 6 and 60 characters and no accented characters. LinkedIn settles for 6 characters.

Other companies raise the security requirements. Steam requires a minimum of eight characters including at least one letter and one number. Apple does the same, but also demands at least one uppercase letter and one lowercase letter, and forbids using the same character three times in a row, as does Adobe.


These companies have to strike a balance: set a minimum security threshold while avoiding hostility from users who feel too much complexity is being demanded. With 16 alphanumeric characters and several symbols we would be safer than with “pepito96”, but in services with millions of users there would be a risk of complicating the experience, especially for those who do not use a password manager.

Perhaps a middle ground is to raise the security requirements for new passwords and show some recommendations or tricks on the same screen to make handling them easier, whether that is using a manager or more social tricks, such as mnemonic rules that aid memorization without falling into weaknesses.

Based on how long it takes an attacker to crack a password by brute force depending on its length and character types, a good password includes numbers, uppercase letters, lowercase letters and symbols and is at least 12 or 13 characters long. That time is the maximum, based on exhausting all the available combinations, so with a bit of luck on the attacker’s side it can be considerably lower.
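As an added example (not code from the article or from any of the companies named), here is a small Python checker that encodes the Apple/Adobe-style rules described above and estimates the brute-force keyspace the table refers to. The guess rate passed to `worst_case_seconds` is an assumed figure for illustration, not one the article gives.

```python
import re
import string

# Character classes used to estimate the alphabet an attacker must cover.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def check_policy(password: str) -> list[str]:
    """Return the list of rule violations; an empty list means it passes.
    Rules: >= 8 chars, one lowercase, one uppercase, one digit, and no
    character repeated three times in a row (the Apple/Adobe-style policy)."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c in CLASSES["lower"] for c in password):
        problems.append("no lowercase letter")
    if not any(c in CLASSES["upper"] for c in password):
        problems.append("no uppercase letter")
    if not any(c in CLASSES["digit"] for c in password):
        problems.append("no digit")
    if re.search(r"(.)\1\1", password):
        problems.append("same character three times in a row")
    return problems


def keyspace(password: str) -> int:
    """Number of candidates a brute-force search must cover at worst: the size
    of the alphabet implied by the classes present, raised to the length."""
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password)


def worst_case_seconds(password: str, guesses_per_second: float) -> float:
    """Upper bound on cracking time (whole keyspace exhausted); on average an
    attacker succeeds after about half of it, as the article notes."""
    return keyspace(password) / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumed guess rate for illustration, not from the article
    for pw in ("123456", "pepito96", "Pepito96!Xk4q"):
        print(pw, check_policy(pw) or "passes policy",
              f"{worst_case_seconds(pw, RATE):.3g} s worst case")
```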

[Image: How Long Does It Take To Brute Force Your Password?]

Brute force is not only effective; dedicated hardware for it has existed for many years, and while the security level of most passwords has stayed unchanged for some time, the processing power of these machines has kept growing. It is better to err on the side of caution and, above all, to demand that the companies that ask us to register also look after those who are unaware of the danger of casually using a “tequiero” or a “123456”.

Reference: www.xataka.com