One of the biggest headaches in the IT world is password management. There are myriad rules to follow from different sites and organisations, each with its own requirements: uppercase letters, a minimum number of characters, or words that don’t appear in dictionaries. It’s become such a nuisance to everyone that most people tend to use the same complex password on every account they own, and rarely change it.
Don’t blame yourself if you do. Password complexity requirements are complete bollocks.
In 2004, when the National Institute of Standards and Technology (NIST) dictated web standards, one of the new mid-level managers at NIST’s Information Technology Laboratory (ITL) was given the task of writing a document that detailed password complexity requirements for the modern era. Bill Burr (not the comedian) produced the 74-page document, drawing on his experience in the United States Army as an I.T. support officer stationed in Vietnam, as well as on a single 20-year-old study on password complexity that was accurate for its time period (back when computers were barely powerful enough to run Pong).
The document he created was largely thumb-sucked. Burr admitted in a 2017 interview with the Wall Street Journal that he regrets pretty much everything about his work.
NIST Special Publication 800-63, Appendix A, the document that Burr authored, was adopted by NIST and spread to US government agencies and companies around the world. It became the bible for IT system administrators to follow, and went on to influence software design and security requirements for the next 14 years.
But the paper was as weak as the passwords it suggested.
Everyone is familiar with the following rules when creating a new password. We’ve all gone through the headache of making a secure password that:
- Has a minimum length of 8 or more characters, including lowercase and uppercase alphabetic characters, numbers and symbols
- Is unique and not used anywhere else
- Avoids character repetition, keyboard patterns, dictionary words, letter or number sequences, usernames, relative or pet names, romantic links, and biographical information
Eventually you end up with a horrendous combination of letters and numbers that requires sheer muscle memory to type in. Some people’s short- and long-term memories aren’t geared to remember these complex passwords, so they choose simpler ones instead. Seeing as humans are creatures of habit and we’re all plugged into some weird stream of consciousness, we also seem to all pick the same kind of weak passwords every time. Those end up on the now-famous “Most Popular Passwords” list that gets passed around each year.
“P@ssw0rd” and “123456” are both still in the top ten almost a decade later.
So how do you keep up with this brain-mushing churn of passwords that you may have to create and remember every three months? How do you end up choosing unique and complex passwords for each account you own? The answer is you don’t: according to a study by Microsoft researchers in 2006, human beings are physically incapable of choosing strong, unique passwords for different accounts AND remembering them.
There’s an upper limit to the strength of the passwords we can generate when we need to meet the absurd requirements set out in Burr’s recommendations. If we’re forced to remember our passwords, we tend to the weaker side of password complexity. If we write them down, our passwords are pseudorandom, and it’s still possible for a computer to guess them.
Which, by the way, is one tip that we do offer for clients concerned about security: make up your strong passwords for critical accounts, then write them down and store them in a safe place. A hacker from Russia isn’t going to waste time on guessing a pseudorandom password for more than a few months.
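To make the point above concrete, here is an added example (not code from the post or from Bitwarden) that scores a few passwords the way an attacker’s search space is actually measured. The common-password list, the 1e10 guesses-per-second rate and the sample passwords are all constructed assumptions for illustration. It shows that “P@ssw0rd” passes every one of the classic complexity rules and is still guessed almost instantly because it sits on the popular-passwords list, while a 21-character all-lowercase string fails the rules yet has a far larger search space. The last function gives the honest estimate for a passphrase built from dictionary words, which is how a cracker will actually attack it.

```python
import math

# Constructed stand-in for the yearly "Most Popular Passwords" list (assumption).
COMMON_PASSWORDS = {"123456", "password", "P@ssw0rd", "qwerty",
                    "letmein", "123456789", "welcome1"}

# Assumed offline guess rate against a fast hash (assumption, order of magnitude only).
GUESSES_PER_SECOND = 1e10

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def meets_complexity_rules(pw: str) -> bool:
    """The classic 8+/lower/upper/digit/symbol rule set from the post."""
    return (len(pw) >= 8
            and any(c.islower() for c in pw)
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(not c.isalnum() for c in pw))


def charset_size(pw: str) -> int:
    """Size of the alphabet an attacker must enumerate, inferred from the classes used."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33          # printable ASCII symbols, space included
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the brute-force search space; an upper bound on strength."""
    return len(pw) * math.log2(charset_size(pw))


def dictionary_passphrase_bits(n_words: int, dictionary_size: int) -> float:
    """Strength of a passphrase when the attacker knows it is n words from a known list."""
    return n_words * math.log2(dictionary_size)


def assess(pw: str) -> dict:
    """Expected guesses and cracking time, trying the common list first as a cracker would."""
    if pw in COMMON_PASSWORDS:
        expected_guesses = float(len(COMMON_PASSWORDS))   # found during the first, cheap pass
    else:
        expected_guesses = 2 ** search_space_bits(pw) / 2  # on average half the space
    seconds = expected_guesses / GUESSES_PER_SECOND
    return {
        "complex": meets_complexity_rules(pw),
        "on_common_list": pw in COMMON_PASSWORDS,
        "bits": search_space_bits(pw),
        "years_to_crack": seconds / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "mydogateseventeenpies"):
        print(candidate, assess(candidate))
    # A four-word passphrase from a 7776-word list is only ~51.7 bits if the list is known.
    print("4 diceware words:", round(dictionary_passphrase_bits(4, 7776), 1), "bits")
```

The charset model is the one that complexity rules implicitly assume, and it is an upper bound: a passphrase made of real words should be scored with `dictionary_passphrase_bits`, because a cracker will try word combinations long before it brute-forces 21 letters.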
If you’re still in doubt that we are creatures of habit capable of choosing really weak passwords, watch the TED Talk embedded above by Nick Berry, a former rocket scientist who now analyses big datasets for companies like Facebook and Twitter. Show of hands, who has changed their bank card PIN code in the last five years? I can’t see you, but I know there are dozens of you. DOZENS.
So if you can’t generate truly random passwords, and you can’t possibly remember them all, what option is there? A password manager. Bitwarden is something I’ve been testing on a few computers set up for our customers, and it’s proven quite capable.
Bitwarden is an open-source password manager developed by a community of software developers who wanted an open-source alternative to suites like DashLane, 1Password, and LastPass. It’s free, as in beer and as in free software. Bitwarden creates a file with all your passwords in it and then encrypts that file with an extremely overkill encryption algorithm; only you know the password that unlocks it. It’s almost the last password you need to remember.
My master password is 21 characters long, is easy for me to remember, and doesn’t feature any special characters or capital letters. For me personally, this relieves me of the stress of remembering at least a dozen different passwords for all the services I make use of.
That’s essentially password managers in a nutshell. When you visit a site for which you have a saved password, it is inserted for you automatically. You never enter the password yourself once it is saved in your vault, which protects you from things like keyloggers and screen recorders (which shouldn’t be a concern if you have a good antivirus solution).
Most password managers of this type aren’t open source, and those that are open source often aren’t as fully featured. LastPass and DashLane both charge for their services for anyone who wants to use them for more than just personal web surfing, and both make it difficult to export their encrypted vaults to other password managers, keeping you locked into their service.
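The vault model described above, as an added example that is not Bitwarden’s code and does not reproduce its exact scheme: the master password never leaves the device; it is stretched with PBKDF2-HMAC-SHA256 into a master key, from which two separate keys are derived. One encrypts the vault locally, the other is the only value a sync server ever sees, so a server breach yields neither the master password nor the vault key. The cipher here is a constructed HMAC-in-counter-mode stream with an encrypt-then-MAC tag, standing in for a real AEAD such as AES-GCM purely so the block runs with the standard library; the iteration count, salt and vault contents are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Assumed work factor; real products tune this and may use other KDFs (assumption).
PBKDF2_ITERATIONS = 600_000


def derive_keys(master_password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS):
    """Stretch the master password once, then split into an encryption key (stays on the
    device) and an auth key (the only secret-derived value sent to the server)."""
    master_key = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                     salt, iterations, dklen=32)
    enc_key = hmac.new(master_key, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(master_key, b"server-auth", hashlib.sha256).digest()
    return enc_key, auth_key


def server_verifier(auth_key: bytes) -> bytes:
    """What the server stores: a hash of the auth key, never the key or password itself."""
    return hashlib.sha256(auth_key).digest()


def login_ok(auth_key: bytes, stored_verifier: bytes) -> bool:
    """Constant-time comparison of the presented auth key against the stored verifier."""
    return hmac.compare_digest(server_verifier(auth_key), stored_verifier)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy PRF-in-counter-mode keystream (constructed stand-in for a real cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal_vault(enc_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC the serialised vault: nonce || ciphertext || tag."""
    plaintext = json.dumps(vault).encode("utf-8")
    nonce = secrets.token_bytes(16)
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(stream_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_vault(enc_key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; a wrong key or tampering both fail here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    stream_key = hmac.new(enc_key, b"stream", hashlib.sha256).digest()
    mac_key = hmac.new(enc_key, b"mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("wrong master password or tampered vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(stream_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)                     # stored beside the vault, not secret
    enc_key, auth_key = derive_keys("mydogateseventeenpies", salt)  # constructed master password
    verifier = server_verifier(auth_key)               # the only thing the server keeps
    blob = seal_vault(enc_key, {"example.com": "hunter2"})          # constructed vault entry
    print("login ok:", login_ok(auth_key, verifier))
    print("vault:", open_vault(enc_key, blob))
```

The design choice worth noticing is the split: the server can check a login but holds nothing that decrypts the vault, which is why a leaked server database still leaves the attacker facing the full PBKDF2 cost per guess.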
Bitwarden, meanwhile, is fully featured and only charges for users who want to use it in an organisation, where sharing access to certain users who need specific credentials might be required.
You can even run the service yourself, on your own server if required for legal reasons, and there are comprehensive guides by the Bitwarden team on how to roll your own Bitwarden server.
The fees are attractive too, if you need the additional features. $1 per month supports up to five users in a family. $10 per year for a single user gets you all the enterprise features. Pricing for businesses and teams within an organisation is also far lower than competing solutions.
But it’s not just the pricing that makes Bitwarden attractive, it is the approach to free software that separates it from the lot. For one, Bitwarden’s password vault structure isn’t locked behind corporate policies or proprietary company secrets. It’s always possible to export it to another service.
Where other solutions are built by companies driven by profit, Bitwarden’s open-source model makes it a more ethical choice than closed-source solutions. For companies that want software they can adapt to suit their needs, or for NPOs and NGOs that need a solution matching their criteria for ethically sourced services that don’t charge the earth because of an organisation’s status, Bitwarden is in a unique position to offer all these things to its customers.
So to all our customers reading this blog post, if you’re in the market for a password manager that is free, cheap to run, supports multiple platforms and clients, and doesn’t charge much to unlock all the corporate features if you just need it for your small business, Bitwarden seems to be the best option out there.