Getting Lost in Passwords

Let’s agree authentication has been a problem for a long time, even before the modern era. Especially after the internet became an ordinary part of our daily lives, we realized that authentication has a vital role. 

If you are infosec, you might be familiar with the three authentication factors. For those not, let me explain them briefly:

  1. Something you have

    Fingerprint etc.

  2. Something you know: Password , Pin Code, Your first pet’s name etc.
  3. Something you are

    Something you have may be an ID Card

    Something you have may be an ID Card

Nowadays, everyone is familiar with biometric access controls using fingerprints. However, it is an easy-to-use way for many people, and passwords are still in use. You know the scenario, even washing your hand may prevent you from logging in via fingerprint to your cell phone. So for most of the cases, passwords or pin codes or anything related to something you know is there to save your life 🙂

“Don’t use birthday in your password. Don’t use your name in your password. Don’t use your phone number in your password …” You all hear these sentences right! Or you may be telling these kinds of things to the people since you are probably into infosec(otherwise, why does any ordinary person bother to read my boring blog post, right? 🙂 )

Let’s back to the topic. “Those were the good old days we were using passwords, and now we don’t need passwords. The passwordless era has begun.” Well, ask the person who said that how many passwords he/she keeps in mind?

Accept the truth, we lost in passwords!

Policies are our map to secure the future. At least, we hope so. Did you see any place without a password policy? Well, I didn’t see. What are the general password policies?

  • Don’t use the same password that you use somewhere else! (Heyyyy, come on, I have 21123123123 accounts, devices, credit cards, door locks, and so on…)
  • Use a complex password. It should contain at least 1 uppercase, 1 number, and 1 special character. And It should be longer than 8 characters…. bla bla bla… (Ok, dude! My password was “password” so now I will use “Password1.”)
  • You can’t use your previous three passwords.
  • Change your password every XX days. (Aaarghhh, the Human brain may be precious, but It can’t hold everything and replace that easily!!)

Why do we have such policies?

Major policies suggested so. Bill Burr, who wrote the password policies part of the NIST document in 2003, suggested most of those unusable rules. Let me remember, In 2003, I had about 500 passwords. Maybeeeee, I could remember that. Maybe he wasn’t suggesting those rules for “”(I don’t know that does it exist 🙂 ). However, as the security of major corporates increase, attackers find new ways to exploit them. One of them is credential stuffing. They get your password from “” and log in to your account in a major firm. So they can use attacks that require authentication. Of course, it is not limited to that single attack vector. Anyway, let’s back to the topic. Bill Burr expressed himself to Wall Street Journal after a long time.

NIST changed their policies. But I think our IT world can’t adapt to the new changes.

Policies are the first line of defense. Forget about all the fancy security products. Forget about zero trust, defense-in-depth, etc. A proper is policy is essential for all companies.

Whoever is gonna write your policy, support them, always be in the process, discuss with them. Do not copy and paste a well-known policy. It may not be suitable for your corporate culture.

Last sentence to the security handlers. Do not force a policy that you can not obey!


P.S. don’t hesitate to discuss your ideas.