Password rules suck (or worse). But what is the solution? Two-factor (or multi-factor) authentication. In other words, combining something you know (your password) with something you have (phone, 2FA key, biometrics, etc.). A common way a lot of sites do this is sending a text message to your phone with a one-time key. This, however, is not that secure (but better than nothing). A better way is to use an application like Google Authenticator, or a hardware security key like the YubiKey. I have been using the Google Authenticator application, but there is one big problem with it, that I’ll get to later.
I have been a big proponent of using 2FA for a long time now, and will use it whenever it is available. If you combine that with strong, randomly generated passwords and a password manager that also uses 2FA (I use RoboForm, because that’s what we use at work), your chances of getting credentials compromised are much smaller. And even if it does happen, using randomly generated passwords – rather than reusing the same password on multiple sites – means that a compromise of one account won’t affect any of your other accounts.
2FA also lessens the need for password rotation (requiring users to change their passwords every 30 days, for example), which isn’t a very good form of security, anyway. It encourages bad practices – particularly if a password manager cannot be used (logging on to your computer, for example). What tends to happen there is users will find a way to make it less painful for themselves, like incrementing a number at the end of a base password or using a rotating list of passwords that is long enough to beat the reuse requirements. This is one reason NIST no longer recommends it, and Microsoft has removed password expiration policies. If other security measures are used, there’s simply no longer any reason to require password changes.
So, what’s the problem with Google Authenticator? Simply put, there is no good way to back up all your codes and transfer them to a new phone if you didn’t securely save the key used to set up an account. There are cumbersome hacks for doing this, but those require a fair amount of up-front planning. If you lose your phone and you haven’t planned ahead, it’s going to be painful to get them all set up again. I know this, because I was having problems with my phone so last night I reset it. I didn’t think about all the stuff I had set up in Google Authenticator until it was too late, and I was partially locked out of my GoDaddy account (and who knows what other sites). I could get in with an SMS code, but when I went to the page to change my 2FA setup, that page was blank. I couldn’t use customer support, because they required a code from Google Authenticator. The SMS code wouldn’t work for that. I found this article this morning which would have provided another way to get around this (email), but thankfully whatever the issue was last night that was giving me a blank page was resolved this morning and I was able to update my account. I don’t yet know what other sites I’ll have issues with because of my lack of proper planning.
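The reason saving the setup key matters is that an authenticator app holds nothing else of value: every six-digit code is derived from that per-account secret plus the current time (TOTP, RFC 6238), and the QR code you scan during setup is just an `otpauth://` URI carrying that secret. The following is an added example, not code from the post; it uses only the Python standard library and the RFC 6238 test secret (`GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`, the ASCII string `12345678901234567890` in base32), so any device holding the saved secret produces the same codes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# RFC 6238 test secret (base32 of the ASCII bytes "12345678901234567890").
TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def secret_from_otpauth_uri(uri: str) -> str:
    """Extract the shared secret from an otpauth://totp/... URI (what a setup QR code encodes).

    Saving this URI (or just its secret) offline is what makes an authenticator recoverable.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("provisioning URI carries no secret")
    return params["secret"][0]


def totp(secret_b32: str, for_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the RFC 6238 TOTP code (HMAC-SHA1 default) for a given Unix time."""
    # Authenticator apps accept unpadded base32; restore padding before decoding.
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = int(for_time) // step
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    # RFC 4226 dynamic truncation: low nibble of last byte selects a 4-byte window.
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, candidate: str, for_time: int, window: int = 1) -> bool:
    """Server-side check accepting codes from neighbouring time steps (clock drift tolerance).

    Uses a constant-time comparison so the check does not leak how many digits matched.
    """
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, for_time + drift * 30)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed provisioning URI of the kind a setup QR code encodes (label and issuer are placeholders).
    uri = f"otpauth://totp/Example:user@example.test?secret={TEST_SECRET}&issuer=Example"
    seed = secret_from_otpauth_uri(uri)
    print("code right now:", totp(seed, int(time.time())))
    print("RFC 6238 vector (T=59):", totp(seed, 59, digits=8))  # 94287082
```

Because the secret alone is sufficient, treat it exactly like a password: the same seed regenerates every code, so an offline copy restores access after a phone reset, and a leaked copy defeats the second factor entirely.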
What’s the alternative? Microsoft also provides an authentication app, Microsoft Authenticator, and they recently added backup and recovery, so that you can move your accounts to a new install. I don’t think it is enabled by default, though, so make sure you set that up. As I set up my accounts again, I’m using Microsoft’s application instead.
So, make sure you never, ever reuse passwords and instead use strong, randomly generated passwords (I am generating 25-character passwords whenever a site allows for it), a password manager, and 2FA. Also make sure you can recover from the loss of that application, whether it is a backup method for getting codes (SMS or a list of backup codes), or using an application that backs up and restores those accounts. Preferably both. This is something you really want to get right, so the more ways to securely recover from this, the better.
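The two recovery paths named above, a list of one-time backup codes and long random passwords, are both just careful use of a cryptographically secure random source. The following is an added example, not code from the post, showing how a site would issue backup codes and store only their hashes so a single code can be redeemed exactly once, alongside a generator for the 25-character passwords mentioned; the code format and alphabet are assumptions of this example, not anything the post specifies.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabet: upper, lower, digits and punctuation (94 symbols).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 25, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Random password from the OS CSPRNG; never use random.choice for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = PASSWORD_ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return length * math.log2(len(alphabet))


def generate_backup_codes(count: int = 10, nbytes: int = 5) -> list[str]:
    """Issue single-use recovery codes, shown once to the user as e.g. '3f9a2-b71c0'."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)          # 40 random bits as 10 hex chars
        codes.append(f"{raw[:5]}-{raw[5:]}")
    return codes


def normalize(code: str) -> str:
    """Accept the code however the user typed it (case, separators)."""
    return code.replace("-", "").replace(" ", "").lower()


def hash_code(code: str) -> str:
    return hashlib.sha256(normalize(code).encode()).hexdigest()


class BackupCodeStore:
    """Server-side store holding only hashes; each code is consumed on first successful use."""

    def __init__(self, codes: list[str]):
        self._hashes = {hash_code(c) for c in codes}

    def redeem(self, candidate: str) -> bool:
        h = hash_code(candidate)
        matched = None
        # Compare against every stored hash so timing does not reveal an early match.
        for stored in self._hashes:
            if hmac.compare_digest(stored, h):
                matched = stored
        if matched is None:
            return False
        self._hashes.remove(matched)   # single use: the code is gone once redeemed
        return True

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    pw = generate_password()
    print(f"{pw} ({entropy_bits(len(pw)):.1f} bits)")
    codes = generate_backup_codes()
    store = BackupCodeStore(codes)
    print("redeem once:", store.redeem(codes[0]), "redeem again:", store.redeem(codes[0]))
```

The store keeps hashes rather than the codes themselves for the same reason a site should not keep plaintext passwords: a database leak then yields nothing directly usable. The codes themselves belong on paper or in the password manager, not in the authenticator app they are meant to replace.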