We know passwords aren't great and that, given half the chance, people choose crappy short ones that are easy to remember. The usual solution seems to be to demand at least one number, one upper case character, one symbol and a minimum of 8 characters...

However, you don't want to use the same password everywhere, as most sites aren't trustworthy*, so it's foolish to reuse one across all of them. The result is an ever-mounting litter of passwords you can't remember, so you either end up writing them down (which probably violates the terms of service and makes you liable in the event of abuse) or rely on "forgotten password" mechanisms to log in as and when needed (the main frustration there being the turnaround time and the need to come up with a new bloody password each time).

Yet using 3 or more words as a passphrase is more secure than a short, forgettable password and would make a website a damn sight easier to use - you still can't use the same password everywhere though. It's about time we made the minimum password length 16 characters and dropped the garbage complexity rules that don't help anyone.
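To make the contrast concrete, here is an added example (not code from the post) that encodes the two policies side by side: the usual "8 characters plus one digit, one upper case, one symbol" rule, and the 16-character length-only minimum proposed above. The sample candidates are constructed for illustration; a 3-word passphrase fails the legacy rule while a short, predictable string passes it.

```python
import re

# Constructed example: two password policies expressed as predicates.
LEGACY_MIN_LEN = 8        # the "8 chars plus complexity" rule
LENGTH_ONLY_MIN_LEN = 16  # the post's proposal: length, no composition rules


def legacy_policy(pw: str) -> bool:
    """Typical complexity policy: at least 8 characters plus one digit,
    one upper case letter and one symbol. Note that a long multi-word
    passphrase fails this even though it is far longer than required."""
    if len(pw) < LEGACY_MIN_LEN:
        return False
    has_digit = re.search(r"\d", pw) is not None
    has_upper = re.search(r"[A-Z]", pw) is not None
    has_symbol = re.search(r"[^A-Za-z0-9]", pw) is not None
    return has_digit and has_upper and has_symbol


def length_policy(pw: str) -> bool:
    """Length-only policy: a 16-character minimum and nothing else."""
    return len(pw) >= LENGTH_ONLY_MIN_LEN


def compare_policies(candidates):
    """Return {candidate: (accepted_by_legacy, accepted_by_length_only)}
    so the two rule sets can be inspected side by side."""
    return {pw: (legacy_policy(pw), length_policy(pw)) for pw in candidates}


# Constructed sample inputs, chosen to show where the policies disagree.
SAMPLES = [
    "P@ssw0rd",                       # short and predictable, yet "complex"
    "correct horse battery staple",   # 4 plain words, no digit/upper/symbol
    "three word phrase",              # 3 words, 17 characters
    "Tr0ub4dor&3",                    # substitutions satisfy every class rule
]

if __name__ == "__main__":
    for pw, (legacy_ok, length_ok) in compare_policies(SAMPLES).items():
        print(f"{pw!r:34} legacy={legacy_ok!s:5} length16={length_ok}")
```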

Facebook, Google and the like would have you use their OpenID Connect services - this way they effectively own your online identity - and, if you do use them, the multi-factor authentication (MFA) options are well worth adopting. Personally I don't want these guys in charge of my online identity (and most organisations won't either), so whilst it's fine to offer the option, you can't force it on people.

We need to continue to support passwords, but we need to stop with these daft, counterproductive restrictions.

* OK, none of them are, but some I trust more than others. I certainly won't trust some hokey website just because the developers provide the illusion of security by making my life more complicated than necessary.

