Opinion: Passwords as a concept are completely broken

One thing you get to do as you get older, or have been around the industry for a long time, is to pontificate. My pet topic today is passwords. I think that they are, as a concept, now completely broken and have been for a long time.

We tell users:

1. Pick something really complex

2. Don't write it down

3. Change it regularly

4. Use a different password for each site, and often each role that you hold in each site

5. Deal with the fact that we apply different rules for passwords on each site

etc, etc.

Is this even humanly possible? I don't think it is. Yet we blame the users when "they" get it wrong. How can they be getting it wrong when we design a system that requires super-human ability to comply? (These people are potential exceptions: http://www.worldmemorychampionships.com/)

We are the ones who are getting it wrong, and it's long overdue that we, as an industry, apply our minds to fixing it instead of assuming that users should just deal with it.

8 thoughts on “Opinion: Passwords as a concept are completely broken”

  1. Greg,
    Agreed. As a halfway house I use LastPass; it's not ideal (not least because it has a glaring single point of failure) but, for me, it's the best option right now.

  2. Aye, and it's only getting worse, with many sites now demanding about 3 different passwords, letters from ordinal positions within them, and magnifying the problem with dates of birth and mothers' maiden names (which of course I am just going to plug into some poxy web forum).
    Key fobs to generate randomish numbers, one of which you need a pin to input first… HSBC needs: 1xmembership number (about 11 digits), 1xmemorable code (over 8 iirc) AND 1xPin to generate an rsa type # to tap in.  
    Almost always there to protect what… a forum login??

  3. I couldn't tell you what most of my passwords are. I, like Jamie, use something to remember and generate them for me. I like the combination of KeePass and Dropbox.

  4. I use KeePass 2 professionally and personally
    Free and it works great
    Whole DBA team uses a shared version.

  5. Yep, really true, and we need another solution for this. I'm going crazy with all of the different passwords for sites.
    Yet another problem is the devices. Some sites reset the passwords (in case you forgot) and the result of this is that I have to re-enter the password on every device.
