For a long time, passwords have troubled me conceptually. I now believe that, as a concept, they are beyond broken. As an industry, we need to do better.
I might well need to deal with more identities, passwords, multi-factor authentication options, etc. than the average consumer, but I know it's beyond me to get this right, at least in the way that vendors, financial institutions, and service providers expect me to.
Let's look at the "simple" requirements that we now ask people to comply with:
- Use a complex password
- Don't write it down or record it anywhere
- Change it regularly
- Use different passwords for every site that you deal with
Is that even humanly possible?
Is requiring someone to do something that almost no human could do, even legal?
I'd love to see it tested.
Then let's compound this with completely different complexity rules for almost every site. You can't have any sort of mental pattern of how to do this either. Some sites won't allow special characters, some won't allow more than a small number of characters, some want only alphabetic characters, some want numbers only, some want alphabetic characters and numbers mixed, some want upper and lower case combinations, etc. etc. etc.
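To make the point above concrete, here is a small added illustration (not code from the original post) that models a few sites' password rules as predicates and checks one candidate password against all of them. The three policies are constructed examples of the kinds of contradictory rules described, not any real site's policy; the point it shows is that the rule sets intersect on nothing, so no single password, and no single mental pattern, can satisfy them all.

```python
# Added illustration: each site's rules are modelled as a predicate on the
# candidate password. The policies below are constructed for this example
# and are not taken from any real site.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

Rule = Callable[[str], bool]


@dataclass
class SitePolicy:
    name: str
    rules: Dict[str, Rule] = field(default_factory=dict)

    def violations(self, pw: str) -> List[str]:
        """Return the labels of every rule the password fails at this site."""
        return [label for label, ok in self.rules.items() if not ok(pw)]


# Constructed policies that mirror the contradictory rules users meet in practice.
POLICIES = [
    SitePolicy("bank", {
        "8-12 chars": lambda p: 8 <= len(p) <= 12,
        "letters and digits only": lambda p: p.isalnum(),
        "at least one digit": lambda p: any(c.isdigit() for c in p),
    }),
    SitePolicy("webmail", {
        "at least 14 chars": lambda p: len(p) >= 14,
        "needs a special character": lambda p: re.search(r"[^A-Za-z0-9]", p) is not None,
        "mixed case": lambda p: p.lower() != p and p.upper() != p,
    }),
    SitePolicy("legacy-pin", {
        "digits only": lambda p: p.isdigit(),
        "4-6 chars": lambda p: 4 <= len(p) <= 6,
    }),
]


def check_everywhere(pw: str) -> Dict[str, List[str]]:
    """Map each site name to the list of rules the password violates there."""
    return {pol.name: pol.violations(pw) for pol in POLICIES}


def satisfies_all(pw: str) -> bool:
    """True only if the same password is accepted by every site."""
    return all(not v for v in check_everywhere(pw).values())


if __name__ == "__main__":
    # Constructed candidates: each one passes somewhere and fails elsewhere.
    for candidate in ["Passw0rd1234", "Tr0ub4dor&3!abc", "123456"]:
        print(candidate, "->", check_everywhere(candidate), "all ok:", satisfies_all(candidate))
```

The "bank" policy caps length at 12 while "webmail" demands at least 14, and "legacy-pin" accepts only digits, so `satisfies_all` can never return True for these three; that is the structural problem the paragraph describes, independent of how strong the chosen password is.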
And yes, I hear some say, everyone just needs to use a password manager. But while they can help, are they all really safe? What do you know about who wrote them? Is putting all your credentials into a single spot really a brilliant idea?
Many of the ridiculous rules that we confront users with on a daily basis are justified on the basis of "security", but how does a user challenge the validity of the requirements?
For example, forced password expiry has been shown time and again (by detailed research) to actually reduce security overall, yet how many organizations still force people to do this?
We need to do better
As an industry, we should be ashamed of what we've created.