Opinion: Passwords are a completely broken concept

Image by Lujia Zhang

For a long time, passwords have troubled me conceptually. I now believe that, as a concept, they are beyond broken. As an industry, we need to do better.

I might well need to deal with more identities, passwords, multi-factor authentication options, etc. than the average consumer, but I know it's beyond me to get this right, at least in the way that vendors, financial institutions, and source providers expect me to.

Let's look at the "simple" requirements that we now ask people to comply with:

  • Use a complex password
  • Don't write it down or record it anywhere
  • Change it regularly
  • Use different passwords for every site that you deal with

Is that even humanly possible?

Is requiring someone to do something that almost no human could do, even legal?

I'd love to see it tested.

Then let's compound this with completely different complexity rules for almost every site. You can't have any sort of mental pattern of how to do this either. Some sites won't allow special characters, some won't allow more than a small number of characters, some want only alphabetic characters, some want numbers only, some want alphabetic characters and numbers mixed, some want upper and lower case combinations, etc. etc. etc.

Password Managers

And yes, I hear some say, everyone just needs to use a password manager. But while they can help, are they all really safe? What do you know about who wrote them? Is putting all your credentials into a single spot really a brilliant idea?

Password Rules

Many of the ridiculous rules that we confront users with on a daily basis are justified on the basis of "security", but how does a user challenge the validity of the requirements?

For example, forced password expiry has been shown time and again (by detailed research) to actually reduce security overall, yet how many organizations still force people to do this?

We need to do better

As an industry, we should be ashamed of what we've created.

4 thoughts on “Opinion: Passwords are a completely broken concept”

  1. Whilst there are a lot of bad practices out there (that's not something limited to IAM or security in general), I don't see much here to say passwords are broken – rather that they're hard to use. But many things are hard to use…

    1. I think we've created a set of rules for people to comply with, yet humans can't actually comply with the set of rules, at least not for more than a handful of sites. If they are basically impossible to comply with, rather than just hard, I'd contend they are broken.

  2. Isn't using a password manager "recording it somewhere"? Isn't using one violating "the 'simple' requirements that we now ask people to comply with"?

    Sure wish that I had an answer to this ('cause I'd be beyond rich!!!).

    1. Exactly! I'm not sure it obeys the letter of the law. Worse, so many sites won't let you paste a password into the password field.
