Opinion: Passwords as a concept are completely broken
Posted
by Greg Low
on SQL Blog
See other posts from SQL Blog
or by Greg Low
Published on Wed, 22 Aug 2012 07:02:00 GMT
Indexed on
2012/08/27
21:50 UTC
Read the original article
Hit count: 244
One thing you get to do as you get older, or have been around the industry for a long time, is to pontificate. My pet topic today is passwords. I think that they are, as a concept, now completely broken and have been for a long time.
We tell users:
1. Pick something really complex
2. Don't write it down
3. Change it regularly
4. Use a different password for each site, and often each role that you hold in each site
5. Deal with the fact that we apply different rules for passwords on each site
etc, etc.
Is this even humanly possible? I don't think it is. Yet we blame the users when "they" get it wrong. How can they be getting it wrong when we design a system that requires super-human ability to comply. (These guys are potential exceptions: http://www.worldmemorychampionships.com/)
We are the ones that are getting it wrong and it's long overdue that we, as an industry, need to apply our minds to fixing it, instead of assuming that users should just deal with it.
© SQL Blog or respective owner