Opinion: Passwords as a concept are completely broken

Posted by Greg Low on SQL Blog
Published on Wed, 22 Aug 2012 07:02:00 GMT

One thing you get to do as you get older, or have been around the industry for a long time, is to pontificate. My pet topic today is passwords. I think that they are, as a concept, now completely broken and have been for a long time.

We tell users:

1. Pick something really complex.
2. Don't write it down.
3. Change it regularly.
4. Use a different password for each site, and often for each role that you hold on each site.
5. Deal with the fact that we apply different password rules on each site.

And so on.

Is this even humanly possible? I don't think it is. Yet we blame the users when "they" get it wrong. How can they be getting it wrong when we have designed a system that requires super-human ability to comply with it? (These people are potential exceptions: http://www.worldmemorychampionships.com/)

We are the ones who are getting it wrong, and it is long overdue for us, as an industry, to apply our minds to fixing it instead of assuming that users should just deal with it.
