Thursday, 18 October 2012

Password security is a broken concept

We are now at a point where our best password security recommendations are incompatible with human psychology. You are recommended to use long, complicated passwords that are different for every service online, to never write them down anywhere, and to change them regularly. So, at a minimum, an internet citizen will have three passwords: email, banking and Facebook. A "long" password is considered 12 characters or more. Its strength depends on it including mixed case, numbers and letters, plus punctuation (and those in random positions, not just at the end - "Password12!" is just as bad as "password"). All of us are, therefore, expected to memorise a minimum of 36 totally random characters every month. It's just not going to happen. Password security is really broken.

The answer from many quarters about this problem is that human beings need to change to get better at password security. That is the opposite of the right way to think about this. We made the computers. We made the internet. We made the websites that demand our passwords. If they are not going to change to give us proper security, why did we spend so much effort creating general-purpose programmable machines and a world wide network to connect them? They are made to be changeable. On a broad scale, humans are always humans. We have limited, unreliable memories and limited patience. The machines need to change to make security easier for humans.

Mokalus of Borg

PS - Most articles on password security end up recommending a password database.
PPS - Which is fine as long as you're certain you can keep it secure too.
