Aug 14 2008
Not really, but I do have to admit that I’m one of those people who does a certain amount of password re-use. Not a lot, not for anything sensitive, but for some low impact sites, I have used the same password for multiple sites. They’ve been relatively strong passwords, but the fact that I re-used them definitely reduces their effectiveness and puts me at risk of having multiple resources compromised. Yes, even security professionals get lazy when creating passwords.
I can’t think of anyone who actually likes passwords and the memorization they require. Amrit Williams actively hates passwords and uses them as a way of expressing his man crush on Chris Hoff. The problem is, he’s not really offering up a good alternative. Yes, we all know that passwords suck, but what is the alternative?
I have an RSA SecurID token for logging in to my corporate VPN. At Black Hat they included a token for use with PayPal in every souvenir bag. We can use certificates if the site is properly set up and you have someone who can explain to the average user how to enable them. But if you think password resets create a lot of tech support calls, certificates would be even worse in the short run.
We don’t currently have a good alternative to passwords. OpenID has some possibilities, but it runs into the problem of providing one-stop compromises for the baddies. Maybe a hardware token combined with OpenID is a solution, but then everyone has to have a hardware token. What other solutions are easily distributed and more secure than passwords? None that I know of.
We’re not going to see the end of passwords any time soon. Too many start-ups, too many social media sites, too many Web 5.0 sites are out there being created on a daily basis. And each one requires a password to log in. If the security professionals occasionally get lazy and re-use passwords, imagine how bad the average user is about creating unique passwords.