What are Some Alternatives to Passwords?

This morning, I got yet another message from my work login system: "Your password will be expiring in 7 days. Customers are required to change their passwords at least once every 180 days."

Hmm. Already? It seems like it's only been 180 days since... oh right. But there's more! The new password requirements must meet three of the following four criteria:

1. Must contain an English uppercase letter
2. Must contain an English lowercase letter
3. Must contain a Westernized Arabic numeral (0-9, etc.)
4. Must contain a special character (e.g. punctuation mark)

It also can't be any of the last 5 passwords I've selected before. Really? A password that I used 2 years ago isn't secure now? I wrote a letter to the administrators:

I'll get right to the point: longer and more onerous passwords are not more secure if I have to write them down or store them somewhere. Over the last 8 years or so, the password policies have become progressively anti-user to ever-increasing levels of absurdity. More characters, upper and lowercase letters, non-dictionary words, even MORE characters, and now I have to punctuate? It's not an essay, it's a password. I understand that faster processors and increased computing power make it theoretically easier for a machine to break my code, but many professors on campus that I know keep an unlocked, unhidden rolodex full of passwords because of requirements like this. I know that you're trying to protect us from hackers, and I appreciate that. But consider that our brains do not follow Moore's law to keep in step with increased processing power, and at some point you will need to rethink your strategy.

Sure, I can store the passwords in some kind of utility program designed for that purpose. But then don't I need another password for that system? And aren't I at the mercy of whatever encryption scheme that system uses? And isn't that a far more desirable target for hackers and identity thieves? What worries me is that, at some future point, my university might consider doing what banks have done, which is to implement stupid security questions to verify my identity. You know what I'm talking about: "What was your first pet's name? What's the name of your high school?" It's the kind of stuff that appears on the average Facebook account, and can be gleaned more easily than a moderately well-crafted password.

My question to you today is this: What is a secure alternative to passwords of ever-increasing complexity (and ever-declining usability)?
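The policy quoted at the top of the post (three of four character classes, no reuse of the last five passwords) is easy to turn into code, and doing so makes the author's point concrete: a complexity rule counts character classes, which is not the same thing as counting how much an attacker has to guess. The following is an added example, not code from the post or from the author's login system; the class definitions, the sample passwords and the "attacker knows which classes are present" search-space estimate are my own assumptions for illustration.

```python
import math
import string

# Character classes as described in the post's policy (an assumption about
# what the university's system counts as "special": Python's punctuation set).
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set(string.punctuation),
}


def classes_present(password):
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def meets_complexity(password, required=3):
    """The post's rule: at least `required` of the four classes must be present."""
    return len(classes_present(password)) >= required


def violates_history(password, previous, window=5):
    """The post's history rule: the new password may not equal any of the
    last `window` passwords. `previous` is ordered oldest to newest."""
    return password in previous[-window:]


def search_space_bits(password):
    """Upper bound on the brute-force search space in bits, assuming the
    attacker knows which classes the password draws from and must try every
    string of the same length over that alphabet. A ceiling only: a password
    that appears in a cracking wordlist is found long before this bound."""
    alphabet = sum(len(CLASSES[name]) for name in classes_present(password))
    if alphabet == 0:
        return 0.0
    return len(password) * math.log2(alphabet)


def evaluate(password, previous=()):
    """Combine the policy checks with the search-space estimate so the two
    views can be compared side by side."""
    return {
        "classes": sorted(classes_present(password)),
        "passes_complexity": meets_complexity(password),
        "reuses_recent": violates_history(password, list(previous)),
        "search_space_bits": round(search_space_bits(password), 1),
    }


if __name__ == "__main__":
    # Constructed sample inputs: a short "compliant" password and a long
    # lowercase passphrase that the 3-of-4 rule rejects.
    short_compliant = "Passw0rd!"
    passphrase = "stapler orchard violin mug"
    history = ["first1!", "second2@", "Passw0rd!", "fourth4$", "fifth5%", "sixth6^"]
    for candidate in (short_compliant, passphrase):
        print(candidate, evaluate(candidate, history))
```

Run as a script, the short password passes the complexity rule (and trips the history rule, since it is among the last five) with roughly 59 bits of search space, while the 26-character lowercase passphrase fails the rule yet has well over 120 bits. The complexity checker is measuring the wrong thing; a policy that scored on length, or on rejection by a wordlist, would rank these two the other way round.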


sarah said...

Hey, good points there. I use a password generator but I too keep them in a password protected thing, on a separate drive that I unhook when I don't need it.

Andy said...

I agree that passwords are getting ever-increasingly absurd with their requirements. Some sites have instilled an MFA (multi-factor authentication) system, which will combine password, key question, some form of CAPTCHA (or RE-CAPTCHA) *I know, major accessibility issues* and a site-only identity avatar. This is usually found on financial institution sites.

The alternative: no passwords? Perhaps requiring an identity on some sites is more than should be needed to interact with the information. With anonymous, crowd-sourcing contributions, the hive-mentality might actually be strengthened by not having identities - hence, no passwords. Perhaps? I'm simply postulating.

Look at http://postsecret.blogspot.com/ and tell me that it would be improved with identities - I think not.

Knife said...

This is a great resource to get really great random passwords.


As far as I know to date they have used the best mathematical theory to develop a password generator that will never repeat a password.

Jillian said...

I'm all for easy-to-use security measures that use a central identity server (like OpenID). The problem is actually implementing a service like that. One almost needs the government to issue a virtual ID that one can use on sites, but then there are still too many points of compromise. An example just happened this morning when two people in Corvallis allowed their twitter accounts to be "phished", by a site pretending to be twitter. This could have been prevented if everyone had a common knowledge of how the authentication system works, and how it behaves in different situations.

Anything that someone thinks is secure, isn't. As long as there have been locks, there have been people bypassing them. It's the same with authentication systems, it's just a matter of time. I would hope that we could just move to a cooperative trust based model. It would be impossible to do that with most network topologies, especially since the networks are owned by private organizations whose privacy policies, though designed to protect the end user, end up keeping the public away from easily seeking remedy or relief from a perpetrator of online crime.

I suppose the legal aspects of tracking down people on the internet have not kept up with technology. This has left people completely unable to do anything but find a bigger, more durable lock every time something happens. If you really want to not have to put up with so many passwords, work for making the world wide legal system more able to address international computer crimes and work for a more responsible internet. The alternative is to keep all your work on paper, lock things up in vaults and use the security methods that banks use to keep cash on hand.

The Real Steve said...

Wow, great comments all! I was afraid this post was too negative and was going to delete it--and then I come back to find four comments already (I think that's a record for my humble blog).

lycan 762 said...

You have some great points, and I agree with you completely. I'm going through this at work, and honestly it's a big joke the IT guys like to play on the users there. I say, why not use biometrics? Easy to use, and oh, you can't forget your fingerprint or other metrics.

