Admitting passwords are broken is a step forward
Everything you have ever been told about passwords is wrong. Apart from this: passwords are broken and need to be replaced.
Picture the scene: you want to log in to an app on your phone but it is demanding an update, so off to the app store you troop. But wait a minute, you can’t remember the app store password. The farrago that follows would be bad enough, but you have that sinking feeling that even if you could reset this thing and download the update, the app itself is going to ask for a password, isn’t it? And you can’t remember that one, either.
Securing our devices, or more to the point our data, is more important than ever. From financial transactions to personal communications, electronic devices today are as much a window into our lives, or even souls, as they are into the world. But passwords are not the way to do it.
Not only are they a flawed technique, but we have made passwords unbearable in a desperate bid to make them at least marginally secure. Rules for changing a lost one are so complex – a password must be a certain length, include a combination of upper and lower case characters, a mixture of numbers and letters, at least one ‘special character’, must not be the same as a previous password, and be authenticated via an e-mailed code – that more than once I have simply decided that I don’t need to read my e-mail or book that flight today.
It seems that I am not the only one. The National Institute of Standards and Technology (Nist), a US government agency, has scrapped some of its rules around password composition. In its new password guidelines, Nist, which sets security standards that are followed globally, suggests we should stop demanding complex mixtures of character types and periodic password changes.
The rationale is straightforward: the arcane rules grafted onto software in order to ensure users don’t use ‘password’ as their password add so much complexity that they have, at best, become a usability nightmare. At worst they actually encourage insecure practices, such as using the same password across different logins.
Rules that might have been tolerable when we had to remember one, or perhaps two, passwords are untenable when we have an infinite number of logins (many of which should be scrapped as they amount to little more than data grabs) and everyone knows it.
Nist, for its part, is not suggesting going back to using our own names as passwords. It still recommends that users be required to create lengthy passwords, for example. However, complex passwords have resulted in little more than a false sense of security: users have attempted to make them memorable (a capital first letter, an ‘@’ for an ‘a’, a ‘1!’ tacked on the end) and, in the process, made them easier to guess, because those substitutions are exactly what a guessing tool tries first.
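The shift the column describes can be shown in code. What follows is an added example, not code from the column or from Nist: a checker implementing the legacy composition rules described above, beside a verifier in the spirit of NIST SP 800-63B (a length floor, a generous length ceiling, Unicode normalisation, a blocklist of compromised or commonly used passwords, and no composition or periodic-rotation rules). The blocklist is a tiny constructed sample, and the canonical() step that undoes the usual substitutions before the blocklist lookup is an assumption of this example rather than something the guidelines specify.

```python
import re
import unicodedata

# Constructed sample of a compromised/common-password blocklist (illustrative only;
# a real verifier would load a large breached-password corpus).
COMMON_PASSWORDS = frozenset({
    "password", "qwerty", "letmein", "welcome", "summer",
    "iloveyou", "monkey", "dragon", "football",
})

# Legacy composition classes: lower, upper, digit, "special".
LEGACY_CLASSES = (
    re.compile(r"[a-z]"),
    re.compile(r"[A-Z]"),
    re.compile(r"[0-9]"),
    re.compile(r"[^A-Za-z0-9]"),
)

# Substitutions users typically make to satisfy composition rules (assumed list,
# not part of any standard).
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})


def legacy_check(candidate: str, previous: frozenset = frozenset()) -> list:
    """The composition policy the column describes. Returns a list of rejection reasons."""
    reasons = []
    if len(candidate) < 8:
        reasons.append("shorter than 8 characters")
    if not all(cls.search(candidate) for cls in LEGACY_CLASSES):
        reasons.append("must mix upper, lower, digit and special character")
    if candidate in previous:
        reasons.append("matches a previous password")
    return reasons


def canonical(candidate: str) -> str:
    """Undo the predictable tricks (capital first letter, trailing digits/punctuation,
    leet substitutions) so that 'P@ssw0rd1!' is compared against the blocklist as
    'password'. This step is an assumption of the example, not an SP 800-63B rule."""
    s = unicodedata.normalize("NFKC", candidate).casefold()
    s = re.sub(r"[^a-z]+$", "", s)      # drop trailing "2024!"-style suffixes
    return s.translate(LEET_MAP)


def nist_style_check(candidate: str, blocklist=COMMON_PASSWORDS,
                     min_len: int = 8, max_len: int = 64) -> list:
    """Verifier rules in the spirit of SP 800-63B: a length floor and a long ceiling,
    Unicode normalisation, a blocklist of compromised/common values, and no
    composition or periodic-rotation requirement."""
    normalised = unicodedata.normalize("NFKC", candidate)
    reasons = []
    n = len(normalised)                 # code points, not bytes; spaces are allowed
    if n < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if n > max_len:
        reasons.append(f"longer than {max_len} characters")
    if normalised.casefold() in blocklist or canonical(normalised) in blocklist:
        reasons.append("matches a compromised or commonly used password")
    return reasons


def compare(candidate: str) -> dict:
    """Run both policies so the divergence is visible side by side."""
    return {"legacy": legacy_check(candidate), "nist_style": nist_style_check(candidate)}


if __name__ == "__main__":
    for pw in ("P@ssw0rd1!", "Summer2024!", "correct horse battery staple", "Pass1!"):
        print(f"{pw!r:35} {compare(pw)}")
```

Run as a script, the composition checker waves through "P@ssw0rd1!" and "Summer2024!" (they tick every character-class box) while rejecting a four-word passphrase for having no capitals or digits; the blocklist-based verifier does the reverse. The blocklist lookup is the part that actually stops the guessable choices the column complains about, which is why the length rule alone is kept and the composition rules are dropped.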
More broadly, though, the fact that recommendations are changing is recognition that while passwords have a place, the reliance on them as the first, main, or only form of user authentication is a mistake. The first step in solving any problem is admitting that there is one.