Passwords are useless

[Image: XKCD comic “correct horse battery staple”. Caption: XKCD shows the world how to do passwords better.]

Passwords really are awful. I could write an entire post about what an awful concept the password is to base our entire security paradigm on. Yet, still they persist, in the face of constant and public evidence that they don’t really work.

They are particularly flawed because they are just not designed for people to use – our brains are simply not set up to remember a unique, complex, non-linguistic key for every system we need secure and private access to.

Interestingly, preparing to criticise how awful passwords are in front of an audience led me to look into the origin of the computer password – most evidence suggests that the first computer passwords were used by users to access MIT’s Compatible Time-Sharing System at some point during the 1960s. As this Wired article recounts, they didn’t even secure CTSS very well. One creative user, looking to exceed his 4-hour time allotment, simply printed out everyone’s passwords.

Sadly, despite the early evidence that they did indeed suck, passwords are everywhere. If you’re a system administrator, please consider how you can implement multi-factor authentication and an identity management tool for your users – we use OneLogin for Identity Management and 2FA. You can even extend this as a perk to your staff for their own safety online.

For personal users, I’m a huge fan of Google’s implementation of mobile phone based two-factor authentication, 2-step Verification. If you use web based email, check with your provider whether they have a similar system (the last time I looked, both Microsoft and Yahoo had similar concepts, but I found Google’s the most usable).

I would also recommend that users favour using social sign-in wherever possible – use a strong password that you change relatively frequently (at least every 3 months or so) on Google, Twitter or Facebook. If you are given a choice when registering with a new website, use your social credentials.

For other applications or sites, I strongly recommend Dashlane (or another password manager) to generate incredibly strong passwords and look after them for you safely.

And if you don’t do any of those things, just follow XKCD’s great advice. Set your password to “correct horse battery staple”.
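As an added illustration (not part of the original post), here is the entropy arithmetic behind the XKCD strip, plus a generator that picks a fresh random passphrase rather than reusing the now-famous literal phrase. The word list is a constructed toy list; the 2048-word vocabulary and 1000 guesses per second are the strip's own assumptions.

```python
import math
import secrets

# Constructed toy word list for the demo; a real generator loads a large,
# published list (the XKCD strip assumes a 2048-word vocabulary).
TOY_WORDS = ["correct", "horse", "battery", "staple", "cloud", "river",
             "pencil", "window", "garden", "silver", "rocket", "lantern",
             "marble", "velvet", "tunnel", "orbit"]


def passphrase_entropy_bits(word_count: int, list_size: int) -> float:
    """Entropy of word_count words chosen uniformly at random from list_size words.

    Only valid when each word is drawn by a CSPRNG; a person choosing
    'memorable' words from the list gives the attacker a much smaller space.
    """
    return word_count * math.log2(list_size)


def password_entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string of `length` symbols from an alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every candidate at a fixed rate."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(words, word_count: int = 4, separator: str = " ") -> str:
    """Pick words with secrets.choice so the entropy estimate above actually holds."""
    return separator.join(secrets.choice(words) for _ in range(word_count))


if __name__ == "__main__":
    print(passphrase_entropy_bits(4, 2048))      # 44.0 bits, XKCD's figure
    print(round(years_to_exhaust(44, 1000)))     # ~558 years at 1000 guesses/s
    print(password_entropy_bits(8, 95))          # random 8-char printable ASCII
    print(generate_passphrase(TOY_WORDS))
```

The 1000 guesses per second figure models an online, rate-limited login; an offline attack against a leaked hash database runs many orders of magnitude faster, which is why the strip's passphrase should be paired with the two-factor authentication recommended above.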
