The Internet Password Paradox
Now we're creating passwords computers can guess and we can't remember
Passwords are annoying. Often you have to think of something that meets ridiculous safety requirements. It can't be so obscure that you forget it, but it also has to be hard enough for anyone to guess. Then you have to file it away along with the thirty-five other passwords you created for your favorite sites. And the painful irony of it all is that the system, which has more and more obscure passcode standards these days, has trained people to create passwords that computers can easily guess and that people just can't remember, as today's XKCD cartoon demonstrates.
The password system is broken. It's annoying for users and easy for hackers. And instead of crafting the perfect unbreakable code, people are forgoing security altogether.We're dealing with a password paradox. People either create guessable passwords, opening themselves up to hacking, or passwords become so difficult that nobody can remember them--and even then they're still hackable.
Even with fears of privacy and hacking, people still pick hackable codes, according to analyses reported by The New York Times's Ashley Vance. "One out of five Web users still decides to leave the digital equivalent of a key under the doormat: they choose a simple, easily guessed password like 'abc123,' 'iloveyou' or even 'password' to protect their data." With so many passwords to remember, it's just easier to pick something super-simple, Jeff Moss, who founded a popular hacking conference and is now on the Homeland Security Advisory Council, told Vance. "Nowadays, we have to keep probably 10 times as many passwords in our head as we did 10 years ago.... Voice mail passwords, A.T.M. PINs and Internet passwords--it’s so hard to keep track of."
Some sites have attempted to combat this password creation laziness by forcing people to be a little more creative, to mix letters with numbers, or pick non-dictionary words, but sites don't want things to get too difficult for people, explains Vance. "Still, researchers say, social networking and entertainment Web sites often try to make life simpler for their users and are reluctant to put too many controls in place." And even when organizations do force people to create a less hack-friendly code, it puts an unnecessary burden on people. And ironically, as University College of London researchers found, it causes people to create passwords that are too hard for humans to remember or easy for computers to guess. "When the requirements of the policy exceed users' capabilities, they are forced to develop more complex--or, alternatively, less secure--coping techniques." The researchers suggest we totally change the password system,
Rather than a one-size-fits-all approach, we argue for a flexible password policy tailored to mitigate the risks users actually face. This flexibility needs to extend beyond technical issues, to allow for the differing security needs of different work groups. Alternatively, perhaps the cloud will provide the motivation to finally move to a different authentication mechanism
You hear that? Maybe the cloud will save us all!