The Trouble with Passwords

Michael Vizard

We all know that the basic problem with passwords is that to remember them, we have to associate them with something easy to recall. Of course, that's what makes it relatively easy for hackers to figure out, as was the situation when Sarah Palin's e-mail system was hijacked.

A paper from Cormac Herley, a researcher at Microsoft, goes into detail about why users will never change their passwords regularly and why the entire password approach to security is fundamentally flawed.

There's much truth in what Herley says, but there are also few alternatives. So the question is whether there is a more efficient and effective way to manage user identity.

TriCipher Vice President Vatsal Sonecha contends that the industry needs to move toward a multi-factor authentication approach in which users log into a trusted portal. That portal, which in the case of TriCipher is called myOneLogin, will verify who that user is and vouch for his or her identity whenever they access secure content on a website.

The issue, of course, is that most websites that require passwords do not support tokens and certificates issued by trusted portals. Website owners want a better approach to identifying end users, but they don't seem to want to do anything to achieve that goal.

Fortunately, as a federated cloud computing model emerges, the need for identity management should force the issue. As Sonecha sees it, the whole OAuth process will be a service in the cloud that allows users to seamlessly navigate across federated services.

In the meantime, we may be condemned to muddle through until users simply get fed up with the whole password process or intellectual property theft reaches a level where website owners and service providers finally feel compelled to act.

Jun 3, 2010 10:39 AM Helen Harper says:

What about password managers? Like Sticky Password or LastPass. They are all great tools for these cases.

Jul 18, 2011 6:49 AM Alex says:

I use KeePass to store my passwords in an encrypted file, and Dropbox to automatically synchronize the password file to all my computers and phone.

No problem whatsoever.

Jul 18, 2011 8:47 AM amagic says:

I second the recommendation for password managers such as 1Password, LastPass or KeePass. There are also sites out there like where you can check if your account has been leaked out to the internet by hackers.

Jul 19, 2011 11:42 AM brian says: in response to amagic

Good point... I've been railing against the practice of forcing end users to change their passwords for some time now. It amounts to a lot of hassle and loss of productivity when you think of all the time put into troubleshooting lost/forgotten passwords, resets, and the like.

BTW, I think you mean "contend" in the 4th paragraph.
