We all know that the basic problem with passwords is that to remember them, we have to associate them with something easy to recall. Of course, that's what makes it relatively easy for hackers to figure out, as was the situation when Sarah Palin's e-mail system was hijacked.
A paper from Cormac Herley, a researcher at Microsoft, goes into detail about why users will never change their passwords regularly and why the entire password approach to security is fundamentally flawed.
There's much truth in what Herley says, but there are also few alternatives. So the question is whether there is a more efficient and effective way to manage user identity.
TriCipher Vice President Vatsal Sonecha contends that the industry needs to move toward a multi-factor authentication approach in which users log into a trusted portal. That portal, which in the case of TriCipher is called myOneLogin, verifies who the user is and vouches for that user's identity whenever he or she accesses secure content on a website.
The issue, of course, is that most websites that require passwords do not support tokens and certificates issued by trusted portals. Website owners want a better approach to identifying end users, but they don't seem to want to do anything to achieve that goal.
Fortunately, as a federated cloud computing model emerges, the need for identity management should force the issue. As Sonecha sees it, the whole OAuth process will be a service in the cloud that allows users to seamlessly navigate across federated services.
In the meantime, we may be condemned to muddle through until users simply get fed up with the whole password process or intellectual property theft reaches a level where website owners and service providers finally feel compelled to act.