So I ran across this article and it was just “wow” at how some people manage their passwords. Now I’ve seen the stickies under the keyboard (or worse, on the monitor), and I even remember a network admin I worked for a LONG time ago who knew what someone’s password was by the month (ABCXY, where ABC was the person’s initials and XY was the two-digit month). But it seems really bad when you need to carry them around on a cheat sheet in your badge sleeve.
But the reality is that this isn’t the user’s fault. We tell them to choose secure passwords, but then we don’t implement things like single sign-on to allow them to have one strong password for all the stuff on the network. We force them to choose different passwords (and I’ve been in places where the complexity requirements are even the same in all the systems), and then say you need to remember them all. It’s no wonder people choose weak passwords or write them down.
As I mentioned in my last post, what we really need to get to is a universal authenticator. The idea would be something stronger than a password, but also something the user could use over and over in different systems to prove identity, so we can finally move beyond the password.
I have to admit, I love the line (oft-repeated for many different things) that passwords are the worst authentication system in the world, except for all the other ones. If we want to move to stronger authentication, we need to provide something that is simple, universal, supports existing systems and most importantly, simple.