by sehrope 4659 days ago
Passwords are not dead. Simple single factor authentication using short passwords is dead. That's not a new thing either and they're not going away either. Biometric implants are cool but it's a long way away (and I'm pretty sure I don't want anything inserted into my arm...). Ditto for security rings and other gadgets. Yes they work but the general populace is not going to be using them for a long while.

I'd love to see some stats on two-factor usage at large installation like Gmail, preferably plotted against whether the user works in tech (or uses a VPN with two-factor token for work). I'm guessing the market penetration for it is pretty low for the average person. If that's the case then expecting lots of people to use something new/else (which involves getting a new physical device) is unreasonable.

Even with the "something you have" category (two-factor TOTP device, key ring, etc) it still makes sense to have a "something you know" category too. It covers the case of losing my phone/keyring (or having my bio-implanted arm chopped off though I'd assume at that point they could just use a $5 rubber hose to get the in-memory one).

Since passwords (or more accurately passphrases) aren't going away we at least should use them properly. My suggestions for how folks should handle them vary based on the tech literacy of the person.

For tech savvy folks:

- Use a password manager (ex: KeePassX)

- Long passphrase to unlock the password manager[1]

- Individual random passwords per site using the max length the site allows

- Use multiple email accounts for different functions (friends, shopping, finance, etc)

- Use two-factor auth everywhere that allows it

For the rest of folks:

- Use a passphrase for your email passwords

- Use a site that lets you use long passwords (Google does, Outlook doesn't[2])

- Use a separate email account for "important" accounts (ex: finance and everything else)

- Don't login to anything from other people's computers (net cafe, shared computer in a hotel, etc)

- For the really important ones (ex: your bank) use a very long complicated password and write it down[3]

- Learn more about security!

I make it a point to educate friends/family about tech security whenever I can. Two-factor auth is a good example of something that is a lot easier to grasp when you've got someone you know explaining its virtues to you ("So a bad guy needs your phone in his hand to login? That's cool!").

In the end, like all security, a lot of it comes down to personal responsibility and hyper vigilance.

[1]: https://xkcd.com/936/

[2]: http://nakedsecurity.sophos.com/2012/08/02/maximum-password-...

[3]: Yes write it down. People are bad at remembering long random strings but pretty good at not losing small bits of paper. It's the same thing as keeping a key in your pocket (or a spare key in your wallet). Plus it's much easier to explain to them that the paper is the key to unlock the account.


I'll go one further on your first paragraph: I'm pretty sure I don't want something implanted in my arm that lets Google identify me.

Passwords may have insecurity - but they also permit anonymity. I think people haven't even started thinking that far yet.

But do you want something in your arm that lets you identify yourself to Google when you choose so?

Face detection has many of the same issues and there isn't much you can do about it.

True enough - but I don't have to make it rigorous with an RFID chip, do I?

In light of Apple's announcement yesterday about Touch ID, a way to unlock the new iPhone with your fingerprint, I was hoping to hear someone weigh in on how safe it is compared to a passcode. I'd love to simply use my fingerprint as long as it meets HIPAA requirements for protecting sensitive emails and other data on my phone, but this Forbes article is suggesting the risk of spoofing fingerprints is still too great:

http://www.forbes.com/sites/andygreenberg/2013/09/10/apples-...

If your fingerprints go on a fraud list, you can't get new ones.

You can't repudiate your fingerprints.

Similar, worse problems for iris and DNA.

Imagine being on a watch list that you can't get off of.

This is not a good road to go down.

>> (or having my bio-implanted arm chopped off though I'd assume at that point they could just use a $5 rubber hose to get the in memory one).

Trust me, at the point they get the bone-saw out, they can save the 5 dollars on the rubber hose and simply ask ...

> Don't login to anything from other people's computers (net cafe, shared computer in a hotel, etc)

Even over SSL connections?

Yes even over SSL connections. You don't know if the other person's computer itself is compromised (e.g. key logger). Rather than instruct a not-so-tech-savvy person to make the decision of whether computer X is trustworthy the de facto default is "No it's not, don't use it".

In practice this doesn't really limit folks too much as how often do you really need to login from somebody else's computer? Can it seriously not wait till later?

My bank tracks my IP and notices when I'm logging in from somewhere new and asks me security questions or sends my phone a code like Google's double-auth (which I use). And then it asks me if I want to remember the computer I'm on.

I've been interested in a password manager but haven't tried them. Do my passwords get stored "in the cloud" or is it a local desktop/mobile app? If it's a local desktop app, can I copy my password DB to another computer I trust like say my work computer?

Been meaning to start creating new emails for different accounts. I might start doing that and just have Google aggregate them into one inbox.

> I've been interested in a password manager but haven't tried them. Do my passwords get stored "in the cloud" or is it a local desktop/mobile app? If it's a local desktop app, can I copy my password DB to another computer I trust like say my work computer?

It depends what you use. LastPass will stick them in the cloud if that's what you want.

I use Keepass, it's a local DB but I store a copy on dropbox for safety and convenience. You may not want to do that if you're really paranoid.

It's not the connection, it's the browser, the keylogger on the OS, the screencapture software they might have installed, etc.

Not talking about your own laptop at Starbucks. Don't use a rented machine.