Thursday, April 27, 2006
Greg Keizer wrote an article in InternetWeek reporting on the findings of a survey about password use. It appears that only 1 in 7 business users bother to create a different password for each web site that requires authentication. I don't think we needed a survey to confirm this. As the number of sites a user frequents rises, each with its own rules on what makes a good password, a lowest-common-denominator condition sets in. Without single sign-on capabilities, users will naturally gravitate to a limited selection of passwords.

Good password policy encourages us NOT to write down our passwords, so they have to be easy to remember. Web sites then typically apply good password protection by locking out the account after a few bad username and password attempts. The password therefore has to be easily recalled from a limited selection; otherwise we suffer account lock-outs and have new passwords emailed to us (in the clear).

At some point the industry has to either institute more sophisticated authentication, such as biometric recognition, or create a common, trusted authentication intermediary. My concern is that the latter is too charged with partisan self-interest among the major players to become a reality.
Posted by Mark Scrimshire at 2:34 PM