Wednesday, March 24, 2010

It's Time to Scrap the Password System

Passwords are out of hand. They are based on an archaic approach that is outdated and no longer manageable or effective. The idea of most password systems is the same as it was when computers were used through a terminal on a desk by one person to access specific applications. The idea is that the user should remember that password and not write it down anywhere.

But times have changed. Users now use a variety of devices to access a variety of applications. Many of the applications are on the web. They have numerous passwords to "remember". This writer, for example, has 81 passwords for the applications he uses. Nobody can remember 81 passwords, so they need to be recorded somewhere, which automatically creates a security risk. This is not uncommon. People often make use of password management software, but the security of that software is often weak or virtually non-existent.

Also, the passwords are used for multiple sessions, meaning if they are stolen they can be used fraudulently. This is at the core of much of the hacking that goes on.

The answer to this unfortunate dilemma lies in establishing a new password paradigm under which passwords are used only once, so that if they are stolen they cannot be reused. Since users could not remember these passwords either, there needs to be a system that recognizes a user, hands out a password when needed, and then makes it expire after the user logs out. Such systems are possible, and some examples of them are in use, but to make them available across the board requires the involvement of the internet service providers, who would supply the infrastructure to make the system work globally. The time for making this change is long past due. For an interesting take on this issue, see this article.
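The "used only once" scheme described above is what one-time password (OTP) systems implement. The following is an added example, not code from the original post: it implements the HOTP algorithm from RFC 4226 (a code derived from a shared secret and a counter that only moves forward) and a small server-side verifier, of my own construction, that records the last accepted counter per user so that a code which has already been used, or one that is older than the last accepted code, is rejected even if an attacker captured it. The 20-byte ASCII secret in the test is the RFC's published test-vector key; the user name is a constructed sample.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server side of the scheme (my own construction, not from the post).

    Each user has a shared secret and a `next_counter`. A code is accepted only if
    it matches one of the next `look_ahead` counters; accepting it advances the
    counter past that value, so the same code can never be presented twice and
    any earlier, possibly intercepted, code is dead as well."""

    def __init__(self, look_ahead: int = 5):
        self.look_ahead = look_ahead
        self.secrets: dict[str, bytes] = {}
        self.next_counter: dict[str, int] = {}

    def enroll(self, user: str, secret: bytes) -> None:
        self.secrets[user] = secret
        self.next_counter[user] = 0

    def verify(self, user: str, code: str) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        start = self.next_counter[user]
        for candidate in range(start, start + self.look_ahead):
            # constant-time comparison so timing does not leak how many digits matched
            if hmac.compare_digest(hotp(secret, candidate), code):
                # burn this counter and everything before it: the code is now spent
                self.next_counter[user] = candidate + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed demonstration: first use succeeds, replay of the same code fails.
    key = b"12345678901234567890"  # RFC 4226 test-vector secret
    server = HotpVerifier()
    server.enroll("alice", key)
    first = hotp(key, 0)
    print("first use:", server.verify("alice", first))   # True
    print("replay:   ", server.verify("alice", first))   # False
```

The look-ahead window lets a user's token drift a few steps ahead of the server (a generated but never-submitted code) without locking them out, while still guaranteeing that no counter value is ever accepted twice. Time-based OTP (RFC 6238) is the same construction with the counter replaced by a time step, which is how the "expires" property the post asks for is usually obtained.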
