Thursday, June 9, 2011

Passwords and Reality

The recent rash of hacker attacks on Sony websites prompted at least one researcher to conduct a study of how users choose passwords. What he found was unremarkable: people are using passwords that are easy to crack. They are re-using passwords on different sites, and they are not using non-alphanumeric characters in their passwords.

This is understandable. By now it is well known that strong passwords should not be common words, should be at least 8 characters in length and should include non-alphanumeric characters. The problem is that people want to use passwords they can remember, and they can't remember passwords that are difficult to crack. This is the basic conundrum of password administration. It's why passwords will never work as a security device.
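The three rules just listed (no common word, at least 8 characters, at least one non-alphanumeric character) are easy to encode as a server-side policy check. The following is an added example written for this post, not code from the original author; the word list is a small constructed stand-in for the large breached-password dictionary a real deployment would use, and the rule names are hypothetical.

```python
"""Password policy check implementing the three criteria stated in the post.

Assumptions: COMMON_WORDS is a tiny constructed stand-in for a real
dictionary of common/breached passwords; MIN_LENGTH follows the post's
"at least 8 characters" rule.
"""
import string

# Constructed sample dictionary (assumption); a real check would load a
# large breached-password list instead.
COMMON_WORDS = {
    "password", "letmein", "welcome", "qwerty",
    "monkey", "dragon", "sunshine", "123456",
}

MIN_LENGTH = 8


def check_password(candidate: str) -> list[str]:
    """Return the names of the policy rules the candidate fails.

    An empty list means the candidate satisfies all three rules from the
    post. Rule names ("too_short", "common_word", "no_symbol") are
    hypothetical labels chosen for this example.
    """
    failures: list[str] = []

    # Rule 2: minimum length.
    if len(candidate) < MIN_LENGTH:
        failures.append("too_short")

    # Rule 1: not a common word. Also catch the usual evasion of tacking
    # digits or punctuation onto a dictionary word ("password1!"), because
    # cracking tools try those mangling rules first.
    lowered = candidate.lower()
    core = lowered.strip(string.digits + string.punctuation)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        failures.append("common_word")

    # Rule 3: at least one non-alphanumeric character (punctuation, space,
    # etc.). str.isalnum() is False for exactly those characters.
    if not any(not ch.isalnum() for ch in candidate):
        failures.append("no_symbol")

    return failures


def is_acceptable(candidate: str) -> bool:
    """Convenience wrapper: True only when no rule is violated."""
    return not check_password(candidate)


if __name__ == "__main__":
    # Constructed sample candidates to exercise each rule.
    for pw in ["password", "Password1!", "abc", "Tr0ub4dor&3", "correct horse"]:
        print(f"{pw!r:16} -> {check_password(pw) or 'ok'}")
```

Note that a check like this only enforces the post's stated rules; it says nothing about how many guesses an attacker actually needs, so it should be treated as a floor, not a measure of strength. Stripping trailing digits and punctuation before the dictionary lookup is what stops "password1!" from passing on length and symbol count alone.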

Traditionally, the response of administrators and auditors has been to promote the use of stronger passwords, complete with frequent password changes, which makes it even more difficult to remember them. It just doesn't work.

The answer is to abandon the password system and adopt a biometric system. With biometrics, users don't have to remember anything. And their mode of entry is extremely difficult to duplicate and hack. There already are biometric solutions available, such as fingerprint readers, and more recently face recognition has been introduced. The ongoing rash of hacking attacks that depend on the use of old-fashioned passwords will continue until passwords are abandoned.

