Troy Hunt on Passwords
Troy Hunt has a good essay about why passwords are here to stay, despite all their security problems:
This is why passwords aren’t going anywhere in the foreseeable future and why [insert thing here] isn’t going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can’t access their accounts is going to change that. Nor will the technical prowess of [insert thing here] change the discussion because it simply can’t compete with passwords on that one metric organisations are so focused on: usability. Sure, there’ll be edge cases and certainly there remain scenarios where higher friction can be justified due to either the nature of the asset being protected or the demographic of the audience, but you’re not about to see your everyday e-commerce, social media or even banking sites changing en masse.
He rightly points out that biometric authentication systems—like Apple’s Face ID and fingerprint authentication—augment passwords rather than replace them. And I want to add that good two-factor systems, like Duo, also augment passwords rather than replace them.
Hacker News thread.
Clive Robinson • November 5, 2018 11:06 AM
Yes, passwords are here to stay, and with them “low entropy” that can all too frequently lead to security issues.
However, many fail to consider the changes in the way the legal system works these days, which is why passwords are going to hang around for a very long time. When you talk about “multifactor authentication”, the “something you have” and “something you are” factors are taken away from you by the law. That is, you have lost control of them legally; thus, in that respect, they are now useless privacy measures from an intrusive State, which they are all becoming these days.
This only leaves you the “something you know” factor under your control. The law cannot take it away from you; it can only coerce you where it is reasonable to do so. That is imprisonment by “contempt of court” or direct legislation.
The thing is that, as normal, the legislators are well behind the curve on this because of the “reasonable to do so” requirement, and that all jurisdictions actually have limits (even the US cannot make its definition of the law stand in other places such as Russia, China, and a whole list of places).
As I’ve explained before, there are other things you know other than passwords that can be leveraged so that it is no longer “reasonable”.
Thus passwords and “fast time outs” are just the first line of defence in protecting your privacy.