One thing information security is hopefully learning is that passwords are a bad idea. @adamshostack tweeted this:
Lesson of Gawker isn't "change your PW" it's "get a PW manager" use unique PWs per site
There is a rich history to learn from:
* Bob Blakley - Within this decade (circa 2006)
Static passwords are an unacceptable hazard, good alternatives exist, we should get rid of static passwords in favor of those alternatives, and we should do it fast.
* Steve Bellovin - Report of the IAB Security Architecture Workshop, 1998
One security mechanism was deemed to be unacceptable: plaintext passwords. That is, no protocol that relies on passwords sent over unencrypted channels is acceptable.
* Bill Gates (circa 2004) - Passwords are dead
* Nelson - can we stop using passwords now?
Passwords are an inhumane form of account security. They are bad user design. It is time to stop using passwords for most sites.
Why are they such a bad idea? I think the biggest issue is safety: the passwords and the data that they protect are logically bundled together in the same network, host and application zones. This has the effect of shipping dynamite and detonators together.
One bump in the truck and it all goes blam. There is no margin of safety in this system, much less any ability to signal failure or put the user in control. This is an area where information security should lead, instead of accepting the status quo and making firewalls the number one budget priority. Fixing the dynamite + detonator problem must be job one for anyone with security in their title (infosec, I am talking to you).
I remain hopeful that Information Cards will emerge to help us make the massive improvements that are needed to address the current state of affairs.