So, there is some tension between the complexity of passwords and the tendency of users to find shortcuts that make complex passwords easier to remember. Since this is really just a numbers game (we are trying to make passwords change within a time frame that makes them infeasible to guess), suppose we make passwords change more frequently but eliminate the features that make them harder to remember?
But now we are fiddling with passwords again and not really adding any more security.
We could add a second factor of authentication and make the whole system functionally impossible to crack. Two-factor authentication means that besides supplying something the user (or cracker) knows, she would have to either present something she possesses or pass a biometric authentication check. This is, in my opinion, a better way to allocate scarce security resources than making users create complex passwords (or passwords that merely look complex, if they are clever enough to use Fluffy!1), which mostly buy a false sense of security.
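The "numbers game" above can be made concrete. The following is an added example, not code from the original post: a small model that compares the expected time to guess a password against the rotation period, and works out how much entropy (and therefore how many characters from a given alphabet) a rotation period actually requires. It assumes passwords are uniformly random, which real human-chosen passwords such as Fluffy!1 are not, and the guess rates used are constructed illustrative values: a fast offline attack against a leaked hash versus a rate-limited online login.

```python
import math

# Constructed guess rates for illustration only (not measured figures):
# an attacker holding a leaked hash of a fast algorithm can try on the
# order of 1e10 guesses/s; an online login with lockout/throttling might
# allow on the order of 1e3 guesses/s across many accounts.
OFFLINE_GUESSES_PER_SEC = 1e10
ONLINE_GUESSES_PER_SEC = 1e3

SECONDS_PER_DAY = 86400


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password of `length`
    symbols drawn from an alphabet of `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time for exhaustive guessing to hit a uniformly random
    password: on average the attacker searches half the keyspace."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def rotation_beats_guessing(bits: float, guesses_per_second: float,
                            rotation_days: float) -> bool:
    """True if the password is expected to be rotated before an attacker
    at the given guess rate would, on average, find it."""
    return expected_crack_seconds(bits, guesses_per_second) > rotation_days * SECONDS_PER_DAY


def required_bits(guesses_per_second: float, rotation_days: float) -> float:
    """Minimum entropy so that the expected crack time exceeds the rotation
    period: 2**bits / 2 / rate > T  =>  bits > log2(2 * rate * T)."""
    return math.log2(2.0 * guesses_per_second * rotation_days * SECONDS_PER_DAY)


def required_length(alphabet_size: int, bits: float) -> int:
    """Shortest uniformly random password over `alphabet_size` symbols
    that reaches `bits` of entropy."""
    return math.ceil(bits / math.log2(alphabet_size))


def compare_policies() -> dict:
    """Evaluate a few constructed policies under both attacker models.
    Keys are policy names; values map attacker model -> (crack_days, ok)."""
    # (alphabet size, length, rotation days). 95 = printable ASCII,
    # 26 = lowercase only. These are sample policies, not recommendations.
    policies = {
        "8 chars / 4 classes / 90-day rotation": (95, 8, 90),
        "8 chars / lowercase / 30-day rotation": (26, 8, 30),
        "13 chars / lowercase / 90-day rotation": (26, 13, 90),
    }
    rates = {"offline": OFFLINE_GUESSES_PER_SEC, "online": ONLINE_GUESSES_PER_SEC}
    results = {}
    for name, (alphabet, length, rotation) in policies.items():
        bits = keyspace_bits(alphabet, length)
        results[name] = {
            model: (expected_crack_seconds(bits, rate) / SECONDS_PER_DAY,
                    rotation_beats_guessing(bits, rate, rotation))
            for model, rate in rates.items()
        }
    return results


if __name__ == "__main__":
    for name, per_model in compare_policies().items():
        print(name)
        for model, (days, ok) in per_model.items():
            print(f"  {model:8s} expected crack time {days:12.2f} days -> "
                  f"{'rotation wins' if ok else 'guessing wins'}")
    for rate_name, rate in (("offline", OFFLINE_GUESSES_PER_SEC),
                            ("online", ONLINE_GUESSES_PER_SEC)):
        bits = required_bits(rate, 90)
        print(f"90-day rotation vs {rate_name} attacker needs {bits:.1f} bits: "
              f"{required_length(95, bits)} printable-ASCII chars or "
              f"{required_length(26, bits)} lowercase chars")
```

The useful lesson is that the guess rate, not the rotation period, dominates: against an offline attack on a leaked hash, an 8-character four-class password is expected to fall in days, so a 90-day rotation buys nothing, while against a throttled online login even a short lowercase password outlasts a 30-day rotation. Rotation only helps once the hash has already been stolen, which is exactly the situation where a second factor, rather than a more complex password, stops the attacker.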