I often think, “Wow, if I had a dollar for every time I’ve helped someone reset their password, I could pay all my bills” — then I remember, I do have a dollar for every time I’ve helped someone reset their password! It’s paying my bills, but it’s a fundamental weakness in the information age. How long can we pretend that we are identifiable by a username or an email address and a password?
There have to be a hundred better ways to identify someone that can’t be hacked by running scrambled combinations through a graphics card? Actually, I’m really hoping the passwords have at least been encrypted by the storing server, in a format that doesn’t have a security hole [ahem, NSA — all those backdoors you wrote/required are either discovered or on their way to being discovered, thank you very little].
The sheer number of sites that have been hacked and the billions of passwords exposed make me seriously wonder why we continue to rely on a device that’s literally thousands of years old. Shibboleth may have been good enough for the Old Testament, but it’s a spectacular failure in the 2010s, when computing power has become so strong that all previous flaws have been exposed and exploited.
The easy answer is that it’s too late, at this point, to go back — there are billions of devices out there, running on username and password combinations, that are incompatible with whatever might replace that, and reprogramming those devices will be impractical, if not impossible. True, it will be difficult to go back and change the old stuff. But can’t we learn from our mistakes, cut our losses, and start moving forward now?
The sad answer is, because that’s the way we’ve always done it. But guess what? That’s not good enough!
So while we wait for the next billion-password hack, remember — longer passwords beat complex passwords, so use an easy phrase like “ThisIsMyAmazonPassword2017” for Amazon, “ThisIsMyNetflixPassword2017” for Netflix, and so on. And don’t write it down! Especially not on the back of your keyboard! Passwords, while we have to use them, should be easy enough to remember! If you can’t, you’re using the wrong password.
Actually, if you have an Apple password, you can’t use the above examples, because they contain the word “password”, which is a brain-dead rule if I’ve ever heard one. Apple, smarten up. You can’t ban the word “password” or the number 1999. It just makes things harder for your users.
As for the technicians who are still requiring username and password combos, please stop! Before the Russians hack your databases, too.