
Archive for September 1st, 2010

reasons why I hate passwords, part 1 of many

Wednesday, September 1st, 2010

There are a lot of reasons to hate passwords as an authentication mechanism – the fact that users hate them, that they are easy to guess/brute force, the overhead involved in maintaining the system when credentials are forgotten/lost, the overhead due to locked-out users, overreliance on a single factor of authentication, etc., etc. All of it comes down, though, to one central theme: using passwords puts the responsibility for security on the users and not the security folk, and this is a huge mistake. Users are not trained security professionals, and they can’t be expected to be. It is simply unreasonable to expect users to create unique strong passwords for everything they access, remember them, not write them down, and never forget them. They have other things to do, and security is just not one of them. I don’t want my employees to be the primary line of defense for IT systems I’m responsible for – I want qualified security personnel. If you use passwords for authentication, then that’s essentially what you’re doing. This is the root cause of all the other problems with passwords.

 