
Passwords are fine. The way we handle them causes the major leaks we're seeing.

For the record, I've had viruses and have been hacked in the past, but it never did any significant damage. Accounts are separated (unlike those of the writer of this article), different services on my server are isolated as much as possible, I use a number of password levels, etc. The hacks were due to carelessness, something that can always happen accidentally. What should not occur is that you're completely fried when one account or one technology fails, like the writer of this article was (his Twitter got hacked, all Apple devices were wiped).

What I think should happen is an improvement in terms of how we store passwords (for starters, don't write them down and put them next to your PC), how we enter passwords (the keylogger vs. hacked-password-manager problem), how passwords are transferred, how passwords are handled on the server, and how we can do password-equivalent actions. By password-equivalent actions I mean anything that bypasses the need for the password, such as password resets.

When these things are improved, passwords are still perfectly fine in 2012. For high-risk systems such as banks you surely might want to use two-factor authentication, but generally a password should be fine - or at least an option for those who think they can keep it safe.
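The comment above lists "how passwords are handled on the server" as one of the things to fix, and a later reply points at the publicly available leaked password databases. The following is an added example (not code from the page or from any of the commenters) showing both sides of that point in Python: an unsalted digest table that an attacker can match against a wordlist, next to a salted PBKDF2 record with constant-time verification and a rehash check. The KDF choice (PBKDF2-HMAC-SHA256), the 100,000-iteration count, the 16-byte salt and the record layout are assumptions made for the example; any proper password KDF such as bcrypt, scrypt or Argon2 would serve the same purpose.

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters for this example: PBKDF2-HMAC-SHA256, 16-byte random
# salt, 100,000 iterations. PBKDF2 is used only because it ships with the
# Python standard library; bcrypt/scrypt/Argon2 make the same point.
KDF_NAME = "pbkdf2_sha256"
ITERATIONS = 100_000
SALT_BYTES = 16


def unsalted_digest(password: str) -> str:
    """The weak scheme: a bare SHA-256 of the password, no salt, no work
    factor. Identical passwords give identical records, so a leaked table
    can be matched against precomputed digests of common passwords."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_with_wordlist(records: list, wordlist: list) -> dict:
    """Attacker's view of a leaked unsalted table (records are constructed
    sample data): one digest per candidate word recovers every user who
    picked that word, however many users that is."""
    lookup = {unsalted_digest(w): w for w in wordlist}
    return {user: lookup[d] for user, d in records if d in lookup}


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Produce a self-describing record: kdf$iterations$salt$digest.
    Storing the parameters beside the digest lets the server raise the
    iteration count later without invalidating existing accounts."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        KDF_NAME,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Recompute the KDF with the stored salt and parameters and compare in
    constant time, so timing does not leak how many bytes matched."""
    try:
        kdf, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False
    if kdf != KDF_NAME:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, iterations: int = ITERATIONS) -> bool:
    """True when a stored record is below current policy; the server should
    call hash_password again right after a successful login to upgrade it."""
    parts = record.split("$")
    return len(parts) != 4 or parts[0] != KDF_NAME or int(parts[1]) < iterations


if __name__ == "__main__":
    # Constructed sample leak: two users sharing the most common password.
    leaked = [
        ("alice", unsalted_digest("123456")),
        ("bob", unsalted_digest("123456")),
        ("carol", unsalted_digest("correct horse battery staple")),
    ]
    print(crack_with_wordlist(leaked, ["password", "123456", "qwerty"]))
    record = hash_password("correct horse battery staple")
    print(record, verify_password("correct horse battery staple", record))
```

Two salted records for the same password never match each other, so a leaked table of them gives the attacker no cross-user shortcut; each record has to be attacked separately at the full KDF cost.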




This comment reflects a lack of understanding of how non-IT folks deal with passwords. As the number of services we consume on the web has exponentially increased, the difficulty in remembering all those passwords has led the majority of us to keep 2 or 3 passwords for the whole lot, leading to what the author of the Wired article was guilty of.

That's not stupid, that's just what folks who have other stuff to worry about in their lives do with a technology they hardly understand. Security frameworks even for banking systems primarily depend on passwords and little else. It's similar to "getting past the gatekeeper to the fort, and then having access to the Armory, Queen's Chamber and the Royal Safe". Access should not be granted because you could recite 10 characters in the right order. It should be granted after having fully understood the context of your attempt, the history of the account and the account holder, and doing KBA (knowledge-based auth) commensurate with the damage that could happen if the wrong person accessed that account.

Passwords should die a horrible death. They are a mere fallacy. An illusion of security.


> This comment reflects a lack of understanding of how non-IT folks deal with passwords.

If that is so relevant, we should also kill online (and offline) banking, selling used cars and insurance, etc. ... Because clueless people will get owned and scammed everywhere.

What the article neglects is pointing out the total failure of Amazon, AT&T and Apple to protect their customers. It's complete nonsense to allow identity theft on the basis of information that is easily obtainable (credit card and social security numbers - they've been exposed hundreds of times and are no secrets). Class action suits might fix that in the long run, but at least don't blame passwords when they weren't the weakest link.


"If that is so relevant, we should also kill..."

No, because although some people may get scammed, there is still massive overall benefit to those services.


Yes! This is the problem: most people are non-techies (believe it or not) and have one password: 123456. Passwords are a slight inconvenience to them and that is why we have to design for the weakest link. The publicly available databases of passwords make them irrelevant for the vast majority of people.[2]

We are using the same method of authorization that was going on 1,000 years ago. "Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password."[2]

This method has no context in a world bursting at the seams with sharing, connection and relevance. Who are you, where did you come from, who is with you, what is your purpose and how did you get here?

It should be contextual like: What is the speed of a swallow? (African or European?)[3]

[1] http://www.cl.cam.ac.uk/~jcb82/doc/B12-IEEESP-analyzing_70M_...
[2] http://en.wikipedia.org/wiki/Password#Alternatives_to_passwo...
[3] http://www.youtube.com/watch?v=pWS8Mg-JWSg


"Passwords should die a horrible death. They are a mere fallacy. An illusion of security."

Wrong. Passwords have worked well for decades. They are, by far, the best balance between convenience and security. Service providers need to do a better job of taking into account other factors (IP addresses, cookies, recovery techniques) to mitigate breaches.
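The comment above says providers should weigh IP addresses, cookies and recovery techniques rather than treating the password as the whole decision, and an earlier comment calls for context and history before access is granted. As an added example (not code from the page or from either commenter), here is one way to express that in Python: a login decision that combines the password check with a few contextual signals, and a reset decision that treats recovery as a password-equivalent action. The signal names, the two-signal step-up threshold, the five-failure lockout and the device-cookie mechanism are assumptions for the example, not any provider's actual policy.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed thresholds for this example; a real deployment tunes them
# against its own abuse data.
STEP_UP_THRESHOLD = 2    # contextual signals needed before demanding a second factor
LOCKOUT_FAILURES = 5     # consecutive failures after which a password alone is not enough


@dataclass
class Account:
    username: str
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)  # values of a long-lived device cookie
    consecutive_failures: int = 0


def risk_signals(account: Account, ip: str, device_cookie: Optional[str]) -> List[str]:
    """Collect the context that a bare password check ignores: where the
    attempt comes from, whether the browser has been seen before, and
    whether the account is currently being guessed at."""
    signals = []
    if ip not in account.known_ips:
        signals.append("new_ip")
    if device_cookie is None or device_cookie not in account.known_devices:
        signals.append("unknown_device")
    if account.consecutive_failures >= LOCKOUT_FAILURES:
        signals.append("recent_failures")
    return signals


def decide_login(account: Account, ip: str, device_cookie: Optional[str], password_ok: bool) -> str:
    """Return one of: "deny", "step_up", "allow_notify", "allow".
    The password is necessary but not sufficient; context decides the rest."""
    if not password_ok:
        account.consecutive_failures += 1
        return "deny"
    signals = risk_signals(account, ip, device_cookie)
    if "recent_failures" in signals or len(signals) >= STEP_UP_THRESHOLD:
        return "step_up"        # second factor or KBA before any access
    account.consecutive_failures = 0
    if signals:
        return "allow_notify"   # let the user in, but tell them about the new location
    return "allow"


def decide_reset(account: Account, ip: str, device_cookie: Optional[str]) -> str:
    """A password reset replaces the secret outright, so it gets a stricter
    rule than login: any unfamiliar context requires a stronger check
    than the knowledge a stranger could look up."""
    return "step_up" if risk_signals(account, ip, device_cookie) else "allow"


def remember_context(account: Account, ip: str, device_cookie: Optional[str]) -> None:
    """After a fully verified login (password plus step-up if asked), record
    the context so the next attempt from it is low-risk, and clear the
    failure counter."""
    account.known_ips.add(ip)
    if device_cookie:
        account.known_devices.add(device_cookie)
    account.consecutive_failures = 0


if __name__ == "__main__":
    # Constructed sample account and attempts (documentation IP ranges).
    acct = Account("mat", {"203.0.113.5"}, {"dev-abc"})
    print(decide_login(acct, "203.0.113.5", "dev-abc", True))   # allow
    print(decide_login(acct, "198.51.100.9", None, True))       # step_up
    print(decide_reset(acct, "192.0.2.1", None))                # step_up
```

The point of the two separate decision functions is that the reset path is the one the Wired article's attacker walked through; if it is easier than login, the login policy is irrelevant.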


Yeah, right. However, the world in which we live is a bit more complicated than that.

Passwords are here to stay. They provide reasonable security.


"Passwords are here to stay. They provide reasonable security."

Words.

Since the premise of the article (and the person to which you've replied) is that your statement is false, you're going to need to provide more than the above to refute it.


This is EXACTLY what I had in mind when reading 'passwords should die a horrible death. They are a mere fallacy. An illusion of security.'

I did not make the irony clear, my fault.


Here is a good article discussing some of the tradeoffs with various password schemes; the fix is necessary but far from trivial.

http://css.csail.mit.edu/6.858/2012/readings/passwords.pdf


Passwords should die a horrible death. They are a mere fallacy. An illusion of security.

I'd bet that only a small fraction of a percent of accounts are hacked in a given year (by password or otherwise).

Though there's room for improvement, let's not pretend that currently popular security measures do nothing.


I agree with your core points: Passwords are not enough for accounts that need to be secure.

But one thing that a lot of this glosses over is that different accounts need different levels of protection. I really want things like my bank account to offer stronger protection than a password. On the other hand, for things like my Hacker News account and my dragongoserver account they are probably plenty, and it's not worth additional inconvenience to have more.

It would be like saying your average bike chains are dead because they can be defeated by bolt cutters. Bike chains are plenty of protection for an average bicycle, but I want something more protecting a safe deposit box.


> that's just how folks who have other stuff to worry about in their lives, do with a technology they hardly understand

If they have 'other stuff', why do they spend so much time posting about memes, or TV shows, or other meaningless stuff?

When I was in high school only nerds would know what a hard drive was, or what an email address was. Now everyone seems to know something about computers; everyone has email and Twitter and other things (even if they don't know what MFM encoding is).

The same can be true for password security.

Honestly, computer security is important, and therefore should NEVER be dismissed with the 'other stuff to worry' hand-wave. If someone doesn't know about it, they should learn.

If passwords are to be changed for a better technology, nothing changes about my point: people should learn to use it correctly, whatever that is.


> What I think should happen is an improvement in terms of how we store password (for starters, don't write them down and put them next to your pc),

Actually, given today's attack vectors, this would be an improvement. Remote attackers have greater and greater ability to compromise an account, but if the "key" is physically hidden away then it becomes an unreachable needle in the massive haystack that is our physical world.

(I'm speaking theoretically, of course, this does nothing to protect the user from the kind of attacks that are most common: phishing and social engineering)

When the password is a sticky note next to your computer, then the most imminent risk is that the janitor or a coworker will filch it from you. Then have your password be something you put on a sticky note, save for a memorable number that you prepend to it (but not something too guessable, like your birthday). The chance that this acquaintance who goes snooping around your physical cubicle is also going to run a brute-force crack is pretty slim... because such a person will likely have an easier way to violate your privacy or thieve from you.


Saying that online viruses can be solved if everyone practices better password management is like saying that offline viruses can be solved if everyone practices better hygiene management.

It's a great idea in theory, but the execution is the trick.



