
I Hate Passwords

In this day and age, it's extremely irritating to me that so much of what we do online is tied to passwords. Not only are they an extremely bad form of authentication (short strings of text, even if encrypted, are pretty easy to break), the websites that require them force you to add numbers and symbols and bizarre capitalization – making them all the harder to memorize (see the XKCD comic below) – and oftentimes force you to change them on a regular basis. Then, to recover the password when you inevitably forget it, websites impose extremely poorly thought out questions like “what is your mother’s middle name” or “where did you grow up” to prove that you are who you say you are – when a quick search online is likely to dig up that sort of information.

[Image: XKCD comic “Password Strength”]

The ideal solution would be something that doesn’t send passwords over the wire (it can still use passwords to authenticate, but at the bare minimum you shouldn’t be sending short encrypted strings), can use multiple factors (generally, it's MUCH harder to crack two or more forms of authentication simultaneously than just one), supports easier and painless means of authentication (like biometrics or entering a numeric PIN on your specific smartphone), and can support and trigger multiple tiers of authentication (e.g., if you’re wiring $10 versus wiring $10,000, you should be forced to authenticate at different levels for those two transactions).
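As an added example (my own sketch, not Nok Nok's or the FIDO Alliance's code) of the login flow this paragraph asks for, the script below has the server issue a fresh nonce and verify MACs over it, so neither the device key nor the PIN ever crosses the wire, and it steps up to a second factor once the transfer amount passes a threshold. It assumes a shared HMAC key in place of FIDO's public-key signatures (to stay stdlib-only) and a constructed $1,000 step-up policy.

```python
import hashlib
import hmac
import secrets
# Constructed example, not Nok Nok or FIDO code. The server sees only a fresh nonce and
# MACs over it; the shared-key HMAC (instead of a FIDO signature) is an assumption for stdlib-only code.

def required_tier(amount_usd: float) -> int:
    return 2 if amount_usd >= 1000 else 1   # constructed policy: big transfers need device + PIN

def pin_key(pin: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)  # slow: resists offline guessing

def mac(key: bytes, factor: str, nonce: bytes) -> bytes:
    return hmac.new(key, factor.encode() + nonce, hashlib.sha256).digest()

class Server:
    def __init__(self, enrolled: dict):
        self.enrolled = enrolled   # user -> {"device": key, "pin": pin verifier}, set up at enrolment
        self.pending = {}          # outstanding nonce -> (user, tier); single use

    def challenge(self, user: str, amount_usd: float):
        nonce, tier = secrets.token_bytes(32), required_tier(amount_usd)
        self.pending[nonce] = (user, tier)
        return nonce, tier

    def verify(self, nonce: bytes, proofs: dict) -> bool:
        entry = self.pending.pop(nonce, None)   # a replayed nonce is already gone and fails here
        if entry is None:
            return False
        user, tier = entry
        keys = self.enrolled[user]
        return all(f in proofs and hmac.compare_digest(proofs[f], mac(keys[f], f, nonce))
                   for f in ("device", "pin")[:tier])

def client_respond(nonce: bytes, tier: int, device_key: bytes, pin=None, salt=None) -> dict:
    proofs = {"device": mac(device_key, "device", nonce)}
    if tier >= 2 and pin is not None:   # step-up: also prove PIN knowledge, without sending the PIN
        proofs["pin"] = mac(pin_key(pin, salt), "pin", nonce)
    return proofs

def demo() -> dict:
    salt, device_key = secrets.token_bytes(16), secrets.token_bytes(32)   # constructed enrolment data
    server = Server({"alice": {"device": device_key, "pin": pin_key("4812", salt)}})
    results = {}
    for name, amount, pin in (("small", 10, None), ("large_no_pin", 10_000, None), ("large_with_pin", 10_000, "4812")):
        nonce, tier = server.challenge("alice", amount)
        proofs = client_respond(nonce, tier, device_key, pin, salt)
        results[name] = server.verify(nonce, proofs)
    results["replay"] = server.verify(nonce, proofs)   # same nonce and proofs again: rejected
    return results
```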

Luckily, a company called Nok Nok Labs (of which the firm I work for is a proud investor) is working with an industry consortium of some of the biggest names online (including Google and PayPal) and in hardware (including Lenovo and Infineon) called the Fido Alliance to build just such a system and get it supported by as many websites and devices as possible.

However, the nirvana of the password-less internet that Nok Nok is trying to build will take time to realize – so in the meantime, what I’ll settle for is asking websites to allow users to specify their own challenge-response questions. That way the user can specify a question whose answer is trivially simple for them to remember (e.g. an inside joke, a childhood secret) but extremely difficult for someone else to uncover. A few websites do manage to do this – and to each of you, I thank you – but the simple truth is many don’t, and that leaves me both insecure and annoyed.

Published in Blog

3 Comments

  1. peter

    Actually, allowing the user to choose a secret question can be bad. This is probably the weakest link in Google Account security. Some users choose really stupid questions that can easily be Googled or guessed, and in some cases it makes a strong password useless. This is usually the way celebs get hijacked.

  2. Ben

    That’s a good point — although the usual backup questions are pretty dumb as well… perhaps make it opt-in so that if you pick a bad password at least you are (a) opting in manually and (b) did it despite having alternative questions which were potentially not as dumb.

  3. Rowan

    What’s wrong with the Google Authenticator token-type password verification? The more important question is why does Google have better verification than my bank (or any other Australian bank)?
