February 11, 2013, 11:25 AM — It's hard to imagine an idea more inane than passwords. That we protect many of the most important aspects of our lives with little more than a short string of text is an extreme absurdity.
These collections of--admit it--eight characters are the gateways to everything from our bank accounts and medical records to our family photos to the most sensitive thoughts we've ever let slip via keyboard. To say merely that I loathe passwords would be to lump them with myriad other things in this world that deserve of a good loathing--whereas passwords deserve their own very special throne of infamy.
And the worst part of it all? There isn't a single, viable alternative.
If you haven't figured it out by now, I hate passwords. Their only redeeming value, from my perspective as a security professional, is that our reliance on them guarantees my children a decent college education.
I don't hate just the existence of passwords, or their faulty peculiarities (which I'm about to detail); I detest the fact that so much, of such grave importance, depends for its protection on a capitalized name (probably of a cat, dog, or lizard), a number (probably the last two digits of your year of birth or favorite athlete's jersey), and a concluding exclamation point. Never mind our personal accounts: These little strings are embedded throughout society's critical infrastructure. It wouldn't shock me at all to learn that the nuclear launch codes are stored on the President's computer, just waiting for someone to enter "BoTheDog2008!"--if not, as Dr. Strangelove anticipated, "PreserveOurEssences*1964."
What's so bad about passwords? Well, to start with, any decent password is either nearly impossible to remember or too long to deal with.
Take the "industry standard" recommendations of at least eight characters, with at least one uppercase letter, one lowercase letter, one number, and one symbol. But don't use a common name--oh, never that!--nor the names of anyone you've ever met or have been related to in the past 50 years. And don't be so stupid as to substitute a 3 for an E, or a 0 for an O, since we're told that all the attack tools can figure that out. Instead, pick something random, with no relation to you, add numbers and symbols, and then remember it for a mere 90 days before you're forced to change it to something else with no relation to any other password ever used in that system. (They check for those sorts of things.)