We've published entire features dedicated to passwords, containing reams of advice that unnamed technophobes and tech tyros in your family will never reasonably follow, because the advice itself is completely unreasonable. We layer hacks upon hacks as best we can to stabilize a foundation incapable of supporting a house of cards.
The devil we know
So what are our alternatives? Dropbox, Google, and others now offer options to send one-time passwords as text messages to your phone, which you then combine with your main password. This two-factor authentication is, again, great for the technically proficient and for sites that we deem important, but can you imagine trying to force the method down the throats of millions of users--a large percentage of whom are on AT&T, which loves to play "guess when the text will arrive"?
Of course, we could always provide physical tokens (as some banks and PayPal now do) that either plug into a device--whoops, wrong device drivers!--or display a small, changing code on an LCD screen. Good luck, then, handling the support calls that ensue after gnomes steal the tokens from the junk drawer where the user confidently tossed the dongles. The idea of being able to forgo keys for my car, and yet having to carry around a retractable key chain full of tokens, just so I can make an online bank deposit or upload my extensive Amazon review of a $30 cast iron Dutch oven, drives me to the brink of despair.
No, when you consider consumer services at the scale we're talking about, tokens are out. The planet doesn't have enough digital locksmiths driving around in panel vans to meet the demands for help by people who'll want to get back into BillPay at the end of every month.
What about biometrics? Fingerprint readers are cheap, Android phones include facial recognition for unlocking, and the resolution of FaceTime HD cameras on Macs is high enough to support iris scans. Those are great options--until the fingerprint reader gets dirty, or someone makes a high-resolution digital mask from a photo of you (yes, that actually works). Heck, even a photocopy of a fingerprint can fool all but the most expensive scanners.
And no matter how good your first layer of authentication is, an attacker can probably circumvent it and reset the relevant accounts simply by guessing the name of your middle-school mascot.
Here today, here tomorrow