I read Jakob Nielsen’s post on password security, and although he has a point, there are several reasons why this is a monumentally bad idea.
First, passwords are a fundamentally bad idea for all data risk classifications. Instead of trying to make passwords more usable, how about getting rid of them?
Second, exposing folks’ passwords in a shared environment will expose them in more ways than one. For example, most folks use the same password everywhere. I used to do this when I was 16. Then I migrated in 1989 to having low, medium and high security passwords. Then about five years ago, I migrated to using long random passwords for nearly everything. I do not know my password for my blog. I cut and paste my passwords from a password manager. I’m ashamed to say that I still use the low security password from 1989 from time to time – mostly to recover access to long lost internet sites. So your social networking site may have evaluated YOUR risk to be low, but that user uses the same password EVERYWHERE, including high risk sites such as Internet Banking, tax, their insurance login, etc.
Third, malware that currently captures screenshots when used against visual keyboards (security theater!) will have a field day with this scheme, or any scheme like it (think iPhone, where the last character typed remains on the screen for a second or so and then becomes a bullet). However, if you have malware, you have more interesting problems than just clear text passwords.
I am all for killing passwords. They are crap. They are insecure. They are hard to remember. IT Security folks with NO UNDERSTANDING of human nature, or of how this terrible usability costs the business, ask us to change them every 30 days, and you can’t have the same password as any from the last five years, and the password must not be a dictionary word and must contain punctuation and numbers and upper and lower case characters. The only people who can do that without ringing the help desk are the tin foil hat people like me who use password managers with long random passwords. I love going to sites with those sort of rules – the passwords are nearly universally on post-it notes or written on the cubicle wall or dry erase board. Dumb!
So how do we improve the situation? I strongly believe that for the average user, the browser should take over the credential for the user. A nice auto-generated certificate login managed basically transparently by the browser’s credential manager makes the most sense. This should be able to export to a standard file format that all the browsers agree upon so that users can upgrade their machines, and move amongst them. Obviously, Apple already has MobileMe to help sync those credentials around, and this will help folks like me with more than one computer. If you’re out and about and need to log in remotely, you log in to MobileMe (or similar), and approve the site you want to log on to for (say) 10 minutes from the computer you’re currently on. Then you go to the site you want, like Wikipedia or Travelocity, with your full strength credential… which will not stay on that machine and will not work after a few minutes.
For value transactions, the use of SMS transaction signing and two-factor transaction signing should be mandated where PII, financial or health data is concerned.
Then we can put passwords out of their misery, and folks never need to remember their passwords ever again. Jakob is right – passwords suck. It’s time for them to die.