The Bit Bucket (Greg Low): IDisposable

Ramblings of Greg Low (SQL Server MVP, MCM and Microsoft RD) - SQL Down Under

Opinion: Passwords as a concept are completely broken

One thing you get to do as you get older, or have been around the industry for a long time, is to pontificate. My pet topic today is passwords. I think that they are, as a concept, now completely broken and have been for a long time.

We tell users:

1. Pick something really complex

2. Don't write it down

3. Change it regularly

4. Use a different password for each site, and often each role that you hold in each site

5. Deal with the fact that we apply different rules for passwords on each site

etc., etc.

Is this even humanly possible? I don't think it is. Yet we blame the users when "they" get it wrong. How can they be getting it wrong when we design a system that requires super-human ability to comply? (These people are potential exceptions: http://www.worldmemorychampionships.com/)

We are the ones who are getting it wrong, and it is long overdue for us, as an industry, to apply our minds to fixing it, instead of assuming that users should just deal with it.

Published Wednesday, August 22, 2012 7:02 PM by Greg Low


Comments


jamiet said:

Greg,

Agreed. As a halfway house I use LastPass; it's not ideal (not least because it has a glaring single point of failure) but, for me, it's the best option right now.

JT

August 22, 2012 4:14 AM

Chris Donges said:

OpenID was an attempt to fix the problem.

http://en.wikipedia.org/wiki/OpenID

August 22, 2012 4:32 AM

RichB said:

Aye, and it's only getting worse, with many sites now demanding about 3 different passwords, letters from ordinal positions within them, and magnifying the problem with dates of birth and mothers' maiden names (which of course I am just going to plug into some poxy web forum).

Key fobs to generate randomish numbers, one of which you need a PIN to input first... HSBC needs: 1 x membership number (about 11 digits), 1 x memorable code (over 8 iirc) AND 1 x PIN to generate an RSA-type number to tap in.

Almost always there to protect what... a forum login??

August 22, 2012 5:51 AM

Ben Thul said:

I couldn't tell you what most of my passwords are. I, like Jamie, use something to remember and generate them for me. I like the combination of KeePass and Dropbox.

August 22, 2012 7:17 AM

Stephen Mandeville said:

I use KeePass 2 professionally and personally.

Free, and it works great.

Whole DBA team uses a shared version.

August 22, 2012 8:56 AM

snewfie said:

And I forgot to mention that I also use Dropbox to have access to my passwords from anywhere.

August 22, 2012 9:10 AM

@Hennie7863 said:

Yep, really true, and we need another solution for this. I'm getting crazy with all of the different passwords for sites.

Yet another problem is the devices. Some sites reset the passwords (in case you forgot) and the result of this is that I have to re-enter the password on every device.

August 24, 2012 9:53 AM

Andrew Oliver said:

September 3, 2012 9:01 PM
