People need to remember passwords for many different services. I count at least 50 passwords I personally use on a monthly basis including phone, ATM and online.
This makes it tempting for people to,
- reuse a few passwords across sites/channels,
- use a common pattern for passwords (family birth dates for example),
- rely on password memory memory systems (in web browsers or centrally through services such as Microsoft Live), and/or
- write and store passwords in easy-to-access places.
A five second Google search threw up a large number of articles decrying the weakness of passwords as a security method.
One I found interesting was How I'd hack your weak passwords, which provides details on the mistakes people make when creating passwords, and points out that when people use the same password across multiple sites the password is only as good as the weakest site's security.
So what's the alternative?
Given that passwords are not a strong security measure as they rely on the user to select secure passwords, the only real alternatives are to,
- Use more physiologically unique approaches to security (retina scans, fingerprints or brain waves),
- Employ physical tokens (random number widgets, cards or similar devices),
- Use innovative alternatives to passwords (such as join the dots)
- Make it clearer to people what is at risk and educate and support them in creating stronger passwords.
Given that most people are unwilling to spend extra money on a PC attachment to allow biometrics scans (though, like seat belts in cars or fire alarms in houses, they could be mandated by government and rolled out with new PCs over time) and issuing physical tokens is a costly exercise (and prone to physical theft), the most viable short-term option is to improve how we communicate with our customers.
I think that we could do a better job of educating people on how to create and manage large numbers of secure passwords, and addressing this area would by itself save significant costs in terms of fraud prevention and personal loss - not to mention password reset calls to call centres.
In the longer-run, I see a strong case for mandating biometric scanners on PCs.
What do you think?