In two recent stories about authentication and security, much hoopla was made about the lack of password security. In Dan Farber's blog about a 2004 Identity Management Survey, EDS and IAPP concluded it was really the humans who were at fault for the lack of cybersecurity. In another blog, a Microsoft MVP proposed that Windows users should start using entire phrases for their password, which is referred to as a "passphrase". Along with the fact that passwords are simply the weakest form of authentication to begin with, blaming humans for their insufficiencies or demanding that humans start using passphrases is like complaining that your 2-year-old doesn't know how to feed herself. To truly understand what it takes to build a secure authentication scheme, the following assumptions must be made about people.
- We're not good at memorizing long random strings of characters called passwords
- We're even worse at remembering multiple random passwords
- We don't like to change our passwords when they were already so hard to remember in the first place
- We like simple passwords
- If you force us to memorize multiple complex passwords and you force us to change them often, then we always have our trusty old sticky notes hanging off the side of our monitors.