Commentary

Passwords are no longer that — words that allow passage. Last time I checked, words didn't contain random letters or symbols, but we continually treat passwords like they are still words for one reason: it's convenient. Convenience is the reason why passwords ultimately don't work, and why they'll continue to fail us.
Inconvenience makes people do strange things. Having to wait at traffic lights sees people run across the road, risking life and limb just to get somewhere a few seconds faster. People allow packages to be "hidden" on their doorstep rather than secured at a post office. And people intentionally break the law to instantly download movies or music that they wouldn't mind paying for.
Inconvenience is the reason why no one wants to comply with strict password-complexity policies, or follow a number of so-called best practices.
On paper, complexity policies appear to solve the problem of brute-forcing passwords. They ensure that hackers have more combinations of characters to guess. That is effective if hackers are working through passwords by changing one character at a time, but most hackers don't.
In reality, most people respond to such complexity policies by taking their existing password and modifying it so that it meets the minimum requirement. This means that "password" becomes "Passw0rd!", or even "Passw0rd!Passw0rd!" to meet minimum length requirements.
Hackers are able to use the processing power of computers to run entire dictionaries of words against access systems. Lists of the most common words have even been developed to speed up the process. For that very reason alone, best practice dictates never using words as passwords, but this makes them horribly hard to remember unless some form of mnemonic is used, and even that is susceptible to being obtained through social engineering.
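As an added illustration (not part of the original commentary) of why a complexity policy does not defeat the dictionary approach described above: the checker below undoes the predictable substitutions and padding that users apply, and shows that "Passw0rd!" and "Passw0rd!Passw0rd!" satisfy a typical "three of four character classes" policy yet still reduce to "password". The wordlist is a tiny constructed stand-in for the real common-password lists, and the function names are my own.

```python
import re
from typing import Optional

# Constructed stand-in for a common-password / dictionary list (assumption).
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "monkey"}

# Substitutions users typically make to satisfy "must contain a digit/symbol" rules.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_complexity_policy(pw: str, min_len: int = 8) -> bool:
    """A typical policy: at least min_len characters and three of four classes."""
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3


def normalise(pw: str) -> str:
    """Undo the predictable mangling so the underlying word can be compared."""
    s = re.sub(r"[\d\W_]+$", "", pw)    # drop appended digits/symbols ("...123", "...!")
    s = re.sub(r"^[\d\W_]+", "", s)     # and prepended ones
    s = s.lower().translate(LEET_MAP)   # map leet characters back to letters
    return re.sub(r"[^a-z]", "", s)     # drop any remaining joiners or symbols


def base_word(pw: str) -> Optional[str]:
    """Return the dictionary word the password is built from, or None."""
    s = normalise(pw)
    if not s:
        return None
    for w in COMMON_WORDS:
        # Exact match, or the word repeated to pad out a length requirement
        # ("Passw0rd!Passw0rd!" -> "passwordpassword").
        if len(s) % len(w) == 0 and s == w * (len(s) // len(w)):
            return w
    return None


def assess(pw: str):
    """(passes_policy, base_word): a password can pass the policy and still be a word."""
    return meets_complexity_policy(pw), base_word(pw)


if __name__ == "__main__":
    for candidate in ["password", "Passw0rd!", "Passw0rd!Passw0rd!", "P@ssw0rd123"]:
        print(repr(candidate), assess(candidate))
```

A policy check that rejects any password whose base_word() is not None catches the "Passw0rd!" family that the character-class rule alone waves through.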
So if passwords aren't words, what are they? Ideally, they're completely random, long, and drawn from the widest possible variety of characters so as to make brute-forcing them character by character a painstaking task, and they contain nothing that could be deduced through social engineering.
But that raises another question. If a password like "nF1HU;.N.YC^N`:HH9]rQt2^" doesn't have anything to do with the user, what is the point of asking them to select a password?
Historically, the reason for allowing users to pick passwords has been convenience. But what that means is that organisations across the globe, whether they realise it or not, have made the decision to trade security for convenience.
That convenience has cost us dearly.
I remember reading in horror (admittedly with a grin on my face at times) after the Sony PlayStation Network (PSN) hacks as people tried the passwords that had been leaked. Twitter abounded with people saying things like, "I just found a PayPal account with $50 in it!" or "Talking to this guy's girlfriend on Facebook. She has no idea". Users were finding out the hard way that using the same password across multiple sites was in some cases literally costing them.
If everyone stopped treating passwords like words and instead like the random, unrelated strings of characters that they're ideally meant to be, we would have an interesting turn of events.
Password uniqueness would be enforced. If your password was stored negligently and exposed on one service, it wouldn't necessarily mean that you were compromised on another. If someone wanted to break into your account, they would be left with no clues as to where to start, with the only option being to brute force their way in. It sounds like an ideal solution.
However, out of convenience, and there's that word again, people are going to have to find ways to store and manage their now unmemorable passwords. Where does this lead us? Passwords on post-it notes, or stored insecurely in browsers, which in some cases do little more than store them in plaintext. We've done little but shift the problem elsewhere, and possibly for the worse.
Optimistically, password managers like LastPass and KeePass may see greater use, but in their current state they aren't convenient enough for the average user, since they make mobile apps a pain to use and they require that their databases be accessible on whichever computer the user is trying to use.
Password managers are something I use, have grown used to and would recommend to anyone who is tech savvy. They are probably our best hope for what we're stuck with at the moment. But for the majority, the idea of pairing a database with a cloud-based storage service like Dropbox and setting up all their devices to run a compatible client is prohibitively complicated and not at all convenient for everyday use.
But even if everyone uses completely random passwords, adopts what is arguably the current best practice of using a secure password manager, manages to configure it and cope with the quirks that using it might entail, there's still one fatal flaw that can cause everything to unravel — that password manager still needs a password to open it. And out of convenience, there will still be those who pick a pretty poor one.