Are users really to blame for poor security?

In two recent stories about authentication and security, much hoopla was made about the lack of password security. In Dan Farber's blog about a 2004 Identity Management Survey, EDS and IAPP concluded it was really the humans that were at fault for the lack of cybersecurity. In another blog, a Microsoft MVP proposed that windows users should start using entire phrases for their password which is referred to as a "passphrase". Along with the fact that passwords are simply the weakest form of authentication to begin with, blaming humans for their insufficiencies or demanding that humans start using passphrases is like complaining that your 2 year old doesn't know how to feed herself. To truly understand what it is to build a secure authentication scheme, the following assumptions must be made about people.

• We're not good at memorizing long random strings of characters called passwords
• We're even worse at remembering multiple random passwords
• We don't like to change our passwords when they were already so hard to remember in the first place
• We like simple passwords
• If you force us to memorize multiple complex passwords and you force us to change them often, then we always have our trusty old sticky notes hanging off the side of our monitors.

The truth of the matter is, well designed authentication themes will protect simple passwords while poorly designed authentication themes can't protect the longest and most complex passphrase in the world. Case in point, authentication mechanisms found in secure SSL Websites or secure Wireless LANs that use PEAP authentication can offer great protection for simple passwords. The real problem is, weak authentication schemes are so common that the most common technologies like HTTP, FTP, POP email, SMTP email, and Telnet all transport your passwords in the clear and no amount of password complexity and no amount of password rotation will amount to a hill of beans. Even common "security conscious" technologies like PPTP VPN or Cisco's LEAP Wireless authentication technology offer little or no protection against medium complexity passwords. I guess the real headline should be, IT firms screw up with weak technology but blames users instead. Ultimately, passwords needs to be completely replaced with hardware cryptographic tokens but in the mean time, at least use secure authentication protocols and stop beating up the users.