Hopefully Heartbleed is an exception but I think this XKCD comic needs to be a prerequisite for any discussion on the topic: http://xkcd.com/936/
There are multiple issues, but one of them is that computing has advanced and 6-8 digit passwords containing any combination of letters/numbers simply will no longer do if someone gets access to stored hashes.
Nearly every website on the Internet has a password policy that is simply wrong. Full sentence passwords are both easier for people to remember and harder to crack than passwords like qDF#@1^*m, and most people use one- or two-word passwords that are not even random. I have seen the XKCD topic debated multiple times at multiple places and everyone always brings up the same handful of debunked arguments against it.
Full sentence passwords don't have to be limited to only lower case letters and they are a good next step in security that more websites need to take. It's as simple as websites relaxing some of the password requirements for passwords that are a sufficient enough length, but convincing companies to adjust their long held incorrect views on password policies is an impossible task.
I agree that if biometric data does end up compromised it's much harder to change.
Another point I want to mention is credit cards and tokens. I don't understand why eCommerce sites I use need to store my credit card credentials that could be copied by hackers and programmed onto a new card. I actually had this happen where after one of the many famous credit card database hacks some random person in an Atlanta Walmart used a clone of my credit card for about $500 in purchases. To my knowledge they were not caught.
A simple method to avoid this that should probably be used is after a first transaction between say Amazon and my credit card company, my credit card company should issue them a permanent token to be used by them for all future transactions and they would save only that token. This way if someone compromises their credit card database the token they obtain would be useless to them. Considering how much money it would save in fraud I can't imagine why the technical limitations wouldn't be worth it.
Another measure that the US may see is a PIN number for the card at a physical point of sale instead of only a signature. I could literally sign my name as "Stolen Card" and nobody would notice.
Robert Walther
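An added illustration, not code from anyone in this thread, of the merchant-bound token idea described above: the issuer keeps the card number, the merchant keeps only a random token tied to that merchant, so a dump of the merchant's database is worthless elsewhere. The issuer and merchant roles, the names and the placeholder card number are all constructed for the example.

```python
import secrets


class Issuer:
    """Toy card issuer (constructed): the only party holding card numbers. It maps
    each merchant to a long-lived random token that stands in for the card there."""

    def __init__(self) -> None:
        self._vault = {}   # token -> (merchant_id, card_number)

    def issue_token(self, merchant_id: str, card_number: str) -> str:
        """Called once, after the cardholder's first verified purchase at a merchant."""
        token = secrets.token_urlsafe(24)        # random: derives nothing from the card
        self._vault[token] = (merchant_id, card_number)
        return token

    def authorize(self, merchant_id: str, token: str, amount_cents: int) -> bool:
        """Approve only a known token presented by the merchant it was issued to."""
        entry = self._vault.get(token)
        return entry is not None and entry[0] == merchant_id and amount_cents > 0

    def revoke(self, token: str) -> None:
        """After a merchant breach only that merchant's token dies; the card survives."""
        self._vault.pop(token, None)


class Merchant:
    """The merchant's customer table stores tokens only, never card numbers."""

    def __init__(self, merchant_id: str, issuer: Issuer) -> None:
        self.merchant_id, self.issuer, self.customers = merchant_id, issuer, {}

    def first_purchase(self, customer: str, card_number: str, amount_cents: int) -> bool:
        token = self.issuer.issue_token(self.merchant_id, card_number)
        self.customers[customer] = token         # the card number is discarded here
        return self.issuer.authorize(self.merchant_id, token, amount_cents)

    def repeat_purchase(self, customer: str, amount_cents: int) -> bool:
        return self.issuer.authorize(self.merchant_id, self.customers[customer], amount_cents)


def breach_demo() -> dict:
    """Constructed scenario: the merchant's database leaks; show what the dump is worth."""
    issuer, card = Issuer(), "0000000000000000"  # placeholder card number, not a real one
    shop = Merchant("example-shop", issuer)
    shop.first_purchase("alice", card, 1999)
    dump = dict(shop.customers)                  # everything an attacker would obtain
    return {
        "card_in_dump": any(card in v for v in dump.values()),
        "repeat_ok": shop.repeat_purchase("alice", 500),                   # legit reuse
        "stolen_elsewhere": issuer.authorize("other-shop", dump["alice"], 500),
    }
```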
WOW! I have my new password!
"warns us that although biometric information may be more secure than passwords" -- No. It's terribly easy to get your fingerprints by e.g. lifting them off a glass, smartscreen display or similar shiny surfaces. And once your fingerprints have been lifted there is no way of fixing that other than physically mutilating your fingers themselves. All the smartphones with fingerprint readers have already been provably compromised; there's an episode of Mythbusters where they compromise fingerprint systems, and so on. Passwords, at least, cannot be lifted from your mind.
Ralf Biernacki
I agree completely with Diachi. I've been attempting to use a technique similar to the xkcd idea---stringing together several random words. I had to run them together into a single long word without spaces, because 99% of sites will refuse spaces in passwords for no sensible reason.
But I've been frustrated at every turn. Most sites have this silly "one digit, one cap" and sometimes "one dash"* requirement. This just makes it more difficult for me to remember, but it's still less secure than a longer word. But guess what, most of them will simply not accept long passwords. This is frustrating and idiotic, as a long password is the best password.
Capitalization and digits hardly matter anyway. 99.9% of users, when forced to use a cap letter, will capitalize the first letter. I do it myself; it's marginally less secure, but the consistency makes it possible to remember the password. And adding a digit is actually less effective than adding another letter. Nobody in his right mind will mix digits randomly with letters, because that password will be illegible and unmemorizable to the user, and only marginally harder for the hacker. The alternative to memorization is of course writing the password down; I don't need to tell you how self-defeating this is.
Let us suppose that a user comes up with "trolololo" as a password (not my actual password, duh). When a site requires a cap and a digit what's that user gonna do? That's right. He'll write "Trolololo1". It's extremely unlikely that he'd write anything else. So what good does the "cap and digit" requirement do? Absolutely no good. It just wastes your time and annoys the pig, as the saying goes.
____________________________ *They say "a punctuation character" but in truth many login scripts will choke on most punctuation characters. Just forget about quotes, slashes or asterisks; about the only consistently acceptable "punctuation characters" are the dash and the underline. Again, what's the point?
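An added example, not code from any commenter, putting numbers on the "Trolololo1" argument above: the search space a complexity rule assumes versus the one an attacker who knows the habit actually has to cover, next to random-word passphrases. The 94-character alphabet, the word-list size of 7776 and the sample words are assumptions made for the illustration.

```python
import math
import secrets
import string

# Attacker-model parameters (assumed for this illustration, not figures from the thread).
WORDLIST_SIZE = 7776   # a public word list of the size commonly used for word passphrases
CHARSET = string.digits + string.ascii_letters + string.punctuation   # 94 printable, no spaces


def bits_brute_force(password: str, alphabet: str = CHARSET) -> float:
    """Naive estimate: every position independent and uniform over the alphabet.
    This is the figure a 'one cap, one digit' rule implicitly assumes it buys."""
    return len(password) * math.log2(len(alphabet))


def bits_random_words(n_words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """xkcd-style passphrase: n words drawn uniformly at random from a word list."""
    return n_words * math.log2(wordlist_size)


def bits_mangled_word(wordlist_size: int = WORDLIST_SIZE,
                      cap_choices: int = 2, digit_choices: int = 10) -> float:
    """A dictionary word, first letter maybe capitalised, one digit appended: the
    'Trolololo1' shape the rule predictably produces. An attacker who knows the
    habit searches words * caps * digits candidates, not 94 ** 10."""
    return math.log2(wordlist_size * cap_choices * digit_choices)


def complexity_rule_gain() -> float:
    """Bits the cap+digit rule adds over the bare word when users apply it predictably."""
    return bits_mangled_word() - math.log2(WORDLIST_SIZE)


def make_passphrase(words: list, n_words: int, sep: str = "") -> str:
    """Join n randomly chosen words; sep='' because many sites reject spaces."""
    rng = secrets.SystemRandom()
    return sep.join(rng.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    rows = [
        ("Trolololo1, naive brute-force estimate", bits_brute_force("Trolololo1")),
        ("Trolololo1, attacker who knows the habit", bits_mangled_word()),
        ("qDF#@1^*m, truly random characters", bits_brute_force("qDF#@1^*m")),
        ("4 random words", bits_random_words(4)),
        ("6 random words", bits_random_words(6)),
    ]
    for label, bits in rows:
        print(f"{label:45s} {bits:6.1f} bits")
```

The naive estimate for "Trolololo1" is over 65 bits, the habit-aware one is about 17 bits, and the cap+digit rule adds only log2(20), roughly 4.3 bits, over the bare word.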
"Passwords have been around as long as the Web."
They've been around a lot longer than that. Computers have used passwords for as long as there have been user accounts. And even before that, passwords have been used to control access to facilities or information for as long as anyone can remember.
Marco C
Biometrics could still be a good option if we remember that we have 10 fingers and we could use them in combination and add some additional modifier to scramble the encrypted biometric validation.
Of course, it's still not ideal, but lifting all 10 digits from someone's glass and inputting them in the precise combination of scans and keywords for instance would make it a lot harder for hackers and still fairly easy for the user. Certainly better than biometric or passwords alone.
I also agree that keyphrases need to be accepted more readily by more websites. Especially banks and e-commerce. There are plenty of websites where I don't use my real name, nor do I use my main email, and where I don't give a crap if anyone cracks it. They would get meaningless data and a bunch of posts I made in 2008. Big deal.
The real risk is sites that have your address, a portion of your credit card and so forth.
Credit cards should have a fob built in to them anyway for validation AND a passphrase.
I saw a recent example that suggested what amounts to a conventional password reset mechanism as the auth system. It's essentially a token system where it sends you a password or similar unique identifier via a separate channel (e.g. email or SMS) and you then use that token to log in, the idea being that your access to that channel is secured.
There's also Mozilla's Persona system which externalises a process similar to that: https://developer.mozilla.org/en-US/Persona
I'm also reminded of the Scott Pilgrim password scene: https://www.youtube.com/watch?v=rX_F2YYUUMQ
What about SQRL? I think it's pretty neat, although not optimal because it requires a camera phone.
"Biometrics could still be a good option if we remember that we have 10 fingers and we could use them in combination and add some additional modifier to scramble the encrypted biometric validation." This sounds like a cool idea, if the scanner is fast and accurate enough to read 10-100ms taps. The password could be like an index, index, middle, index tap code. But it still requires extra hardware, so it's impossible to put everywhere.
I use the password manager RoboForm to keep my information secure. It helps me to create unique passwords, so I don't have just one password opening the doors to all of my information on the web in a case like this. It also made it super easy to change any passwords to sites that were vulnerable to the Heartbleed bug, which could have otherwise taken hours for me to do. I recommend buying RoboForm to anyone who uses the internet for anything.
@Nat1987 LastPass and KeePass are free alternatives. They both use an encrypted password file, but LastPass syncs the file to the cloud and I think KeePass doesn't. LastPass is probably better simply for using multiple computers, but you can still sync the local pass file with KeePass by storing it on Dropbox. Dropbox doesn't encrypt your data natively (although the pass file still would be), but you can run nCrypted on top of it to encrypt your Dropbox data.