That's flawed logic. Most of the analysis comes from the Adobe leakage, and arguably a large share of users there didn't care about this service and used an easy and weak password. It would be much more interesting to have stats from active gmail accounts or bank accounts, for instance.
If the users intend to use some site only once but the site forces the users to make passwords, this is unsurprisingly what the passwords will be.
The users are actually quite smart in deciding how much effort is adequate for the realistically expected risk to them. Unless their perception is manipulated.
What alternative is there? When it comes to authentication, there are only a few categories:
1. Something you know: password, secret question, mother's maiden name. These can be forgotten. If the information is generated by the user, it has the potential to be something easily guessed.
2. Something you have: SSH key, GPG key, RSA token, Yubikey, Google Authenticator. These can be quite secure, but hard to use. Losing a physical auth token deprives the user of access. SSH/GPG key pairs depend on the security of the system(s) they're stored on.
3. Something you are: fingerprint, retina scan, face recognition, voiceprint. These are irrevocable and anathema to privacy. Worst of all, they're not very reliable or secure. Fingerprint scanners are stymied if one has recently been lifting weights or rock climbing. Face recognition is affected by lighting, makeup, glasses, hair, sunburn/tan, age, etc. Voice auth is a joke. It can fail due to emotional stress, sickness, or background noise.
Combinations can be used for more secure authentication, but so far nothing has been as simple or as convenient as a password.
You can split 2. into several pieces which will allow you to recover if you lose something. Imagine you have a SSH key, an authenticator token and a printed physical QR code and you can restore either of that if you have both of the rest.
I quite like the idea of presenting OTK (one time key) to end user in the form of QR code.
A simple example:
Suppose you're already a registered user of XYZ.com. You've just downloaded the XYZ.com mobile app and wanted to login. You then login to XYZ.com and go to the page My Account > My Login Code. I use the built in QR code scanner in XYZ.com mobile to scan the one use QR code on the page. Viola! Mobile app is now logged in and no need to type my 30 characters mix-of-alphabets-digits-symbols password on the phone's tiny little on screen keyboard.
12 comments
[ 3.2 ms ] story [ 37.8 ms ] threadThe users are actually quite smart in deciding how much effort is adequate for the realistically expected risk to them. Unless their perception is manipulated.
Article is garbage: sample is clearly biased.
[1] http://en.wikipedia.org/wiki/FIDO_Alliance
1. Something you know: password, secret question, mother's maiden name. These can be forgotten. If the information is generated by the user, it has the potential to be something easily guessed.
2. Something you have: SSH key, GPG key, RSA token, Yubikey, Google Authenticator. These can be quite secure, but hard to use. Losing a physical auth token deprives the user of access. SSH/GPG key pairs depend on the security of the system(s) they're stored on.
3. Something you are: fingerprint, retina scan, face recognition, voiceprint. These are irrevocable and anathema to privacy. Worst of all, they're not very reliable or secure. Fingerprint scanners are stymied if one has recently been lifting weights or rock climbing. Face recognition is affected by lighting, makeup, glasses, hair, sunburn/tan, age, etc. Voice auth is a joke. It can fail due to emotional stress, sickness, or background noise.
Combinations can be used for more secure authentication, but so far nothing has been as simple or as convenient as a password.
A simple example:
Suppose you're already a registered user of XYZ.com. You've just downloaded the XYZ.com mobile app and wanted to login. You then login to XYZ.com and go to the page My Account > My Login Code. I use the built in QR code scanner in XYZ.com mobile to scan the one use QR code on the page. Viola! Mobile app is now logged in and no need to type my 30 characters mix-of-alphabets-digits-symbols password on the phone's tiny little on screen keyboard.
> 23. azerty
Thank you france.