Since most users reuse passwords or use variants of it, we should push the industry towards something like PCI DSS for storing passwords and other user metadata. While PCI had credit card vendors to push it through, how can we do the same for user passwords and metadata?
Maybe industry consortium of the big players volunteering to use one. If compliance is expensive, new startups need not use it and consequently users will use a 'less important' password for these class of websites. Or they will use a 'Stripe' for identity.
PCI only "works" because the credit card companies have the final say on who can accept payments from their cards. It's a powerful position to be in, and they use it skillfully.
We are neither in the same position nor should we try to put ourselves there: the solution to password reuse is not stronger provider security, it's stopping password reuse. We're in the future, we have password managers and the integrate with the tools we put passwords into. There is no longer any reason that a human needs to remember hundreds of unique passwords, and thus no reason for a human to reuse a password in lieu of remembering multiple.
2 comments
[ 1.6 ms ] story [ 15.2 ms ] threadWe are neither in the same position nor should we try to put ourselves there: the solution to password reuse is not stronger provider security, it's stopping password reuse. We're in the future, we have password managers and the integrate with the tools we put passwords into. There is no longer any reason that a human needs to remember hundreds of unique passwords, and thus no reason for a human to reuse a password in lieu of remembering multiple.