Pro:
- Portable: Passwords, being stored in a person's memory, can be taken anywhere.
- Durable: Passwords, being non-physical, can't be "lost".
- Convenient: Quick to set up, requires no special client software.
- Ephemeral: If I change my password, the old one is gone!
- "Secure": Password strength is roughly proportional to length and alphabet size. A password can potentially be unguessable.
- Static: The password is the same every time.
- Anonymous: A password is not a unique identifier tied to a person. If I know someone else's password, I can authenticate myself as them.
- Forgettable: I
forgot4gotforeg0tfeurgot4Gottwhere did I write that darn thing down... - Potentially insecure: Memorable correlates with guessable, especially if it's based on PII, or uses "standard" sub5t1tu7i0ns 4 l3tters.
In this industry we're very good at finding the flaws in any strategy. At this moment, however, I've noticed we have more flaws than solutions. Reading that post today about the XSS attack against password managers (http://ha.ckers.org/weird/xss-password-manager.html) has me thinking that passwords might not be the best solution, but at least we understand the risk! As I see it now, passwords are at once never and always appropriate, in a world where eventually every solution we use will be broken.
ReplyDeleteSo, unless you've got any ideas about how to stop smart people from breaking things and publishing it on the internet...