Troy Hunt: Here's Why [Insert Thing Here] Is Not a Password Killer


23 bookmarks. First posted by tamberg 14 days ago.


by Troy Hunt. Briefly, passwords have the great, perhaps insurmountable, advantage of being extremely easy to understand. Many alternatives to passwords are now competing in the marketplace, and many of these are in fact superior to passwords in many ways. But all of them are more difficult (usually *much* more difficult) to understand than passwords. Every person understands how a password works. That understanding does not, in general, lead people to good practice in *using* passwords, but everyone *understands* them and how they can be compromised. (Everyone understands that if someone else finds out your password, that person can “pretend to be you” by logging in to your account.)

Also to read:

- https://www.troyhunt.com/passwords-evolved-authentication-guidance-for-the-modern-era/
security  password 
4 days ago by DGrady
Despite their respective merits, every one of these [proposed] solutions [to "replace the password"] has a massive shortcoming that severely limits their viability and it's something they simply can't compete with:

Despite its many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.

This is where we need to recognise that decisions around things like auth schemes go well beyond technology merits alone. Arguably, the same could be said about any security control and I've made the point many times before that these things need to be looked at from a very balanced viewpoint. There are merits and there are deficiencies and unless you can recognise both (regardless of how much you agree with them), it's going to be hard to arrive at the best outcome…

…Almost a year ago, I travelled to Washington DC and sat in front of a room full of congressmen and congresswomen and explained why knowledge-based authentication (KBA) was such a problem in the age of the data breach (https://www.troyhunt.com/heres-what-im-telling-us-congress-about-data-breaches/). I was asked to testify because of my experience in dealing with data breaches, many of which exposed personal data attributes such as people's date of birth. You know, the thing companies ask you for in order to verify that you are who you say you are! We all recognise the flaws in using static KBA (knowledge of something that can't be changed), but just in case the penny hasn't yet dropped, do a find for "dates of birth" on the list of pwned websites in Have I Been Pwned (https://haveibeenpwned.com/PwnedWebsites). So why do we still use such a clearly fallible means of identity verification? For precisely the same reason we still use the humble password and that's simply because every single person knows how to use it.

This is why passwords aren't going anywhere in the foreseeable future and why [insert thing here] isn't going to kill them. No amount of focusing on how bad passwords are or how many accounts have been breached or what it costs when people can't access their accounts is going to change that.


Essentially, we're stuck with what we started with, because it's so widely used. Though biometrics on phones do offer even less friction, and are increasingly hard to fool.
security  password  usability 
13 days ago by charlesarthur
Here's Why [Insert Thing Here] Is Not a Password Killer
from twitter
13 days ago by codepo8
via Pinboard (Popular items from Pinboard) https://pinboard.in/popular/
IFTTT  Feedly 
13 days ago by sbmandal

Despite its many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.
security  password  usability 
14 days ago by jefframnani
05 November 2018. These days, I get a lot of messages from people on security related things. Often it's related to data breaches or sloppy behaviour on behalf…
from instapaper
14 days ago by glessard
"...on a fairly regular basis, I get an email from someone which effectively boils down to this: {Hey, have you seen [insert thing here]? It's totally going to kill passwords!} No, it's not, and I want to articulate precisely why passwords have a lot of life left in them yet...
14 days ago by SecurityFeed
the conversation is going to get shut down as soon as you start asking companies to impose friction on their user
frixion-fric.psy 
14 days ago by mngful
Despite its many flaws, the one thing that the humble password has going for it over technically superior alternatives is that everyone understands how to use it. Everyone.
security  ux 
14 days ago by tamberg