| Thursday May 26th 2016

Passwords suck

Google cryptographer and all-round security expert Ben Laurie has been blogging some great security thinking lately. Today he has a fascinating, thoughtful piece about the problems with passwords:

So, where does this leave us? Users must have passwords, so why fight it? Why not admit that it's where we have to be and make it a familiar (but secure) process, so that users can actually safely use passwords, phishing-free? The answer to this is deeply sad. It is because we have done a fantastic job on usability of passwords. They're so usable that anyone will type their password anywhere they see the word "password" with a box next to it. Phishing is utterly trivial because we have trained the world to expect to be phished every time they see a new website.

Of course, we can fix this cryptographically – that’s easy. But let’s say we did that. How do we stop the user from ever typing their password into a phishable box from this day forward? So long as they only ever type the password into the crypto gadget that does the unphishable protocol, they are safe, no matter who asks them to log in. But as soon as they type it into a text box on a web page, they’re screwed.

So, this is why passwords are the worst usability disaster ever.
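The quoted argument hinges on the difference between a "crypto gadget that does the unphishable protocol" and a plain text box that receives the password. The following Python sketch is an added illustration, not Ben Laurie's code or anything from this blog. It assumes a constructed legitimate origin (https://bank.example), a constructed look-alike phishing origin (https://bank-example.invalid), and a gadget (think: the browser) that binds each response to the origin it actually connected to. The server keeps a PBKDF2-derived verifier rather than the password; this is a teaching sketch of origin-bound challenge-response, not a real PAKE.

```python
"""Origin-bound challenge-response versus a plaintext password box.

Added illustration (not Ben Laurie's or this blog's code). Assumptions:
  * legitimate site at the constructed origin https://bank.example
  * phishing site at the constructed origin https://bank-example.invalid
  * the "crypto gadget" is the browser, which knows the origin it really
    connected to and mixes that origin into every response it computes.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://bank.example"            # constructed
PHISH_ORIGIN = "https://bank-example.invalid"   # constructed look-alike


def derive_key(password: str, salt: bytes) -> bytes:
    """Stretch the password into a key; identical on client and server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class Server:
    """Holds a password-derived verifier, never the password itself."""

    def __init__(self, origin: str, password: str):
        self.origin = origin
        self.salt = secrets.token_bytes(16)
        self.verifier = derive_key(password, self.salt)

    def challenge(self) -> tuple[bytes, bytes]:
        """Fresh nonce per login; the salt is public so the client can re-derive."""
        return secrets.token_bytes(16), self.salt

    def verify(self, nonce: bytes, response: bytes) -> bool:
        expected = hmac.new(self.verifier, self.origin.encode() + nonce,
                            "sha256").digest()
        return hmac.compare_digest(expected, response)


def gadget(password: str, salt: bytes, connected_origin: str, nonce: bytes) -> bytes:
    """The unphishable protocol: the response is bound to the origin the
    browser actually connected to, which the page content cannot override."""
    key = derive_key(password, salt)
    return hmac.new(key, connected_origin.encode() + nonce, "sha256").digest()


def legit_login(server: Server, password: str) -> bool:
    """User on the real site answers the real server's challenge."""
    nonce, salt = server.challenge()
    return server.verify(nonce, gadget(password, salt, REAL_ORIGIN, nonce))


def plaintext_box_phish(server: Server, password: str) -> bool:
    """Today's web: the user types the password into the phisher's text box.
    The box just receives the string, so the phisher now owns the secret
    and can complete a genuine login from wherever they like."""
    captured = password
    nonce, salt = server.challenge()
    return server.verify(nonce, gadget(captured, salt, REAL_ORIGIN, nonce))


def gadget_relay_phish(server: Server, password: str) -> bool:
    """Strongest phishing move against the gadget: relay the real server's
    nonce and salt to the victim in real time. The victim's gadget still
    binds to PHISH_ORIGIN, so the relayed answer is rejected."""
    nonce, salt = server.challenge()                    # phisher opens a real session
    victim_response = gadget(password, salt, PHISH_ORIGIN, nonce)
    return server.verify(nonce, victim_response)        # wrong origin -> False


def demo(password: str = "correct horse battery staple") -> dict:
    """Run all three scenarios against one server; constructed password."""
    server = Server(REAL_ORIGIN, password)
    return {
        "legit": legit_login(server, password),
        "plaintext_box_phished": plaintext_box_phish(server, password),
        "gadget_relay_phished": gadget_relay_phish(server, password),
    }


if __name__ == "__main__":
    print(demo())
```

The point the sketch makes is the one in the quote: the cryptography is the easy part. The origin-bound response defeats even a live relay, but the defence evaporates the moment the user types the same password into an ordinary form on the phishing page, because then the phisher holds the secret and can run the gadget themselves. Note also that the server here stores a password-equivalent verifier, so a server breach still yields material for offline guessing; a real deployment would want a PAKE or a public-key credential for that reason.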


Related Posts: On this day...

Reader Feedback

2 Responses to “Passwords suck”

  1. Clay says:

    I was looking for this the other day. I don't usually post in forums but I wanted to say thank you!

  2. Mike says:

    I'd like to convey my respect for your generosity in support of people that have the need for guidance with this particular concern. Your special dedication to getting the subject matter all over has been wonderfully productive and has all the time made it possible for specialists much like me to accomplish their wishes. Your own priceless guide means a good deal to me and to my workers in offices. Thanks for your time; from every one of us.
