The modern practice of website password authentication is breaking down. I first began using passwords in the 80s to log on to BBS. I selected a password that was four letters, all lower case. In college, the university VAX required five characters, so I selected a new password. Later another system at college required at least six characters. I remember thinking that this was getting crazy. The trend continued. Here is a list completely from my memory on which years and systems I first encountered new password strength requirements.
|Year||System||Required Password Strength|
|1980s||Dialup BBSs||4 characters|
|1993||University VAX||5 characters|
|1995||University Math Department||6 characters, not a word in the dictionary|
|1999||Online Brokerage||6 characters, one number, separate 4-digit PIN|
|2001||Online Payment||8 characters, one number|
|2007||Bank||6 characters, one number, a registration cookie, a login shibboleth screen|
|2008||Company Login||6 characters, one number, one special character, at least one capital and one lower case|
10 characters, one number, one extended ASCII character,
max 3 contiguous letters or numbers, shibboleth screen, PIN
Shibboleth screen - A word I made up to describe a distinctive picture and phrase that the website displays after user name is entered but before the password is entered. If the shibboleth screen does not appear, users are not supposed to enter their password because the website may be spoofed.
Registration cookie - Some websites require additional challenge questions when you log in on a new computer. After that it leaves a cookie that tells the website only to require user name and password.
I invented my “future” password strength requirement out of whole cloth, but I would not be at all surprised to see that those requirements on a website tomorrow.
To remember a complicated password, it’s easiest to use the same password for all websites. I imagine reputable websites store passwords encrypted in such a way that it requires trivial computing power to verify if a user-entered password is right but that would requires enormous time to extract a password given only the file. Most websites submit passwords via a secured webpage so no one can steal the password on its way to the server.
The trouble with this is if any website fails to encrypt its password and users use the same password at every site, someone with that unencrypted list can log into every website the user is registered on. That risk defeats the entire purpose of requiring strong passwords. Unique requirements such as a separate PIN help until other websites adopt the practice and render it no longer unique. This leads to a race to maximum password complexity.
Software can store the passwords, but then the user is dependent of access to that software to log into the all websites. Anyone who authenticates with that software automatically has access to all the user’s websites. I hope websites move to something like fingerprint or face recognition. This opens the risk of someone providing a recorded fingerprint or face image. Devices that read them will have to have additional authentication to show the image data is authentic. No system will be foolproof. What we do now, though, is unwieldy and not all that secure.
Does anyone have a website authentication suggestion that would be easier to use and at leaset as secure as what we do today?