Over at acmqueue William Cheswich has an interesting article on Rethinking Passwords. After listing the usual litany of problems with passwords as a security measure, Cheswick traces the historical roots of the problem. He says that we are stilling using recommendations laid down in the “Green Book” from 1985. The Green Book—formally Password Management Guideline (Technical Report CSC-STD-002-85)—was one of a series of government publications at the time. The recommendations made a lot of sense at the time and some of them are still applicable today but they were promulgated at a time when the estimated rate of trying passwords was 8.5 per minute. Cheswich says that in many respects we have failed to move on.
He has some recommendations but they are pretty much the usual fare. They all make sense but suffer from the facts that
- We can't get the sites to implement reasonable password policies and even if we could,
- We can't get users to give up using “password” as their password on every site they visit.
Still, Cheswich has some interesting ideas and the article is worth taking a look at.