I was trying to create a Web account with my credit card company so I could update some information. The process was painful beyond endurance and their password policy revealed that they weren’t using the best practices method of hashing and salting with something like bcrypt. I kept thinking that there’s got to be a better way of securing sites than passwords.
Troy Hunt, whose security work Irreal has discussed many times, makes a cogent argument for why passwords aren’t going away any time soon. There are, to be sure, better methods of verifying user identity but none of them is going to replace the password. The reason for that is also the reason you see so many stupid and horribly insecure password policies on the Web: friction.
Users have a low tolerance for friction so Web sites with something to sell make it as easy as possible to sign up and log in[1]. Otherwise the users won’t be there. Some of the alternative methods don’t seem much harder than using a password but users are familiar with passwords and understand how to use them. That clever, vastly more secure, new method you’re proposing? Not so much.
So companies keep on using passwords even though much better methods exist. Read Hunt’s post for his complete—and much deeper—analysis of the situation.
Footnotes:

[1] Well, other than my credit card company, apparently.