We really, really need to move away from passwords as the primary security mechanism. Let me count the ways:
(1) We cannot make people choose hard passwords. We just can't. As proven by recent leaks in which people still, after a million warnings, have the dumbest passwords.
But the problem is more serious: the goalposts keep moving. The current standard - something like 10 random characters - is nearly impossible for people to remember. I use longish passphrases anywhere this is allowed, but it's blocked in lots of places, because, well, we can't have the network overloaded with the extra 19 bytes of data.
(2) Shoulder-surfing and keyloggers are capable of permanently hijacking passwords.
(3) Password managers do not provide the improvement we need - we can discuss this separately.
Who is with me for making http://en.wikipedia.org/wiki/Security_token absolutely ubiquitous? One additional thing I would like, which I think is still not present in any of these devices, is the ability to compute challenge-response internally, without relying on a client program on the computer. Internal computation of challenge-response would make us safer at untrusted terminals.
Oh, I completely agree, nothing is ever a panacea. But there is a difference between a security incident and a fundamentally broken system. And I believe that the current password systems are fundamentally broken in at least 2 ways:
(1) The permanent nature of the password, as opposed to one-time use (a three-month limit changes little).
(2) The current system relies on an assumption of certain user behavior - picking true high entropy passwords - which is just.not.going.to.happen. The lectures we give users on how they are living in sin are about as likely to change anything as the programs to educate "the new Socialist man".
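The posts above contrast a permanent password with a one-time value and ask for tokens that compute challenge-response internally. The following is an added sketch of that exchange, not code from the posts: it shows why a response captured by a keylogger or shoulder-surfer is useless afterwards. HMAC-SHA256, the 8-digit response, and the names `token_response` and `Verifier` are assumptions for illustration; on a real device `token_response` would run inside the token.

```python
import hashlib
import hmac
import secrets

DIGITS = 8  # length of the response the user types; an assumption for this sketch


def token_response(key: bytes, challenge: str) -> str:
    """What the token would compute internally: the key never leaves the device."""
    mac = hmac.new(key, challenge.encode(), hashlib.sha256).digest()
    # Reduce the MAC to a short decimal code a person can type at the terminal.
    return str(int.from_bytes(mac[:8], "big") % 10**DIGITS).zfill(DIGITS)


class Verifier:
    """Server side: issues random challenges and accepts each one at most once."""

    def __init__(self, key: bytes):
        self._key = key
        self._pending = set()

    def new_challenge(self) -> str:
        challenge = secrets.token_hex(8)
        self._pending.add(challenge)
        return challenge

    def verify(self, challenge: str, response: str) -> bool:
        if challenge not in self._pending:
            return False  # unknown or already used: a replayed pair ends here
        self._pending.discard(challenge)  # single use, even if the response is wrong
        expected = token_response(self._key, challenge)
        return hmac.compare_digest(expected.encode(), response.encode())


def demo() -> dict:
    key = secrets.token_bytes(32)  # constructed key, shared by token and server
    server = Verifier(key)
    c1 = server.new_challenge()
    r1 = token_response(key, c1)  # the user keys c1 into the token, types r1
    first = server.verify(c1, r1)
    replay_same = server.verify(c1, r1)  # captured pair replayed later
    c2 = server.new_challenge()
    replay_new = server.verify(c2, r1)  # captured response against a fresh challenge
    return {"first": first, "replay_same": replay_same, "replay_new": replay_new}


if __name__ == "__main__":
    print(demo())
```

The untrusted terminal only ever sees the challenge and the short response; the key stays on the token side of `token_response`.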