[Cryptography] Passwords: Perfect, except for being Flawed

Kent Borg kentborg at borg.org
Tue Feb 17 16:42:49 EST 2015


On NPR this morning I heard a nice mangling of the old Churchill line, 
saying that passwords are the worst authentication possible, except for 
all the other systems. It occurs to me there is something deep in that.

Passwords have serious problems, but they are a bit like the problems with 
one-time-pads: cumbersome--but otherwise perfect.

There is never going to be a generalized crack of the "password system". 
Even with some fancy Quantum Cryptography, passwords are not going to 
suffer a catastrophic failure. Flawed as they are in practice, passwords 
are a solid tool in principle.

All the alternatives risk failure ranging from major to gigantic. All 
the alternative systems are complicated and brittle. Passwords are 
simple. Distributed. Robust.

Our use of passwords, on the other hand, is terrible. But all the 
alternatives to passwords are worse.

We should quit trying to craft fragile replacements and instead resign 
ourselves to cleaning up our act: quit reusing the same passwords on 
different sites, pick good passwords, write down our passwords, but 
otherwise keep them secret*.

* Including not running spyware on our machines and not typing password 
Z into phishing site X.

And then tell the world to do the same.

Passwords are a fundamentally good system, but for their cumbersome 
details. All the alternatives are worse, and I think for rather 
fundamental reasons.

-kb

