I just came across this post over on Wired about password flaws. I encourage you to read it and consider what it has to say. In a nutshell (for those of you who stubbornly decide to NOT read it), it argues that passwords are ineffective, so long as password recovery is so easy to do. In other words, I can have the best password in the world, but if I can reset that password by just stating my name, my address, and my birthplace, then what's the point in having such a strong password? Someone can just call and have it reset to something they know.
It's an excellent point, and a very scary one. So much of what we do these days is tied up with our online activity. Technology needs to come up with a way to keep that happening--and keep it secure. I'm not sure what the answer to that is, but I know the first step is for people to start demanding that the companies they use online work hard to secure their information. One potential solution is to supplement the password with a second factor: something you have, not just something you know.
For example, when I play online games through Blizzard, I have an authenticator on my iPad. Once a week (or when I try to change important information), it asks me to put in a code that the authenticator generates. I open my iPad, start it up, read the code, and voila! I'm in. This could be problematic if I lose the iPad, but there are some ways to get around that. They typically involve texting a code to your cellphone, which is worth noticing: the fallback for a lost second factor is itself a recovery path, and it is only as strong as the phone number it goes to. It's true that if your iPad and cellphone get swiped, then that opens you up to trouble--but no more trouble than we're already all in *right now* anyway.
Biometrics are another possibility, but they need to be good enough to be fairly hard to beat. Right now, you can use a photocopy of a fingerprint to get past a fingerprint scanner. That's not security. That's laughable. And unlike a password, a fingerprint can't be changed once a copy of it is out there.
Then again, judging by how many people still use 123456 as their passwords, maybe I'm thinking about this too much. Maybe people really just don't care.
What do you think?