The first post on ‘compliance required stupidity’ addressed how using an email address as a username completely compromises one half of the security available to a login. This post will show how password compliance requirements further enforce stupidity.

In other words it isn’t the users who are inherently stupid, it is the websites that require stupidity.

Recently I visited a site that let me set a 20-character password without problem, but then wouldn’t let me use it to log in, requiring me to reset it before I was able to access the site the first time.

The most amazing thing about passwords is that web programmers don’t validate passwords in real time. How hard would it be to test a password and reject the top 250 common passwords? Can’t someone write a script? Or are owners too cheap? It comes down to enforced stupidity to comply.

There is, however, a different view on passwords. Long complex passwords are only difficult for people, not for computers. Wired reported in August 2014 on Microsoft research: ‘Turns Out Your Complex Passwords Aren’t That Much Safer’.

In the article, Robert McMillan eloquently addresses the issue that passwords are often unsecured on service provider servers. This alone represents a very serious threat to passwords: it doesn’t matter how long a password is if the servers collecting it aren’t secure. He concludes: ‘Either way, pinning your security on an insanely complex password is a fool’s wager. Just ask the people running the airline, travel and social networking sites that got hacked by Alex Holden’s Russian hackers.’

So compliance required stupidity is the legitimate scion and heir to the throne of stupid website owners. These sites are like black holes of intelligent internet security. And like black holes, they have their own event horizon, from which no intelligent action ever escapes. That event horizon is the ‘User Name and Password’.

Blaming users for stupid passwords is an excuse.

We need to eliminate the user name and password! Here’s how.

WAY too many sites simply don’t work with long/complex passwords. These sites employ developers who are trained by other people’s incompetence to keep passwords in the 8 to 13 character range and not allow dingbats or symbols. (Dingbats in printing: an ornamental piece of type…) The worst offenders won’t even allow spaces or special characters.
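The two checks this post asks for, as an added example written for this page (not code from the post or from BPID): reject a list of common passwords at submission time, and accept long passwords that contain spaces, symbols and non-ASCII characters. The common-password list, MIN_LENGTH and MAX_LENGTH are constructed placeholders, not a real top-250 list or any site’s policy.

```javascript
// Added example, not code from the original post or from BPID: a server-side
// password policy check that rejects a common-password list in real time while
// accepting long passwords with spaces, symbols and non-ASCII characters.
// COMMON_PASSWORDS is a constructed stand-in; a real deployment loads a top-N list.
const COMMON_PASSWORDS = new Set([
  "123456", "password", "12345678", "qwerty", "abc123", "letmein",
  "monkey", "111111", "iloveyou", "admin", "welcome", "football",
]);

const MIN_LENGTH = 12;   // assumed site policy; lengths are counted in code points
const MAX_LENGTH = 128;  // assumed cap; enforce the same cap at sign-up AND at login,
                         // otherwise a password accepted at set-up fails at login

// Returns { ok, problems } so a form can show every reason at once.
function checkPassword(candidate) {
  if (typeof candidate !== "string") {
    return { ok: false, problems: ["password must be a string"] };
  }
  const problems = [];
  const length = Array.from(candidate).length; // code points, not UTF-16 units

  if (length < MIN_LENGTH) problems.push(`shorter than ${MIN_LENGTH} characters`);
  if (length > MAX_LENGTH) problems.push(`longer than ${MAX_LENGTH} characters`);

  // Lower-case only for the list lookup; the raw value is what gets hashed.
  const lowered = candidate.toLowerCase();
  if (COMMON_PASSWORDS.has(lowered)) {
    problems.push("appears in the common-password list");
  } else {
    // Catch trivial dress-ups such as "Password1!" or "!!qwerty" by stripping
    // leading/trailing non-letters and looking the core up again.
    const core = lowered.replace(/^[^a-z]+/, "").replace(/[^a-z]+$/, "");
    if (core !== lowered && COMMON_PASSWORDS.has(core)) {
      problems.push("common password with a trivial prefix or suffix");
    }
  }

  // Deliberately no rule against spaces, symbols or non-ASCII: a passphrase
  // like "correct horse battery staple" must pass.
  return { ok: problems.length === 0, problems };
}
```

Run the same function on both the set-password and login paths; the post’s experience of a 20-character password that could be set but not used to log in is exactly what happens when the two paths enforce different rules.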

Paul Swengler

BPID is on a mission to eliminate the password in 2016. We are seeking partners to assist in making password-free a reality. Our asymmetrical data system makes eliminating the password possible without compromising security or convenience. To stay aware of our progress, please join us by signing up for our news at bpidsecurity.com.

Paul Swengler is the CEO and principal of Bulletproof ID, a password-free login. He can be reached through www.bpidsecurity.com and can be found on Twitter @bpids