Computer security and theories on passwording

I believe in simplicity. Not only that things should be simple (though not necessarily easy, just logically basic). Things like security through obscurity and unnecessarily complicated password schemes are all bad ideas.

That said, I don’t like Jakob Nielsen’s suggestion to implement cleartext password boxes. Many others have reacted to this as well, with various reasons.

Nielsen has some good points. Very farfetched, but good nonetheless. Masked passwords make users uncertain, which causes them to choose “overly simple passwords”. Some argue that “most people type from muscle memory“. I do that too, but I argue it only complies to “most people who actually consider security hazards”. We’re more self-encouraged to choose strong passwords and generally more computer-savvy. Most actual computer users have visual or literal memories. They remember/verify the password when they see it.

Also, muscle memory doesn’t work for handheld devices. So Nielsen makes a good point, if it weren’t for shoulder surfing. Though Schneier mentions a reader comment referring to a marvellous solution for that:

A reader mentioned BlackBerry’s solution, which is to display each character briefly before masking it; that seems like an excellent compromise.

But… The problem of good passwords isn’t solved. I strongly doubt that Nielsen’s cleartext boxes will make users choose something they wouldn’t be able to type when they’re drunk. (even though it’s a good idea in the sense of Gmail’s math security)

My personal theory is – in compliance with my love for Occam’s razor – that it might not actually be a problem. Users will always choose easy passwords. So why not – and sorry for stepping on Nielsen’s usability toes – force changing of passwords once in a while? It’s a pain in the ass, I know. But then again, it probably only should be implemented as perceived necessary depending on the service.

OpenID Logo
OpenID Logga

Another way out is if the use of OpenID became more widespread. OpenID would eliminate the problem with keeping track of which password is used where. Also I think it could be used to avoid password phishing attacks etc. if people were used to the process.