Web surfers drowning in a deluge of passwords


Passwords have outlived their usefulness: they are now one of the poorest forms of security and are very difficult to remember and use.

So claims Gridsure chief executive Stephen Howes, who said in an interview with IT PRO that organisations still used them as they were thought of as the "cheapest" option.

He quoted a statistic that, on average, people needed to remember 12 passwords but that most would not bother with different ones, reusing them instead, which was obviously very unsafe.

"We have got to the point now where passwords have started to outlive their usefulness, and to try and drag them out just that little bit longer we've sacrificed usability," Howes said.

"People are lazy. They want a life of convenience," he said. "They want things now and they want things handy. People lead busy lives. Do they really want to start worrying about complicated passwords?"

Howes said that passwords provided a "basic level of security," but in many cases, such as phishing and social engineering, they were the "lowest common denominator."

"It's becoming a lot easier to deduce what passwords are," he said. "I think that passwords will always be there, but it will come to a point where people put them in a box to what their real value is."

Google recently revealed that it was working on a new system called 'hybrid onboarding', a technology also used by Facebook, Yahoo and Plaxo to cut down the number of passwords a user has to remember.

Using a combination of OpenID, OAuth and Portable Contacts technology, it could, for example, allow somebody to register on Facebook with information from their Google account.

In a blog post, Google wrote: "Hybrid onboarding is also being used by enterprise SaaS vendors that want to eliminate the need for employees to create another password."

"In addition, after a thorough evaluation of the security and privacy of these technologies, the same techniques are being piloted by President Obama's open identity initiative to enable citizens to sign in more easily to government-operated websites," the post added.

Howes said that hybrid onboarding was a very good step in the right direction, but he was worried that the average user would not understand the concept of having a third party managing their login process.

He was also concerned about the way OpenID was "putting all your eggs in one basket".

"Using static passwords to protect that basket is, in my opinion, not a particularly secure means of safeguarding," he said. "If someone were to break that one password, they would potentially enter Aladdin's cave."