Passwords and their Discontents – O’Reilly


This article originally appeared in Business Age.

In commentary supplied to Business Age, I shot my mouth off saying that passwords are a poor solution for authenticating users–but none of the alternatives are very good, either. The choices available to us are at best poor.  So now I’m the victim of a follow-up question 🙂 What do I use?

Unfortunately, “what do I use” isn’t really a choice I get to make–more often than not, you’re stuck with the choices of the people who built the sites you use. So the best you can do is make sure you have a good password. A good password is a long string of random letters, numbers, and punctuation marks. There are a few ways of generating these. The simplest one is to let Google Chrome generate a password for you. (Firefox can also generate secure passwords.) While Google is widely mistrusted, I think that mistrust is misplaced. Google hasn’t been the victim of significant security breaches (unlike some well-known password managers), and they really have no interest in selling my passwords to other parties. Yes, zero-day exploits and frequent security updates to Chrome mean that there are vulnerabilities–but it also means that vulnerabilities are detected and patched. We should all be much more concerned about software that isn’t updated frequently.

Creating your own good password is only slightly harder than letting your browser do it for you–and, frankly, easier than creating a bad password (though not easier to remember). I open a text window and type randomly on my keyboard for a few seconds, yielding something like this: oe8h;org’pr/sajidj. (That’s 18 characters, generated in a couple of seconds.) I copy it and paste it into an application that needs a password. If it asks for punctuation, a digit, or a capital letter, I go back to the text window, add something that seems random, then copy and paste again. The copy/paste process lets you fill in the “retype new password” field without error. (If pasting isn’t allowed, I question whether I want to use that service.) Again, I let my browser save the password. It will synchronize across all my devices, which means that I don’t need to maintain a list of passwords.
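As an added example (my code, not the author’s or O’Reilly’s), here is the same recipe done with a cryptographically secure random source instead of keyboard mashing: draw a long random string, check it against the digit/capital/punctuation rules a site may impose, and estimate how much entropy the result carries. The 94-symbol printable-ASCII alphabet and the three required character classes are my assumptions, not something the post specifies.

```python
import math
import secrets
import string

# Assumed alphabet: every printable ASCII character except whitespace (94 symbols).
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Assumed composition rules of the kind sites impose: at least one of each class.
REQUIRED_CLASSES = {
    "digit": set(string.digits),
    "upper": set(string.ascii_uppercase),
    "punct": set(string.punctuation),
}


def missing_classes(password: str) -> list:
    """Return the names of required classes the password lacks (empty if it passes)."""
    chars = set(password)
    return sorted(name for name, cls in REQUIRED_CLASSES.items() if not chars & cls)


def entropy_bits(length: int, alphabet: str = PRINTABLE) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(set(alphabet)))


def generate(length: int = 18, alphabet: str = PRINTABLE) -> str:
    """Draw a uniformly random password with the secrets module (a CSPRNG), then
    redraw the whole string until every required class is present. Rejection
    sampling keeps the result uniform over the policy-compliant passwords,
    unlike patching in one digit at a fixed position."""
    if length < len(REQUIRED_CLASSES):
        raise ValueError("length too short to satisfy the policy")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


if __name__ == "__main__":
    pw = generate()
    print(pw, f"{entropy_bits(len(pw)):.1f} bits")
```

Run against the 18-character sample in the post, `missing_classes` reports only the missing capital letter, which is exactly the case where the author goes back and adds a character.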

And what about two-factor authentication (2FA)? Yes, definitely–use it wherever possible. A text to my cellphone isn’t ideal, but it’s adequate, and preferable to sending a code to email. There are ways to attack an SMS to your phone, but it’s not easy. But be careful–I once had an app that would let me text from my laptop. If anyone texted me, it would display the text in a popup window on the laptop, which defeats the purpose of 2FA. In general, you want to receive the security code on a different device from the one you’re using to log in. That’s a problem if you’re using a phone; I don’t have a good solution.

Password rotation? I resist that, although an authentication provider that I have to use requires it. The security community has long known that forcing users to change passwords on a regular basis is a bad practice. It encourages users to choose easily remembered passwords, and that’s the opposite of what we want. Think about it: if a random password hasn’t been brute-forced in the past 3 months, why do we think it’s more likely to be brute-forced in the next 3 months?  I get it–companies have to deal with insurers, and perhaps forcing users who are never going to come up with good passwords to change passwords regularly is a win. I don’t want to think about those statistics. But one good password is infinitely better than a bad password that’s changed regularly.

So–that’s what I do. It’s not elegant, and please don’t claim that it represents any “best practices.”  But that’s not really the point. What I choose to do is irrelevant, because I’m at the mercy of the people who create the sites I use. And their practices can be shockingly bad. Here’s a real example. I pay an elderly relative’s medical bills. Let that sink in:  we’re talking one of the most privacy-conscious and heavily regulated industries in the world. Recently, I got a legitimate request to pay a bill, with a link to a site where I can view it and pay. The email tells me that the account number, user name, and password are ALL THE SAME. And the account number is contained in the email. (And easily guessable.) That’s beyond horrendous. 

It’s unfortunate that there aren’t more good solutions out there, and that solutions like physical security keys aren’t more widely used. There was hope that passkeys would make passwords go away, but that hope is fading. Biometrics? If my Pixel phone would do a better job of identifying my fingerprint or recognizing my face when I take my glasses off, we could talk about that alternative. However, wishing that we had a better solution won’t solve the problem. Random passwords (regardless of how you generate them) and two-factor authentication are the best solutions we have now.