You might have read about [Bill Burr regretting his NIST distributed advice about passwords].

Passwords are terrible and the computer industry has been trying to figure out ways of doing things better than them for years and years.

Really, the breakdown is this: mixing numbers or capital letters into your password doesn’t help that much, because each extra character class only multiplies the attacker’s search space by a small constant. Having a longer password is markedly better, because every extra character multiplies the search space all over again.

[xkcd’s guide] is a great one for how to make a strong but memorable password. The trouble is that those long, all-lowercase passwords don’t meet anyone’s mandatory password requirements. You have to have a number in there. You have to have a capital letter in there.

Take a look at [How Secure Is My Password]. Really, what it does is guess how long a modern computer would take to brute-force a password. Here are a few examples:


Looks good: capital letter, a couple of numbers, and a special character. It thinks it’d take a modern computer four weeks to crack. I’d guess it’d be shorter than that with some cloud-based, distributed work.

mary had a little lamb

No upper case letters. No special characters. No numbers. Must be a real bad password, right? It’d take about two quintillion years. I was going to type out all the zeros but I realized I have no idea how many zeros go into that. And it doesn’t matter. By the time that password gets cracked, you’d be dead anyway.
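To see why the two estimates above come out so differently, here is a small calculator, added to this post and not part of the site linked above. It reproduces the character-level brute-force estimate (alphabet size raised to the password length) and, as the caveat a practitioner would want, the cheaper word-by-word estimate an attacker gets when a password is obviously a string of dictionary words. The guess rate of ten billion per second, the 10,000-word dictionary, the treatment of the space as a symbol, and the sample password `M4ry!lam` are all assumptions made for this example; the “four weeks” and “two quintillion years” figures in the post come from whatever assumptions that site uses, which are not reproduced here.

```python
import math
import string

# Character classes a naive brute-force estimator assumes the attacker must
# include once it sees that class in a password. Counting the space as one of
# the "symbols" is an assumption of this example.
CLASSES = (
    ("lower", string.ascii_lowercase),
    ("upper", string.ascii_uppercase),
    ("digit", string.digits),
    ("symbol", string.punctuation + " "),
)

# Assumed attacker speed: 10 billion guesses per second, a round number standing
# in for a GPU rig or rented cloud capacity against a fast hash. Not from the post.
GUESSES_PER_SECOND = 1e10


def charset_size(password: str) -> int:
    """Alphabet size implied by the character classes present in the password."""
    return sum(len(chars) for _, chars in CLASSES if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """log2 of the keyspace charset_size ** len(password) a character-level brute force must search."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(word_count: int, dictionary_size: int) -> float:
    """log2 of the keyspace when the attacker guesses word-by-word from a known dictionary."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to crack: on average the attacker finds the password halfway through the keyspace."""
    return 2 ** (bits - 1) / rate


def human_time(seconds: float) -> str:
    """Coarse, readable duration for the summary."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:.3g} years"


def strength_report(password: str, dictionary_size: int = 10_000) -> dict:
    """Brute-force estimate, plus the cheaper passphrase-attack estimate when the password is plain words."""
    bits = brute_force_bits(password)
    report = {
        "charset": charset_size(password),
        "brute_force_bits": round(bits, 1),
        "brute_force_time": human_time(expected_crack_seconds(bits)),
    }
    words = password.split()
    if len(words) > 1 and all(w.isalpha() for w in words):
        pbits = passphrase_bits(len(words), dictionary_size)
        report["passphrase_bits"] = round(pbits, 1)
        report["passphrase_time"] = human_time(expected_crack_seconds(pbits))
    return report


if __name__ == "__main__":
    # Constructed sample inputs: a short "complex" password and the post's passphrase.
    for pw in ("M4ry!lam", "mary had a little lamb"):
        print(repr(pw), strength_report(pw))
```

Run it and the eight-character mixed-class password lands around 53 bits, while the 22-character phrase lands around 129 bits under the same character-level model, which is the whole point of the post. The second number is the honest one to question, though: an attacker who suspects a phrase does not brute-force characters, they brute-force words, and five words drawn from a 10,000-word dictionary are only about 66 bits. That is still better than the eight-character password, but it is nowhere near quintillions of years, and a phrase as famous as a nursery rhyme will sit in a phrase list long before any brute force is needed. Length helps; length made of unpredictable words helps more.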

I get questions from time to time about why we’re not going all biometric. Why aren’t we using our fingerprints for everything? It’s built into many Americans’ smartphones, why not just use that to authenticate everything? The primary reason I give: if you lose control of your password, you change it. If you lose control of your fingerprint, you’re screwed until we can plastic-surgery you new fingerprints, which might defeat the entire purpose of biometrics. We’re not quite to the point of retinal scanning, but the same thing goes for it.

I think that having some sort of personal, hardware-based key would be a good idea, but I’ve never read anything that sounded like a solid implementation of this. And, if taken to the extreme, what happens when you lose the single piece of hardware that identifies you as you to everything else? That’d be a bad day.