There’s been a lot of articles on password safety popping up these past three months. By now, you’ve probably read (and maybe even written) several pieces on the subject. Interestingly enough, it seems we’ve been complaining about the way we deal with passwords for a long time now: Robert Hensing wrote about it in 2004, Jeff Attwood in 2005 — we even have an XKCD comic strip.
In case you missed the topic, a quick summary: for some reason, we’ve been using (and teaching to use) convoluted passwords, filling them with symbols and numbers, making them harder and harder to remember. Funny thing is, most of these tricks involving obscure passwords are not that effective in making a password safe. In the end, the property of a password that linearly scales with the complexity to crack it is length, not the amount and position of
Well, I’m not here to discuss the issue. I’m here to blame someone. And that someone is us. It’s our fault.
We, the developers/designers, have been pushing the way people think of passwords in the wrong direction for years and years. We’ve rejected their passwords time and again because they didn’t have enough numbers, or upper-case letters, or because they didn’t begin or end in a particular fashion. We’ve even created pretty password safety meters, that react with a bright shade of green when we type a symbol in, or when we alternate letters and numbers in an impossible-to-remember combination.
In short, we’ve been feeding everyone a huge lie: we taught users to think that if they have a hard time remembering a password, then it’s safe.
Now that we’ve all agreed that a short, easy to remember phrase such as “this password is really secure” is much more safe than a convoluted tangle of symbols, why don’t we stop including those deceiving safety meters? Why don’t we stop demanding numbers, symbols, upper-case and lower-case? Why are we still spreading the belief that the more complex a password is for us, the harder it is for a computer to break?
Why don’t we demand, instead, that passwords have three or more words? Why don’t we include a short password tip with an example phrase, rather than an exemplar mess of symbols?
Why don’t we just stop saying password already, and start asking for passphrases?