Last month a hacker posted 32 million user passwords stolen from RockYou, an online entertainment company with apps and widgets for Facebook and MySpace. The huge dataset was clear confirmation of something security experts have known for years: most users choose weak, easily crackable passwords. The most frequently used were "123456," "password," "rockyou," and common first names, all easily guessable or hackable with a dictionary attack.
Yes, this is a big problem, and yes, we all ought to choose more complex passwords. Unfortunately, pundits have wagged their fingers about this issue for at least 20 years, and users' password habits have not changed. IDs and passwords put security at odds with usability. Most users will always resent authentication as an annoying barrier between them and the content they want.
Currently, password security almost always comes at the expense of usability. You've likely heard the frequently cited guidelines: don't use dictionary words; use different passwords for every system; mix in non-letter characters. Your system can enforce all these rules, but you may end up with greater user abandonment. Even users who succeed in registering may need to write the password on a sticky note or forget it immediately.
Passwords and passphrases
About nine years ago, I wrote an article with some password UI tips, but I didn't touch on the issue of password strength.
Today many systems use an interactive meter to indicate how difficult a password would be to crack. This is a nice feature for promoting more secure passwords, but it doesn't promote memorability.
If UI designers would universally replace password with the term passphrase, that label alone might prompt users to generate longer, more memorable codes. Even with just a few short dictionary words, phrases are much more difficult to guess than a typical password.
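To make the strength comparison concrete, here is an added example (not code from the original article) of a strength check that does the two things the post argues for: it rejects anything on a small blocklist of commonly chosen passwords, because a dictionary attack finds those regardless of their nominal entropy, and it scores a multi-word passphrase by the number of dictionary words an attacker must guess rather than by raw character count. The blocklist, the thresholds and the assumed 20,000-word dictionary size are constructed for illustration; the brute-force estimate for a single password is an upper bound, since real attackers try likely patterns before the full keyspace.

```python
import math
import re

# Constructed stand-in for a leaked-password blocklist (not the real RockYou data).
COMMON_PASSWORDS = {
    "123456", "password", "rockyou", "12345678", "abc123",
    "jessica", "michael", "ashley", "princess",
}

# Assumed size of the word list a user draws passphrase words from.
DICTIONARY_SIZE = 20000


def charset_size(pw: str) -> int:
    """Size of the smallest character class mix that covers the password."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def password_entropy_bits(pw: str) -> float:
    """Brute-force entropy: log2(charset_size ** length)."""
    if not pw:
        return 0.0
    return len(pw) * math.log2(charset_size(pw))


def passphrase_entropy_bits(phrase: str, dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Entropy when an attacker guesses whole words from a dictionary of known size."""
    return len(phrase.split()) * math.log2(dictionary_size)


def estimate_strength(secret: str, dictionary_size: int = DICTIONARY_SIZE):
    """Return (verdict, bits) for a candidate password or passphrase."""
    if secret.strip().lower() in COMMON_PASSWORDS:
        return "rejected: common password", 0.0
    if len(secret.split()) >= 3:
        # Treat as a passphrase: the attacker guesses words, not characters,
        # so take the lower of the two models.
        bits = min(passphrase_entropy_bits(secret, dictionary_size),
                   password_entropy_bits(secret))
    else:
        bits = password_entropy_bits(secret)
    if bits < 28:
        verdict = "weak"
    elif bits < 50:
        verdict = "fair"
    else:
        verdict = "strong"
    return verdict, round(bits, 1)


if __name__ == "__main__":
    for candidate in ("123456", "jessica1", "correct horse battery staple"):
        print(repr(candidate), "->", estimate_strength(candidate))
```

Four ordinary words score higher than an eight-character mixed password here, which is the point of the passphrase label: length from memorable words beats complexity rules that users work around.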
There are now common-ID systems like OpenID and Facebook Connect that can log you into multiple sites with the same password. Of course, if that password is compromised, so are all the sites it unlocks. So the incremental enhancements of the past several years often still pit password security against usability.
Multiple factor authentication
More advanced and expensive systems use two-factor authentication. The factors in this case refer to the proverbial authentication triad "what you know, what you have, and what you are." This matches a password you know with a physical token you have (a piece of hardware like a smart card or USB thumb drive). Just like using an ATM, if you have a token, you can match it with an easy-to-remember PIN and be both usable and fairly secure.
Two-factor authentication is on the rise for corporate IT authentication and high-end software, but there's no way mass-market websites like Facebook could afford to send ATM cards to all their members. A snail-mail turnaround time would be unacceptable too. Though if you assume that all your users have mobile phones, you can implement a quick two-factor system on the cheap.
The third factor above, "what you are," falls into the domain of biometrics. Retina or fingerprint scans may seem like science fiction, but my last two HP laptops have come with fingerprint scanners. Unfortunately, their software was buggy, and I would accidentally launch it by resting my hands in a normal typing position. Clever use of laptop webcams with facial recognition software soon may allow seamless authentication by just looking at your laptop. It doesn't get much more usable than that!
Do you have best practices or examples to share? Please post them in comments. It should be easy enough to log in ...