This whole issue represents a failure of our industry, i.e. we still haven't provided a cost effective, easy to use replacement for this obsolete technology. Even the US Government (hardly a bastion of technological leadership) admitted 10 years ago that passwords were obsolete, so here we are still worried about all of those users who can'/won't apply the proper bandaids to this poor authentication tool.

For a cryptographically secure, easy to use, and widely accepted authentication mechanism, we would probably need certificates stored in smart cards or USB tokens. But since most computers don't have card readers, and not all OS's have support for USB, and there is no universally accepted PKI (Verisign is close), we just have no workable solution.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/245/26584#26584