Steven Bellovin is now Chief Technologist of the Federal Trade Commission, and he opened his tenure with an excellent blog entry about passwords: Password Compromises, a follow up to one of former Chief Technologist Ed Felton’s last blog posts in that position, The Problem with Passwords.
Felten’s gist: passwords are tough to do right, need to be protected, and though we’ve been working on trying to fix them for a long time they’re still better than the alternatives. Meanwhile, use a two-factor authentication method wherever possible.
Bellovin’s gist: here are some suggestions for doing passwords correctly and securely, because these are some of the ways that your passwords can be attacked. Oh, and use a two-factor authentication method wherever possible.
As a counter-point, consider Which Password Manager Is The Most Secure?. Decent overview of the issues with passwords and password managers, but the first comment points out that if you use a proprietary web service, then you’re at the mercy of that service (e.g., if it goes out of business, you are kind of screwed). This of course goes for any proprietary solution of any kind, but it is a particularly bad outlook for this application (storing passwords), considering the implications of losing access to all one’s passwords.
Protect those passwords!
