Why passwords are passé

Passwords are a lousy way to authenticate
Security Strategies Alert, by M. E. Kabay, Network World, 10/04/2007

Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.


I have long argued that passwords are a terrible way of authenticating identity.

Here's why:

* Many well-meaning but unaware people choose really stupid, easy-to-guess passwords such as the names of people important to them (or favorite sports teams, or the product whose billboard is visible from their office window, or the names of objects on their desk).

* Good passwords increase the keyspace not only by being longer but also by using upper- and lowercase letters, numbers and special characters - resulting in monstrosities such as “j3q(K8bX_*5” – and let’s not even think about allowing “O” and “0” in the character set.

* Some users generate their passwords using funny rules such as using particular letters from the words in phrases (e.g., taking the third letter of each word in “Mary had a little lamb; its fleece was white as snow”, and the last letter of the words “a” and “as” that are too short to have one, produces “rdatmsesiso”) - and then they forget the rules.

* People sometimes use numerical increments to get around rules preventing password reuse (e.g., fisu3nema, fisu4nema, fisu5nema. . .) thus compromising their next password as soon as the current password is discovered.

* Users often use exactly the same password for everything (their private Web e-mail, their corporate professional e-mail, their DVD-club login, their talking-slug club - everything) with the result that any single password compromise is a potentially complete security compromise.

* Making passwords hard to guess forces many people to write them down.

* Physically recorded passwords get stored in the same places network security auditors have always found them: in desk drawers, under keyboards, under chair seats, in files labeled “C:\passwords.txt” and even in plain view on the back (or front!) of video screens.

* When people do pick hard-to-guess passwords and don’t write them down, they often call the help desk or security administrator to reset them because they forget them, causing a great deal of irritation and wasted time for everyone concerned.
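Two of the failure modes in the list above can be caught mechanically at password-change time: a keyspace that is too small because the user stayed inside one character class, and the incremented-counter trick (fisu3nema, fisu4nema, fisu5nema). The following Python is an example added here, not code from this column or from any product it mentions. Its function names, the 60-bit threshold, the 10-step counter window and the use of SHA-256 as a stand-in for a real salted, slow password hash are all assumptions of the example; the password history it checks against is constructed from the article's own sample strings.

```python
import hashlib
import math
import re
import string

# Character classes whose presence enlarges the keyspace: the article's point
# about mixing upper- and lowercase letters, digits and special characters.
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
            string.digits, string.punctuation)
_DIGIT_RUN = re.compile(r"\d+")
COUNTER_WINDOW = 10  # assumption: how far a counter is walked back when hunting variants


def keyspace_bits(password: str) -> float:
    """Bits of brute-force search space implied by the length and the
    character classes actually used.  This is a ceiling, not a strength
    measure: "rdatmsesiso" scores as 26^11 but is a nursery rhyme with a
    rule applied, and a dictionary attack never searches 26^11 strings."""
    alphabet = sum(len(c) for c in _CLASSES if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def pw_hash(password: str) -> str:
    # Stand-in for the stored verifier (assumption of this example).  A real
    # system keeps a salted, slow hash such as bcrypt, scrypt or Argon2;
    # plain SHA-256 is used only so the example runs on the standard library.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def counter_variants(password: str):
    """Yield the passwords the user plausibly had before `password` if it is
    the latest of a sequence like fisu3nema, fisu4nema, fisu5nema: each digit
    run walked back by 1..COUNTER_WINDOW, plus the string with that run removed
    (the case where a counter was appended to an old password)."""
    for m in _DIGIT_RUN.finditer(password):
        head, tail = password[:m.start()], password[m.end():]
        n, width = int(m.group()), len(m.group())
        yield head + tail
        for k in range(1, COUNTER_WINDOW + 1):
            if n - k < 0:
                break
            yield head + str(n - k).zfill(width) + tail


def derived_from_history(password: str, history_hashes) -> bool:
    """True if `password`, or a counter-variant of it, hashes to an entry in
    the stored history.  Only hashes of old passwords exist, so the check
    hashes candidate predecessors instead of reading the old passwords."""
    stored = set(history_hashes)
    if pw_hash(password) in stored:
        return True
    return any(pw_hash(v) in stored for v in counter_variants(password))


def check_new_password(password: str, history_hashes, min_bits: float = 60.0):
    """Return (accepted, reason).  The history check runs first so that an
    incremented password is reported as such rather than merely as weak."""
    if derived_from_history(password, history_hashes):
        return False, "trivial variant of a previous password"
    bits = keyspace_bits(password)
    if bits < min_bits:
        return False, f"keyspace too small ({bits:.1f} bits < {min_bits})"
    return True, f"ok ({bits:.1f} bits)"


if __name__ == "__main__":
    # Constructed history: the article's counter sequence, stored as hashes.
    history = [pw_hash(p) for p in ("fisu3nema", "fisu4nema")]
    for candidate in ("fisu5nema", "fisu9nema", "j3q(K8bX_*5", "rdatmsesiso"):
        print(candidate, check_new_password(candidate, history))
```

The history check can only catch counters within the window it walks back, so a user who jumps from fisu3nema to fisu20nema slips past it; widening the window costs one hash per step per digit run, which matters once the verifier is a deliberately slow KDF. The keyspace figure is likewise an upper bound for a blind brute-force attacker and says nothing about guessability from dictionaries or from the rule-based strings the article describes.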

A study published last year by Nucleus Research reported findings on user behavior concerning passwords. To no one’s surprise, the researchers found that “More than a third of employees write down or electronically record their passwords, creating significant vulnerabilities. Even worse, lowering the quantity of passwords, changing password complexity, or changing password change frequency had no impact on employee actions.”

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services. CV online.

Comments (7)

RE: Why passwords are passé
By stuberman on October 4, 2007, 11:15 am
It would be simpler to say that passwords are passé because they are discoverable and once discovered they offer no protection. Re: Why passwords are passé. The...

I agree
By Anonymous on October 4, 2007, 11:33 am
The biggest problem I have is people using the month and the year. That has to be one of the easiest to do. Or you have the random user that has a Post-it right on...

RE: Why passwords are passé
By JB on October 4, 2007, 3:16 pm
The big problem is that the alternatives to passwords buy a little time without really solving the problem. The three "traditional" methods of authentication --...

Passwords
By Philip Dunlop on October 4, 2007, 6:19 pm
This is just depressing. Are there any similarly inexpensive, readily available, easy to use methods of securing systems and their data? Or do we have to generate...

Passwords are here to stay
By Peter on October 5, 2007, 11:55 am
Passwords are anything but passé, and will probably be around for a very very long time to come, simply because they offer the best cost/benefit ratio: - Cost:...

passwords
By Anonymous on October 25, 2007, 12:55 pm
I've read these same things elsewhere. Invariably everyone is cast as stupid. I think you are proposing that people memorize twenty strong passwords and get used...
