In his newsletter last week my colleague M.E. Kabay points us to a draft release of a new paper from the National Institute of Standards and Technology (NIST) called the "Guide to enterprise password management." Maybe next they'll draft guidelines for the proper use of buggy whips!

To their credit, the authors (identified as Karen Scarfone and Murugiah Souppaya) do begin with this caveat: "Organizations should be aware of the drawbacks of using password-based authentication. There are many types of threats against passwords, and most of these threats can only be partially mitigated." Well, duh!

They immediately go on to say "although the existing mechanisms for enterprise password management can somewhat alleviate this burden, they each have significant usability disadvantages and can also cause more serious security incidents because they permit access to many systems through a single authenticator." Well, yeah, but only if you institute Single Sign-On (SSO) as part of the "enterprise password management" system. But password management doesn't – and shouldn't – require an SSO component unless it's protected by either a multifactor authentication system or, at least, something stronger than a username/password login. In fact, I'd go so far as to say that the use of an enterprise-wide SSO system should require multifactor authentication.

To their credit, the authors immediately add "…organizations should make long-term plans for replacing or supplementing password-based authentication with stronger forms of authentication for resources with higher security needs." If I were editing, I'd remove that last phrase ("for resources with higher security needs").

What follows in the NIST paper are thirty pages of password history, a review of password threats, password creation policy, and a thorough review of available password management technology.
While it makes for interesting reading (from a historical and cultural perspective), it – to me – is like the United States Environmental Protection Agency (EPA) publishing a paper on managing coal-fired furnaces for electrical generation. "Managing" a technology doesn't make it a less unsafe technology.

Username/password as the sole authentication method needs to go away, and go away now. Especially for the enterprise but, really, for everyone. As more and more of our personal data, private data, and economically valuable data moves out into "the cloud," it becomes absolutely necessary to provide stronger methods of identification. The sooner, the better.

There is one way I could countenance passwords, but only passwords that bear the same relationship to the traditional choices (dog's name, street name, etc.) that Gigabit Ethernet has to the "traditional" Carrier Sense Multiple Access with Collision Detection (CSMA/CD – 10 megabit Ethernet) I was installing 20 years ago. We'll talk about that next time.