The Password Mistake

Someone wrote a paper in 2003, and because of that, we are forced to live with a variety of password complexity rules. Now, it turns out that the man, Bill Burr, then a manager at the National Institute of Standards and Technology (NIST), regrets many of the recommendations he made. I think pretty much all of us do too.

NIST is now trying to update those recommendations. But we're already stuck with a lot of systems, applications, and various other occasions demanding passwords, and they will continue requiring awkward passwords for some time to come.

We need something better than passwords. Stronger passwords help, but not by a lot, and don’t solve many of the problems we face.

Indeed, I got really annoyed with myself earlier this week. You see, I forgot my password. Not just any password, but the master password for my password manager. Yes, oh yes, what a bummer.

I think it happens to others too, at least once in a long while. You have a password. You know it pretty well. You’ve been using it many times, and you always remember it. Then one fine day, for no particular reason at all, you just suddenly have a mental block, and you absolutely cannot remember that password. Or a part of it, like it was in my case. You get stressed trying to remember it, and the more you try to remember, the more stressed you get, and that makes you unable to recollect it.

Then, either a couple of hours later, or a day or more later, it suddenly comes back.

That’s what happened. I was so annoyed.

Thank goodness I wasn't greatly inconvenienced, because I was already logged in to many things that I needed, and I did actually still remember the passwords for a number of systems/services that I needed; for those I hadn't turned my passwords into completely random gibberish. I was lucky, because I do have many passwords, particularly for sites I don't trust (i.e. I expect that some hacker will one day make away with plaintext passwords from those sites), which are made up of truly random gibberish.

I was lucky too that I had a locked copy of the passwords on another device, the locked copy that could be unlocked by fingerprint securely. That wasn’t on my Mac, unfortunately. Touch ID could not save me on my Mac, because the master password was required first before Touch ID would work.

So I thought, of course, that while I agree there are certainly vulnerabilities in depending on fingerprints, it could have helped avoid the necessity of a very strong, complex, awkward password. The fingerprint can still be used in combination with a reasonably good password, or passphrase.

Or do whatever it takes, through some better solution, but stop forcing us to think of awkward passwords.

Now to avoid any temporary amnesia over my master password, I’m tempted to write it down somewhere. No, just kidding. But clearly I need some recovery plan.
