Amichai Shulman, CTO Imperva: “Passwords are still an initial and effective part of a modern authentication system. Passwords are good for the following reasons:
Contrary to biometrics they can be replaced upon compromise
Contrary to tokens you take them on vacation
“An initiative to improve passwords and password management is a good one. In order to improve on our password habits some changes need to be put into password protected systems. In particular systems should be accepting passphrases rather than passwords. These are easier to create and remember and harder to crack. If users are allowed to choose strong passphrases instead of short awkward passwords they will tend to remember them rather than write them down. Once users choose strong passphrases they will rarely have to be changed (unless in the event of a breach or compromise) and would therefore be easier to remember over time. I truly believe that more systems can be modified easily to accept strong passphrases than other forms of “advanced authentication”.”
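Shulman's point that systems must be changed to accept passphrases can be made concrete by comparing two policy checks. The code below is an added example, not code from the article or from Imperva or Pirean. It places a typical legacy composition policy (short maximum length, required character classes, no spaces), which rejects good passphrases, beside a passphrase-friendly policy that relies on length, a breached-password blocklist and a repetition check instead. The blocklist `BREACHED`, the function names and the sample inputs are constructed for the demo; a real deployment would check against a full breached-credential corpus.

```python
"""Contrast a legacy composition policy with a passphrase-friendly one.

Added example; the breached-password set and sample inputs are constructed.
"""
import re
import unicodedata

# Constructed stand-in for a breached/common-password corpus (lower-cased).
BREACHED = {"password", "123456", "letmein", "correct horse battery staple"}


def legacy_policy(pw: str) -> tuple:
    """Typical legacy rule set: 8-16 chars, upper+lower+digit+symbol, no spaces.

    This is the style of policy that makes strong passphrases impossible to use.
    Returns (accepted, reason).
    """
    if not 8 <= len(pw) <= 16:
        return False, "length must be 8-16"
    if " " in pw:
        return False, "spaces not allowed"
    classes = [re.search(p, pw) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]")]
    if not all(classes):
        return False, "need upper, lower, digit and symbol"
    return True, "ok"


def is_periodic(s: str) -> bool:
    """True if s is a short unit repeated, e.g. 'abcabcabc' or 'aaaaaaaa'."""
    return (s + s).find(s, 1) < len(s)


def passphrase_policy(pw: str) -> tuple:
    """Passphrase-friendly rule set: length and blocklist, no composition rules.

    Returns (accepted, reason).
    """
    # Normalise so the same phrase typed with different Unicode forms compares
    # equal; otherwise a user can be locked out by their keyboard layout later.
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < 15:
        return False, "at least 15 characters"
    # An upper bound only to limit hashing work (bcrypt, for example, uses
    # just the first 72 bytes); it must be generous enough for real sentences.
    if len(pw) > 128:
        return False, "at most 128 characters"
    if pw.lower() in BREACHED:
        return False, "appears in breached-password list"
    if is_periodic(pw):
        return False, "repeated pattern"
    return True, "ok"


def compare(pw: str) -> dict:
    """Run both policies on one candidate and return their verdicts."""
    return {"legacy": legacy_policy(pw), "passphrase": passphrase_policy(pw)}


if __name__ == "__main__":
    # Constructed sample inputs.
    for candidate in ("P@ssw0rd",
                      "purple tractor sings at dawn",
                      "correct horse battery staple",
                      "abcabcabcabcabc"):
        print(repr(candidate), compare(candidate))
```

Run as-is, the legacy policy accepts the eight-character `P@ssw0rd` and rejects the 28-character sentence purely on length, while the passphrase policy does the reverse; the blocklist and periodicity checks catch the two remaining samples that length alone would have let through.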
Colin Miles, CTO Pirean: “The username / password approach for authenticating users is fundamentally flawed in that it fails to adequately serve the needs of either the consumer or the service provider. Users want convenience of access without compromising their privacy or security, while application providers need to ensure only the right people are accessing their services without introducing barriers to access. The password model for access was introduced at the very infancy of internet adoption but it really hasn’t scaled to meet the demands of our increasingly connected world.
“Initiatives to encourage users to undertake good password hygiene (setting unique and strong passwords for different accounts, changing passwords regularly, etc.) are certainly needed, as the password problem is so entrenched in existing technology and services that this isn’t a problem which is going to go away soon. This means that efforts to modify user behaviour to make the best of a bad system should only be encouraged. We are seeing that new, people-centric approaches to security are increasingly coming to the fore. These are the most forward-thinking models of all, where the primary challenge is not in respect of how the user should be authenticated, but whether an authentication challenge is needed at all.”