Security and Passwords
Security is hard, as the increasing number of security breaches at high-profile services shows. Most services use a username and password authentication scheme. The username represents identity, and the password verifies that identity. Developers and consumers alike find passwords difficult to manage. Developers struggle to build systems that securely handle and store passwords, while consumers fail to create sufficiently memorable and random passwords.
There has to be a better way.
However, if we find a better way to identify and authenticate users, it will take time for most services to catch on. In the meantime, how do we create better passwords? The best passwords should roll off the fingers much like an elegant word rolls off the tongue. We humans are good at optimizing movement, provided the movement can be optimized, so why not use that knowledge to create better passwords?
I want to create a password that minimizes wasted energy while typing, accounting for modifier keys, and that I, as a human, can remember easily. The solution Randall Munroe proposed over at xkcd is a great solution to the memorability problem, but many services have an arbitrary constraint on maximum password length.
As consumers, we don’t want the hassle of managing passwords and making them secure. We turn to password managers to generate and store our passwords. We get frustrated when the experience is still clunky and time-consuming. When we have to unlock our password manager with a password, we think: wasn’t this supposed to eliminate the need for passwords? Password managers are a solution that works well enough for most of our use cases. They also ensure that if one service is breached, the rest of our services remain secure by virtue of having unique passwords for each service.