Security is as much about cryptography as it is about human factors and
business drivers. You can make things resistant to brute-force attacks
by using longer keys, but people are still going to pick bad passwords.

Yes. But:

You can force them to pick "good" passwords by rejecting their first 37
choices, but all that does is encourage them to write the passwords down
on sticky notes.

There is nothing wrong with writing passwords down on sticky notes.
(Well, figuratively speaking. Perhaps not *literal* sticky notes, since
they are too easy to lose.) You have to ask, what is the threat you are
trying to defend against?
If your threat is that the Secret Police will break your door down at
3am, and smash your fingers one at a time until you give them your
passwords, then strong passwords that only you remember will not save you.
If the threat is that your little brother will log into your hotmail
account and send rude messages to your school friends, then writing your
password down on a Post-it and sticking it on the computer is insecure,
but keeping it in your wallet or purse may be secure enough.
Today, one of the biggest (but not the only) threats most people face is
the mass theft of passwords from idiot organisations that store them in
insecure databases as plain text. There's not much we, the users, can do
about that, except complain complain complain when it happens. Possibly
sue, on the basis that storing passwords as plain text is not within a
million miles of best practice or even standard practice.
Another threat comes from black-hat hackers breaking your password.
Whether they want *your* password specifically, or just picked your
account randomly, this is where strong passwords can have a good effect.
Until such time as an attacker can reach through the Internet to read the
password on your Post-it note, writing down your strong password and
keeping it by your computer is an effective way to counter this threat.

And, yes, you can make things more secure with 2FA, but there's a cost
there. You have to purchase and manage the infrastructure. More than
that, there's lost business if potential customers prefer a competitor's
product because it's easier to access. Many of the known insecure
systems we use today are not that way because the people who run them
are stupid; they're that way because the people who run them have worked
the numbers and decided the cost to implement more secure systems would
exceed the risk exposure.

While in principle you are right, in practice I think that most of these
people and organisations start from a number of dodgy assumptions, starting
with "Meh, it'll never happen...". They underestimate the risk,
underestimate the consequences, ignore costs that don't apply solely to
them (e.g. the cost of spam sent from tens of millions of compromised PCs
and gmail accounts), overestimate the strength of their half-baked
solutions, and ignore the portion of their user-base who actually does
want better security.
When they do make a half-hearted attempt at security, it's often security
theatre. E.g. I have a bank account with one bank that doesn't let you
type your password; instead you have to click keys on a simulated
keyboard on screen. You're limited to *six* (SIX!!!) case-insensitive
alphanumeric characters, letters and digits only.
And then, to add insult to injury, they have the fecking cheek to hassle
you every few months to change your insecure password for another
insecure password, thus increasing the chance that you'll forget what it
is and lock yourself out of the account. This encourages people to choose
even weaker passwords, so they won't forget them.
Another bank I use eschews such ridiculous "security" and actually
provides you with a real cryptographic key for which you have to provide
a passphrase. A passphrase limited to *eight* alphanumeric characters.
And I think it is case-insensitive, although I haven't actually tried it.
I expect that these idiots spent more time, effort and money *preventing*
their users from putting in strong passwords than they would have spent
to allow strong passwords.

We recently got a frothing email from a user, which basically said, "You
farking idiots, you emailed me my password in plain text!" It turns
out, his user name was the same as his password and what we had sent him
(in response to an account recovery query) was his username. In
response to that, we altered our account generation process to forbid
passwords which are too similar to your chosen username or email
address. Which, of course, means we've taken one more step down the
road to forcing our users to write their passwords on sticky notes.

That's a good thing.
People have managed physical keys for *centuries*. Yes, there is a class
of threats where you lose your key, or someone steals it, or makes a
copy, but the risks are well-understood and can be managed even by your
grandmother. We have good solutions for those problems that work well,
and many of them apply just as well to sticky notes with secure passwords
written on them.
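The one concrete control mentioned in this thread is the account-creation check that rejects passwords too similar to the chosen username or email address. The following is an added example of how such a check can be written; it is not code from anyone in the thread, and the normalisation, the reversed-string check, the 4-character overlap minimum and the 0.8 difflib threshold are all assumptions chosen for illustration.

```python
from __future__ import annotations

import difflib
import re


def _normalize(value: str) -> str:
    """Lower-case and strip everything except letters and digits so that
    'St.Even' and 'steven' compare equal. Assumption: a similarity check
    should be this loose; tighten it if your policy differs."""
    return re.sub(r"[^a-z0-9]", "", value.lower())


def too_similar(password: str, username: str, email: str,
                min_overlap: int = 4, threshold: float = 0.8) -> bool:
    """Return True when the password is too close to the username or email.

    Three checks, all on the normalized strings:
      1. exact match, or exact match against the reversed identifier;
      2. one string contained in the other, provided the shorter one has
         at least `min_overlap` characters (so a username like "bob" does
         not ban every password that happens to contain "bob");
      3. difflib similarity ratio at or above `threshold`, which catches
         single-character tweaks such as an appended digit.
    """
    pw = _normalize(password)
    if not pw:
        # Nothing alphanumeric to compare; length/entropy rules handle this case.
        return False
    local_part = email.split("@", 1)[0]
    for identifier in (username, email, local_part):
        ident = _normalize(identifier)
        if not ident:
            continue
        if pw == ident or pw == ident[::-1]:
            return True
        if min(len(pw), len(ident)) >= min_overlap and (ident in pw or pw in ident):
            return True
        if difflib.SequenceMatcher(None, pw, ident).ratio() >= threshold:
            return True
    return False


def check_new_account(username: str, email: str, password: str) -> list[str]:
    """Collect the reasons a sign-up should be rejected; an empty list means accept."""
    problems = []
    if too_similar(password, username, email):
        problems.append("password is too similar to the username or email address")
    return problems


if __name__ == "__main__":
    # Constructed sample sign-ups, not real accounts.
    for user, mail, pw in [
        ("steven", "steven@example.com", "steven"),
        ("steven", "steven@example.com", "Steven123"),
        ("steven", "steven@example.com", "correct horse battery"),
    ]:
        print(user, repr(pw), check_new_account(user, mail, pw))
```

The check compares against the full email address as well as its local part, because "example.com" is as guessable a password for alice@example.com as "alice" is; the reversed-identifier check is there because "nevets" is the first thing anyone trying "steven" tries next.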