What To Do About Passwords


Password Authentication is known to have many vulnerabilities, but do we have any real alternatives?

What is Wrong with Passwords#

Password Management#

Password Management is typically the methodology implemented in large organizations to deal with password issues.

Password Management Methodologies shows an overview of password management methods.

Password Statistics shows some details on how bad password usage is.

Password Strength shows some tips on making passwords difficult to hack.

We believe that OpenID Connect (yes, using Passwords) combined with Multi-Factor Authentication and/or Multiple-channel Authentication is the best Authentication Method available today (2016-07-23).

Do away with Passwords (Stated in 2006 by jim)#

The experts will continually tell you to do away with passwords and Password-based Authentication Methods.

Passwords are a secret that users reuse time and time again. If this secret is discovered by someone else, the user's identity is stolen.

There is no way to know if the password has been stolen until it is used against you.

What are the alternatives?#

There are three basic alternatives to passwords available.

Reusable passwords to One-Time password#

Many token-type systems (e.g. RSA SecurID).

Multi-Factor Authentication that typically requires the token and a PIN.

Advantages:

  • Many on the market.
  • Easy to integrate into existing systems.
  • Typically used in VPNs (RADIUS type systems).
  • Users understand the systems.
  • Any machine or device may be used.

Disadvantages:

  • Single vendor commitment, as there are no cross-vendor standards.
  • Requires software to be utilized to accommodate the tokens.
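The following is an added example, not code from this page's author or from any token vendor, showing why a one-time password answers the "reusable secret" problem described above. It assumes the open RFC 4226 (HOTP) and RFC 6238 (TOTP) algorithms rather than RSA SecurID's own token algorithm, and adds the server-side bookkeeping (last accepted time step) that makes a captured code unusable a second time; the shared secret and the clock-skew window are constructed values for the demonstration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math"
	"time"
)

// HOTP computes the RFC 4226 value for a shared secret and a counter:
// HMAC-SHA1, dynamic truncation, then reduction to the requested digits.
func HOTP(secret []byte, counter uint64, digits int) string {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], counter)
	mac := hmac.New(sha1.New, secret)
	mac.Write(buf[:])
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := (uint32(sum[offset])&0x7f)<<24 |
		uint32(sum[offset+1])<<16 |
		uint32(sum[offset+2])<<8 |
		uint32(sum[offset+3])
	mod := uint32(math.Pow10(digits))
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// TOTP is HOTP with the counter derived from Unix time (RFC 6238).
func TOTP(secret []byte, unixTime int64, step int64, digits int) string {
	return HOTP(secret, uint64(unixTime/step), digits)
}

// Verifier is the server side. Besides the shared secret it remembers the
// highest time step it has already accepted, which is what turns a code
// that an attacker may have observed into a one-time value.
type Verifier struct {
	secret       []byte
	step         int64
	digits       int
	lastAccepted uint64 // highest time step already spent; 0 = none yet
	skew         uint64 // steps of clock drift tolerated in either direction
}

// Verify checks a submitted code at time now. Any step at or below the last
// accepted one is refused outright, so a replayed code fails even inside the
// skew window. The comparison is constant-time.
func (v *Verifier) Verify(code string, now int64) bool {
	current := now / v.step
	for d := -int64(v.skew); d <= int64(v.skew); d++ {
		c := current + d
		if c < 0 {
			continue
		}
		candidate := uint64(c)
		if candidate <= v.lastAccepted {
			continue // already spent (or older than a spent step): replay
		}
		expected := HOTP(v.secret, candidate, v.digits)
		if hmac.Equal([]byte(expected), []byte(code)) {
			v.lastAccepted = candidate
			return true
		}
	}
	return false
}

func main() {
	// Constructed secret (the RFC 4226 test vector key); never use it for real.
	secret := []byte("12345678901234567890")
	now := time.Now().Unix()
	code := TOTP(secret, now, 30, 6)
	v := &Verifier{secret: secret, step: 30, digits: 6, skew: 1}
	fmt.Println("code:", code,
		"first use accepted:", v.Verify(code, now),
		"replay accepted:", v.Verify(code, now))
}
```

The same secret still sits on both the token and the server, so this does not remove the shared secret; it limits what a stolen code is worth to a single use within one time step, and the server can detect an attempted replay when the rejected code matches an already spent step.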

Universal Authentication Framework#

Universal Authentication Framework stores credentials only on the local device and generates a Cryptographic Key to authenticate to the Relying Party.

Universal Second Factor#

Universal Second Factor is an Authentication Factor which enhances Password Authentication

PKI Systems#

Smart cards, including USB devices. Two Factor requires the device and a PIN.

Advantages:

  • Very Strong
  • Cross vendor standards do exist

Disadvantages:

  • Not portable, as each device must be able to read the certificate.
  • Storage of the certificate is a problem; it must be securely handled.
  • Users do not understand
  • Difficult to Implement
  • Requires software to be utilized to accommodate the devices.
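The following is an added example, not code from this page's author or from the FIDO Alliance or any PKI vendor, illustrating what the Universal Authentication Framework, Universal Second Factor and PKI sections above have in common: the credential is a private key that never leaves the device, and the Relying Party stores only the corresponding public key and checks a signature over a fresh challenge. It assumes ECDSA on P-256 with a random 32-byte challenge; the origin binding, attestation and key-handle details of real U2F/UAF are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models the user's device: it holds the private key and
// only ever releases signatures, never the key itself.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only part of the credential the Relying Party receives.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a challenge by signing its SHA-256 digest.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// RelyingParty models the server. Its credential store holds public keys
// only, so a copy of that store gives an attacker nothing to log in with,
// unlike a table of password hashes.
type RelyingParty struct {
	users      map[string]*ecdsa.PublicKey
	challenges map[string][]byte // one outstanding challenge per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{
		users:      map[string]*ecdsa.PublicKey{},
		challenges: map[string][]byte{},
	}
}

func (rp *RelyingParty) Register(user string, pub *ecdsa.PublicKey) {
	rp.users[user] = pub
}

// Challenge issues a fresh random nonce that is valid for exactly one response.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	rp.challenges[user] = nonce
	return nonce, nil
}

// Authenticate verifies the signature over the outstanding challenge and
// discards that challenge, so a captured signature cannot be replayed.
func (rp *RelyingParty) Authenticate(user string, sig []byte) bool {
	pub, ok := rp.users[user]
	nonce, has := rp.challenges[user]
	if !ok || !has {
		return false
	}
	delete(rp.challenges, user)
	digest := sha256.Sum256(nonce)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	auth, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	rp := NewRelyingParty()
	rp.Register("alice", auth.PublicKey()) // constructed user name
	nonce, _ := rp.Challenge("alice")
	sig, _ := auth.Sign(nonce)
	fmt.Println("fresh response accepted:", rp.Authenticate("alice", sig))
	fmt.Println("replayed response accepted:", rp.Authenticate("alice", sig))
}
```

Because each login signs a different nonce, nothing reusable crosses the network, which is the property the password discussion above says passwords lack; what remains to protect is the private key on the device, which is why the PKI section lists secure storage as the hard part.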



  • Very Strong
  • Users do understand


More Information#

There might be more information for this subject on one of the following: