Scientists estimate that the number of passwords in the world will exceed the number of stars in the Universe by 2025 and, critically, that all these passwords may provide the so-called 'Missing Mass' required to prevent the Universe from expanding without end into cold nothingness.
Well... not quite but there are indeed a lot of passwords out there. In fact, they are so popular, they even have their own day!!
World Password Day is an initiative that encourages end users to up their game with respect to the passwords they use for online services. Specifically, people are encouraged to:
Create strong passwords
Use different passwords at different sites
Get a password manager
Turn on 2FA or MFA
The list could have been shorter - you get the first two items for free if you let a password manager generate a long random password per site rather than merely storing the ones you pick yourself.
And ideally the recommendation to use multi-factor authentication (MFA) would have guided users away from the SMS model instead of appearing to bless it as the norm (see screenshot at right). An SMS code can be intercepted through SIM swapping and, like any one-time code the user types into a page, can be phished in real time; it is the weakest form of second factor still in wide use.
There are of course corresponding best practices for the web sites and providers that users will log into. A recommendation that the user 'turn on' MFA is of little value if the provider hasn't provided that capability to them. And while consumers may not yet be aware of the FIDO Alliance and the authentication model it enables (a hardware or platform authenticator signs a server challenge with a per-site key bound to the site's origin, so the credential cannot be phished or replayed against a look-alike site), providers should not only be aware, but designing it into their authentication platforms.
A more fundamental objection to the premise of World Password Day is whether relying on users to practice good password hygiene is even realistic - how has that been working out for us? Consider an alternative. Instead of asking users to pick strong and unique passwords (for which there is little historical precedent that might give us hope they actually will), let's acknowledge that ship has sailed. Let's not make policy based on that assumption. Rather, let's assume that users will continue all the same worst practices, i.e. reuse weak passwords across multiple sites, and put in place compensatory mechanisms to mitigate this (sad) reality. Compensatory mechanisms like contextual authentication - scoring each login against the device, network, location, time of day and velocity since the last login that the user normally exhibits - and machine-learning-based real-time anomaly detection over those contextual signals, so that a correct password presented from an unfamiliar context triggers a step-up challenge or a denial rather than a silent success. Rather than trying to turn passwords into stronger authentication factors with the help of users - treat passwords as an inevitably weak factor but supplement accordingly.
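To make the "compensatory mechanisms" concrete, here is a small contextual (risk-based) authentication scorer. It is an added example written for this post, not code from any product or from the author: the password is treated as a weak, probably reused factor, and every attempt that presents the correct password is scored against the user's history (known devices, countries, usual hours, physical velocity since the last login, recent failures) before being allowed, stepped up to MFA, or denied. The weights, thresholds, 1000 km/h travel limit and the history for the user 'alice' are illustrative assumptions, and the login attempts are constructed sample data.

```python
"""Contextual (risk-based) authentication: compensate for a weak password factor
by scoring each login's context and stepping up or denying when it is anomalous.
All weights, thresholds and sample data below are illustrative assumptions."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set, Tuple


@dataclass
class LoginAttempt:
    user: str
    ts: datetime          # timezone-aware UTC timestamp
    country: str
    lat: float
    lon: float
    device_id: str        # e.g. a persistent device cookie or TLS client fingerprint
    password_ok: bool     # result of the (weak) first factor


@dataclass
class UserProfile:
    known_devices: Set[str]
    known_countries: Set[str]
    usual_hours: Set[int]                 # UTC hours seen in past allowed logins
    last_login: Optional[LoginAttempt] = None
    recent_failures: int = 0


@dataclass
class Decision:
    action: str           # "allow", "step_up_mfa" or "deny"
    score: int
    reasons: List[str]


# Illustrative weights/thresholds; a real deployment tunes these on its own data.
W_NEW_DEVICE, W_NEW_COUNTRY, W_ODD_HOUR, W_TRAVEL, W_GUESSING = 30, 25, 10, 40, 20
STEP_UP_AT, DENY_AT = 20, 60
MAX_PLAUSIBLE_KMH = 1000.0   # faster than any airliner => "impossible travel"


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def score_context(profile: UserProfile, attempt: LoginAttempt) -> Tuple[int, List[str]]:
    """Sum the anomaly signals for an attempt; returns (score, reasons)."""
    score, reasons = 0, []
    if attempt.device_id not in profile.known_devices:
        score += W_NEW_DEVICE; reasons.append("unrecognised device")
    if attempt.country not in profile.known_countries:
        score += W_NEW_COUNTRY; reasons.append("new country")
    if attempt.ts.hour not in profile.usual_hours:
        score += W_ODD_HOUR; reasons.append("unusual hour")
    if profile.last_login is not None:
        hours = (attempt.ts - profile.last_login.ts).total_seconds() / 3600.0
        km = haversine_km(profile.last_login.lat, profile.last_login.lon, attempt.lat, attempt.lon)
        if km > 50 and (hours <= 0 or km / hours > MAX_PLAUSIBLE_KMH):
            score += W_TRAVEL; reasons.append("impossible travel since last login")
    if profile.recent_failures >= 3:
        score += W_GUESSING; reasons.append("recent password-guessing burst")
    return score, reasons


def learn(profile: UserProfile, attempt: LoginAttempt) -> None:
    """Update the baseline from a fully authenticated login only. Learning from a
    merely password-correct attempt would let an attacker who holds the reused
    password teach the profile their own device and country."""
    profile.known_devices.add(attempt.device_id)
    profile.known_countries.add(attempt.country)
    profile.usual_hours.add(attempt.ts.hour)
    profile.last_login = attempt
    profile.recent_failures = 0


def evaluate(profile: UserProfile, attempt: LoginAttempt) -> Decision:
    """Wrong password: count it and deny. Correct password: decide on context.
    A 'step_up_mfa' result should call learn() only after the second factor
    succeeds (that callback is outside this example)."""
    if not attempt.password_ok:
        profile.recent_failures += 1
        return Decision("deny", 0, ["wrong password"])
    score, reasons = score_context(profile, attempt)
    if score >= DENY_AT:
        return Decision("deny", score, reasons)
    if score >= STEP_UP_AT:
        return Decision("step_up_mfa", score, reasons)
    learn(profile, attempt)
    return Decision("allow", score, reasons)


def run_demo() -> List[Decision]:
    """Constructed history and attempts for user 'alice' (sample data, not real logs)."""
    london, lagos = ("GB", 51.5074, -0.1278), ("NG", 6.5244, 3.3792)
    t0 = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
    alice = UserProfile({"laptop-1"}, {"GB"}, set(range(8, 19)))
    attempts = [
        LoginAttempt("alice", t0, *london, "laptop-1", True),                        # routine login
        LoginAttempt("alice", t0 + timedelta(minutes=30), *london, "phone-9", True),  # new device at home
        LoginAttempt("alice", t0 + timedelta(hours=1), *lagos, "unknown-7", True),    # reused password, abroad
    ]
    # A guessing burst from alice's own laptop, then the right password: still stepped up.
    attempts += [LoginAttempt("alice", t0 + timedelta(hours=2, seconds=i), *london, "laptop-1", False)
                 for i in range(3)]
    attempts.append(LoginAttempt("alice", t0 + timedelta(hours=2, minutes=1), *london, "laptop-1", True))
    return [evaluate(alice, a) for a in attempts]


if __name__ == "__main__":
    for d in run_demo():
        print(f"{d.action:12} score={d.score:3} {', '.join(d.reasons) or 'baseline context'}")
```

Note what the last scenario shows: a correct password from the user's own laptop, in her own country and at her usual hour, still gets a step-up because it follows a burst of failures. That is the point of the approach - the password's strength is never trusted on its own; the decision comes from the context around it.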
Let's stop pushing this 'password best practices' rock up the hill of Mt Improbable - we don't seem to be getting closer to the peak.