Cheswick himself offered up some alternatives:
- Passmaps. Users pick a geographic location special to them─like a small lake in the Adirondacks. Zooming way in on Google Maps, the user copies the latitude and longitude. This creates a long password, difficult to guess, that the user doesn’t have to memorize. Mine might be 40.730487,-73.984431.
- Passgraphs. This one’s not exactly user friendly for anyone who hated math class. It requires you to zoom in on a particular point in a Mandelbrot set and use those coordinates as your password─basically, the same idea as passmaps above, but it doesn’t require any interaction with a map service owned by Google or Microsoft.
- Passwords transmitted in plain sight. Baseball players, Cheswick notes, use passwords all the time: they take elaborate signs from base coaches in full view of their opponents, fans, and TV viewers. They look complicated, but hey, if dimwitted jocks can use them, there must be an underlying simplicity that anyone can master, and that would obviate the danger of bad stuff like malware and keyloggers.
Even in a best case scenario these solutions are all impractical today, and quite possibly for the foreseeable future but Cheswick says it’s still a problem worth thinking hard about, and I’m sure your users would agree. As the recent Hotmail phishing attacks reminded us, for far to many users “123456″ is still the last line of defense.
[kml_flashembed movie="http://www.youtube.com/v/K95SXe3pZoY" width="425" height="350" wmode="transparent" /]
Fortunately, for those that still must deal with passwords, both as administrators and users, the ITKnowledgeExchange forums have plenty of advice: