On Wed, Jul 29, 2015 at 2:15 PM, Warren Young <wyml at etr-usa.com> wrote:

> Just because one particular method of prophylaxis fails to protect against all threats doesn't mean we should stop using it, or increase its strength.

Actually it does. There is no more obvious head butting than with strong passwords vs usability. Strong login passwords and usability are diametrically opposed. The rate of brute force attack success is exceeding that of human ability (and interest) to remember ever longer, more complex passwords.

I just fired my ISP because of the asininity of setting a 180 compulsory expiration on passwords. Now I use Google. They offer MFA opt-in. And now I'm more secure than I was with the myopic ISP.

Apple and Microsoft (and likely others) have been working to deprecate login passwords for years. Obviously they're not ready to flip the switch over yet; it isn't an easy problem to solve. But part of why they haven't had more urgency is because they are doing a lot of work on peripheral defenses that obviate, to a pretty good degree, the need for strong passwords, relegating the login password to something like "big sky theory": it's safe enough to tolerate very weak passwords in most use cases. The highest risk, by a lot, is from a family member.

I'm not arguing directly against strong passwords as much as I'm arguing against already unacceptable usability problems resulting from stronger password policies, because it doesn't scale. Making policies opt-out, let alone compulsory, is unacceptable. Even as the policies get stronger, people's trust in password efficacy relating to security continues to diminish.

-- 
Chris Murphy