
Monday, June 30, 2014

PINs, passwords and a feeling of high-tech disconnect - Los Angeles Times

Steve Lopez wrote a good column on Sunday complaining about the requirements for passwords.

PINs, passwords and a feeling of high-tech disconnect - Los Angeles Times:

I concur with Steve. It does seem that there are far too many things now that require passwords. There are some technological solutions when surfing the internet, such as using RoboForm, KeePass, LastPass etc. so you only need one password. However, that doesn't seem to solve all of the other password-protected situations, such as PINs at banks, computer log-ons, voicemail services etc. Because hackers can break simple codes, we are instructed to use very long complex passwords with upper/lower case, numbers, and symbols. We're also told to use a different password for each occasion so that if one gets compromised all of our other accounts will still be protected. All of that makes it extremely difficult to keep track of. The experts also suggest that we not write down the passwords because if someone finds the note, everything will be compromised. To add insult to injury, many sites also require the passwords to be changed every 60 to 90 days. Nobody has ever been able to explain the value of frequent password changes to me.

It seems to me that one of the best techniques is the "token" device (typically made by RSA) that generates a 6-digit code that is added (concatenated) to a fixed PIN when logging on. Several companies now use apps that run on smartphones that also generate 6-digit codes. Google has their "Authenticator" app, for example.
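The "6-digit code plus fixed PIN" scheme described above is what the open standards behind most token devices and authenticator apps implement: HOTP (RFC 4226, a counter-based code) and TOTP (RFC 6238, the same construction with the counter derived from the clock in 30-second steps). The following is an added example, not code from the column, this post, RSA or Google; it generates the codes and checks a submitted "PIN + code" passcode on the verifying side. The user record layout (`pin`, `secret`, `last_counter`), the `verify_passcode` function and the PIN value are my assumptions for illustration; the seed `12345678901234567890` is the published RFC test key, used here so the output can be checked against the RFC tables.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' down to a fixed-width decimal code."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte picks the window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is what a hardware token or an authenticator app displays."""
    if at is None:
        at = int(time.time())
    return hotp(secret, at // step, digits)


def verify_passcode(record: dict, passcode: str, at: int, window: int = 1,
                    step: int = 30, digits: int = 6) -> bool:
    """Server-side check of 'PIN + token code' (the concatenation the post describes).

    `record` is a hypothetical user entry: {"pin": str, "secret": bytes,
    "last_counter": int}. The last `digits` characters are the token code,
    everything before them is the fixed PIN. Accepts codes from +/-`window`
    time steps to tolerate clock drift, and refuses to accept a time step
    that has already been used, so an observed code cannot be replayed.
    """
    if len(passcode) <= digits:
        return False
    pin, code = passcode[:-digits], passcode[-digits:]
    # compare_digest keeps the comparison time independent of where the mismatch is
    pin_ok = hmac.compare_digest(pin.encode(), record["pin"].encode())
    now_counter = at // step
    matched = None
    for counter in range(now_counter - window, now_counter + window + 1):
        if hmac.compare_digest(hotp(record["secret"], counter, digits), code):
            matched = counter
    # decide only after both parts were checked, so timing reveals nothing about which failed
    if not pin_ok or matched is None:
        return False
    if matched <= record["last_counter"]:
        return False                              # replay of an already-consumed code
    record["last_counter"] = matched
    return True


# Constructed demo: RFC 4226/6238 test key and a made-up PIN.
RFC_TEST_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    user = {"pin": "4321", "secret": RFC_TEST_SECRET, "last_counter": -1}
    t = 59                                        # RFC 6238 table: SHA1 code at T=59 is ...287082
    code = totp(RFC_TEST_SECRET, at=t)
    print("token shows:", code)
    print("login with PIN+code:", verify_passcode(user, user["pin"] + code, at=t))
    print("same code again (replay):", verify_passcode(user, user["pin"] + code, at=t))
```

The seed is the only secret in this design, which is the practical reason a token cannot simply be reused across unrelated services: every verifier that accepts a given token has to hold a copy of that seed, so sharing one token among many sites means sharing its secret among them.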

I would like to see ONE system become somewhat standard for all log-ons using some sort of a token or smartphone app. I had hoped that RSA would have made their token technology free to all other applications, so that if someone had a token (such as from their company, or E-Trade), they could then use that token when signing on to many other websites. I even bought stock in RSA (which got bought out by another company). However, RSA refused to share tokens issued by one company with other companies -- so many users ended up having to carry multiple tokens on their keychain -- what a mess! RSA also seemed to get "greedy" and began to gouge users on the price for their tokens. They tried to emulate Gillette, who famously "gave away razors and sold the blades." They wanted to make a lot of money by charging high prices for a couple-dollar token that needed to be replaced for new batteries every couple of years.

Because of RSA's marketing tactics, the token industry fragmented and there appears to be no really easy solution.

