Password management

Interesting article on eWeek about password management issues within corporations. I think it would be fair to say that similar issues affect the domestic market, although without the regularly enforced password changes. Most browsers implement some form of login management, although this doesn't entirely solve the problem of having to remember your details and so discourages good password policy. Browser password managers are also occasionally disabled by sites. There are a good number of third-party tools which try to solve the problem too, but these run into the same problems.

In essence, the need to constantly provide usernames and passwords for each and every site you want to register with, and to manage each of those identities independently, means that most users tend not to bother setting secure passwords (if they even know what those are in the first place) but rather ones they can remember (often the same across multiple sites).

In the long run, I can't help but think that some form of federated identity management is the best approach and I've been looking into some of the options open to developers of smaller sites. Obviously there's Microsoft's passport system but it is linked very tightly to Windows and .Net and its high implementation costs don't make it a particularly viable option in many cases. There are various other systems which tend to be linked to one language or another and some which are obviously targeted at intranet environments specifically.

As far as open identity management schemes go, the Liberty Alliance Project promises much, but I can't help feeling that it has been aimed squarely at the big boys and is therefore lacking implementations in the languages of the popular web (i.e. PHP, Perl and ASP/VBScript). More promising for smaller sites is something like the OpenID project, the sxip project's implementation being my focus due to its support of PHP.

I'll try and post more later, once I've had a chance to play around with the idea.

As a footnote, I wouldn't be overly surprised if Google started pushing its federated identity system outside its own borders eventually. It currently works with or without a GMail account (although the GMail-based system is slowly usurping the older system as evidenced by the recent Blogger Beta changes) but is so far limited to Google properties. Remember, you heard it here first - unless you heard somewhere else.

eWeek article: Password-Plagued Workers Burden Help Desks

Update: Within minutes of posting this article, my news reader updated my feeds and produced, by some bizarre coincidence, this article from ars.technica (Single sign-on by the people, for the people). Spoooooky!
