Showing Posts For Faustus.2069:

Why not do this? Passwords are dumb.

in Account & Technical Support

Posted by: Faustus.2069

While I concede that keyloggers are the typical method of acquiring passwords, I still argue that they are easily defeatable/removed/bypassed and that password strength is still the end goal which we strive to achieve. The two- or more factor account authentication is an unimaginative, wasteful and hasty fix to the problem, and that it not only takes the power of privacy out of the user’s hands, it too readily becomes a nuisance and a hindrance to accessibility, and will soon be circumvented by the “clever hacker”.

The example of your bank leads me to think that the system was overly-complex, poorly implemented, and not easily grasped by their clientele, and it was not a factor of security. Hence, they went the easy route and simply added an additional, electronic factor for account access. I feel that rather than dumb down the user and distribute electronic toys that get lost or broken, we make the password system more amenable to the human thought processes and less amenable to brute-force cracking algorithms by using passphrases. Two birds, meet one stone. :-) Of course, you will still have keyloggers, and that will always be a threat, though a minimal one in my opinion. Then again, accounts will always be compromised in one fashion or another. It is my belief that a proper implementation of a passphrase system will much reduce these instances of account hacking…and vigilance against keyloggers and other malware will only get better. How could this be a bad thing?

Why not do this? Passwords are dumb.

in Account & Technical Support

Posted by: Faustus.2069

Keyloggers are incredibly easy to eliminate and bypass. Also, your theory of adding an extra field ignores the degrees of entropy a passphrase would have over a password. Having four separate fields, with four, random, simple words would defeat any brute force decrypting software for the next two decades, if not beyond…at least until quantum computers are available. Additionally, as the passphrase would be made of easily memorizable, simple words, it could easily be unique, even self-referencing, thus eliminating the possibility of password cross-pollination, so to speak.

Authenticators are nice, but ultimately unnecessary, wasteful and only serve to hamper easy access. They can be lost, or buggy. Apps are unable to be transferred to new devices sometimes. I appreciate having a Devil’s advocate, but “random phrase” ignores the depth of a passphrase’s strength. :-)
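The entropy comparison raised in the post above can be worked through in code; this is an added example, not part of the original post or the forum's software. It assumes words are drawn uniformly at random from a list (7776 entries is the size of a diceware-style list; the 16-word list here is a constructed sample), and the guess rates passed to `years_to_exhaust` are hypothetical.

```python
import math
import secrets

# Constructed sample list for illustration; a real list of ~7776 words is assumed in practice.
SAMPLE_WORDS = ["anchor", "breeze", "candle", "drift", "ember", "fable",
                "glacier", "harbor", "ivory", "jungle", "kettle", "lantern",
                "meadow", "nectar", "orbit", "pebble"]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def passphrase_bits(wordlist_size, n_words):
    """Entropy of n_words drawn uniformly and independently from the list."""
    return n_words * math.log2(wordlist_size)


def random_password_bits(alphabet_size, length):
    """Entropy of a password whose characters are each chosen uniformly."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits, wordlist_size):
    """Smallest word count that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(wordlist_size))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole keyspace at an assumed guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(words, n_words=4, sep=" "):
    """Pick words with a CSPRNG; the entropy figures hold only for this kind of choice."""
    if len(set(words)) != len(words):
        # Duplicates skew the distribution, so the real entropy is below log2(len(words)).
        raise ValueError("word list contains duplicates")
    if len(words) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    four_words = passphrase_bits(7776, 4)
    print(f"4 words from 7776:        {four_words:.1f} bits")
    print(f"18 random printable chars: {random_password_bits(94, 18):.1f} bits")
    print(f"words for 80 bits:         {words_needed(80, 7776)}")
    for rate in (1e3, 1e10):  # hypothetical throttled vs. fast offline guessing
        print(f"exhaust 4 words at {rate:.0e}/s: {years_to_exhaust(four_words, rate):.3g} years")
    print("sample:", generate_passphrase(SAMPLE_WORDS))
```

The figures apply only when a generator picks the words; a phrase a person composes has no guaranteed entropy, and the outcome depends heavily on whether guessing is rate-limited online or run offline against stolen hashes.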

Why not do this? Passwords are dumb.

in Account & Technical Support

Posted by: Faustus.2069

This has bothered me for a long time, and I’ve mentioned it to many, many people in positions of high authority at software development only to be ignored. Why are we trying to create and remember horribly long, complex passwords that, with today’s technology, are really meaningless?

I write this now after I read the recently posted article on Account Security by Michael O’Brien. Why have a single password? Why not a passphrase? It is incredibly easy to memorize a random series of four, simple words, and that will be a much more effective password than an 18-character long, archaic password, no matter how many letters you switch to numerals. Honestly, this has bothered me for a long time. The strength of a passphrase, even one using simple common words, would be much greater than any current hacking software could reasonably break or solve. It would be a simple, easy fix and protect your gaming population. Also, it would be innovative and trend-setting (I hope).

Just a suggestion, but I see no reason why this would not want to be done. Thank you for your time. :-)