Ask Slashdot: Convincing My Company To Stop Using Passwords?
gurps_npc writes Any password policy sufficiently complex to be secure is too complex to remember so people write them down. Worse, company policy is to leave a message on your answering machine describing it — when the software uses a 6 number password to get your 8 letter/symbol/number/capital/no dupes (ever) real password. I want to suggest a better method. I want to go with a two factor system — either token based or phone based (LaunchKey, Clef, Nok Nok). Does anyone have any advice on specific systems — or points I should bring up? Or alternatives such as graphical based passwords?
Your system will be breached. Do you get enough out of this to take the fall when that happens?
Oh man, that's peanuts compared to my job. Our Cisco IP Phone VOICEMAIL has to be a 7 digit or longer password. And they block repeating numbers, obvious guesses like 867-5309 (or your own phone number). They block patterns like pressing the keypad diagonally or all the corners twice or whatever. AND you have to change it every 30 days. You better believe everyone keeps a post-it with their voicemail password right on their phone. It's a self-defeating system, it's so complex.
As soon as you succeed with the paperless office, and don't forget to get rid of the fax machine too, then it'll be time for the password-less office. Just sayin'
Have you considered how much it will cost your company to implement and manage such a solution?
You'll need to be able to convince management that the likelihood and impact of your company's IT infrastructure is high enough to justify such an expense.
Deal with reality - the world as it is - rather than ideality - the world as you would like it to be.
Anything you do that adds an additional step to an existing process that "appears" to be working perfectly fine will potentially earn you some enemies. Some of the people most likely to be frustrated by the process may also be in positions of great influence.
A noble cause, but its success depends a lot on the existing culture of your workplace.
Certainly coming to the table with a well thought out argument in favor of this isn't bad.
But if the culture is right, you should be able to bring this up casually with superiors and discuss it with them candidly and THEN discuss putting together a formal document proposing a solution. If anything they are better equipped than we are to evaluate the user needs of the workplace and give you ideas of how to pitch this to the rest of the business.
Figure out how much time and effort tech support spends on dealing with forgotten or compromised passwords.
Factor in the time lost by employees while they wait for tech support to deal with password problems.
Find some research discussing the cost of a compromise.
Figure out how much a token based system will cost. Assume people will lose their tokens.
Make the case that your solution is cheaper than the existing solution.
Then prepare to deal with "but we won't get compromised, so this is a waste of money".
[Fuck Beta]
o0t!
Use U2F, it's the best authentication token on the market. Either as second factor, or as lone factor. It doesn't enforce any lock-in at all, and its experience is just like keys: you have cheap tiny things you stick into holes (please spare me with any childish dick/buttplug/etc comparisons).
If they only need to survive online attacks, the 8 character limit is enough for passwords. However you would need to add some meaningful brute-force and weak pw recognition.
The reason I wonder if 2FA can be at least moved to the edge or used for VPN logins is that it makes things a lot less of a headache.
Usually for internal AD, having a third party authentication apparatus strapped on can bring about issues. For example, if the system is a challenge/response system and a Web app is authenticating from AD, it likely won't have a window to present the 2FA challenge. SecurID is the only one I know which gets around this since there is no challenge token presented... users just enter in their password and the number off their token, and it logs them in with the standard username/password box. However, the downside of SecurID is that it is not cheap, and requires at least two servers to authenticate the tokens.
Internal logins, I'd just stick with AD unless there was really a need for internal security (expensive). If so, I'd then go with CAC/PIV tokens because they are fairly standard, have a wide use with the US government, and work with most major applications.
Now the edge is a completely different beast. You can set up RADIUS servers to use the Google Authenticator, SecurID, smart cards, or one's flavor of choice. This way, users can log in via 2FA, but the internal network doesn't need to have any major changes done to it.
What ever happens!! Do not start your proposal with "Let's stop using passwords."
Besides, in every system I've seen with 2-factor authentication, passwords could still be used, but 2-factor authentication would only get triggered if the employee was accessing the network from an unknown computer, or an unknown ip address, or if the employee had forgotten his original password.
Not to mention that stabbing yourself in the eye with a pencil will probably be less painful and result in more real security. And at least the eye-pencil is likely to make it to completion.
My favorite part is having to change the password every 30 days.
A LOT of people will use base password+date. EG:
Slashdotnov2014
Slashdot1114
etc.
Gee. I wonder what it might be in December...
I even know people in IT with passwords like that. When setting up a new computer for you they'll ask for your username/password so they can log in and set up your profile, so they are well aware that people do that.
I would encourage users to write down their password on a piece of paper.
That paper should contain only the password, no hint to what it belongs to.
The paper will then be stored inside the person's wallet, and looked at when necessary, but not taken out.
If that person manages to lose their wallet, they have bigger problems than the company password.
There are no atheists when recovering from tape backup.
I work in schools.
I'd be interested in any cheap, Windows-logon compatible system that I can supply my own RFID reader hardware for.
RFID readers are stupid-cheap. Nobody's going to go to the effort of copying an RFID tag just to get on a system as a child user. And I can buy tags for about 10p each.
Every logon system I see is stupendously priced (either per reader, per card, or per seat software licence) or doesn't work on Windows logon. Those are useless to me.
I've been looking since the XP GINA days, still haven't found anything vaguely suitable and in a school's price-range.
(Note: School in the UK refers to education up to age 18, in my particular case education up to age 13).
I used to work for an oil company that used smart cards to login to a PC.
Sure, you still need a PIN but you also need the card. It's not foolproof but it is somewhat more secure.
The real challenge would probably be convincing your company to purchase new hardware and update their security policy.
Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
For the same reason the TSA acts the way they do. If you take security to insane extremes such that everyone is always massively inconvenienced, you can never be blamed for not doing enough, no matter what happens. And there's an implicit assumption that if you've moved onto crazy extreme measures, you must have already exhausted all the less extreme measures.
You have a few challenges ahead of you; political ones, technical ones, and fiscal ones.
Are you just hoping to be the initial voice of inspiration and get everyone behind you? Or are you ready to be the advocate for the two factor auth you're proposing? Unless you've done your research and you know a lot of others in your department are on board with this proposal already, your proposal is going to ground itself without much more than a candle flicker.
People tend to be really resilient to change, even really bright tech folk. "Good enough" is the motto that most people live by, so you're going to have to make a really enticing argument or get a lot of support across the board before even presenting this. Check with the necessary Systems folk; do they have ideas or wants or problems with a Two-Factor auth for users? Do the math for your accounts; are you saving enough money that it will make someone look good? Check with your Help Desk/Ticketing software; are password resets really enough of a problem that they're impacting people's work flow?
I promise you that most folks in a position to make a decision like this aren't staying up at night wishfully hoping that someone suggests TFA for the company, and few non-tech people in the company are even going to know what the hell you're talking about.
You're going to need to be prepared to really explain your idea and show that it already has support, else they're just gonna look at you like you suggested catapulting the ring into Mordor.
Complexity matters mainly if your attacker gains offline access to your hashes. Far and away the main source of password compromise is non-uniqueness (using the same password elsewhere). This is actually the main benefit of forcing a periodic password change. Graphical and gesture passwords are horribly insecure from shoulder surfers.
If you can, support as many factors as possible. Multiple factors gives your users flexibility- they may not always be able to receive an SMS or have a card reader handy. TPM-based virtual smart cards are super handy for remote auth from a domain-joined device- no cards or readers required.
So long, and thanks for all the Phish
What about using an open hardware password storage device like Mooltipass? http://hackaday.io/project/86-... Mooltipass is composed of one main device and a smartcard. On the device are stored your AES-256 encrypted passwords. The smartcard is a read protected EEPROM that needs a PIN code to unlock its contents (AES-256 key + a few websites credentials). As with your credit card, too many tries will permanently lock the smart card. The mooltipass main components are: a smart card connector, an Arduino compatible microcontroller, a FLASH memory, an OLED screen and its touchscreen panel. The OLED screen provides good contrast and good visibility. Unfortunately this project is about to fail its Indiegogo crowdfunding campaign.
Our company has been using Safenet for the last year or so since we implemented 2FA for VPN and it has gone quite well. Being software based that can be loaded on laptops or smartphones makes it convenient and we don't have to worry about the tokens being lost and having to get a replacement out causing downtime. The downside is it can be locked out requiring some back and forth to unlock the token.
My routine way of logging onto anything that I hit less than once a week is to automatically click on the "I forgot my password" button and reset via email without even attempting to remember it. That basically makes all passwords equivalent to my gmail password, but since anyone with the gmail could do that any time they wanted it's no loss of security. It's a little inconvenient, but not as inconvenient as trying to remember 100 unique passwords.
RSA SecurID is one of the standard 2FA methods that can be used, and it works well without needing a special dialog on the screen (which may be needed for some challenge/response systems.) It has been around for a long time.
Of course, there is one major problem: The cost. The keyfobs are not cheap. The seeds which are required for apps on smartphones are also not cheap. The RSA Authentication Manager servers are not cheap, and you need multiples of these at the core office and branches.
Then there is the concern about hacking. RSA uses their own algorithm to get the authentication server and the keyfob to work. Is it as secure as the open source Google Authenticator? Who knows.
RSA SecurID on the edges, either via VPN, Citrix, or both? Yes, this is a wise thing to do. RSA for every AD access? The return on security investment would be minimal compared to just setting a wise password policy [1].
[1]: There were /. articles about using 16 character passwords and having them valid for 6-12 months which gave more security than 8-10 character PWs changed monthly. xkcd.com/936 explains it better.
Indiana University switched to passphrases years ago. No cryptic symbols, numbers, translations, etc. Must be at least 4 words of 4 characters or more. A word is separated by a space or underscore. Easy to remember but at least 20 characters long. "Denzel likes silver haired ladies" for those Brickleberry fans. VERY secure and VERY easy for each user to remember.
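An added example, not part of the comment above: a checker for the passphrase rules the comment describes (at least 4 words, each 4 characters or longer, separated by spaces or underscores, at least 20 characters in total). The rule values are taken from the comment; the function name, the error messages and the sample phrases (including the comment's own "Denzel likes silver haired ladies") are constructed for illustration.

```python
"""Illustrative passphrase policy checker for the rules quoted in the comment.
Not Indiana University's code; thresholds are the ones the comment states."""
import re

MIN_WORDS = 4        # "at least 4 words"
MIN_WORD_LEN = 4     # "of 4 characters or more"
MIN_TOTAL_LEN = 20   # "at least 20 characters long"
SEPARATORS = re.compile(r"[ _]+")  # "separated by a space or underscore"


def check_passphrase(phrase: str):
    """Return (ok, reasons). `reasons` lists every rule the phrase breaks,
    so the user sees all problems at once instead of one per attempt."""
    phrase = phrase.strip()
    reasons = []
    # split on runs of separators; drop empties from leading/trailing ones
    words = [w for w in SEPARATORS.split(phrase) if w]
    if len(words) < MIN_WORDS:
        reasons.append(f"need at least {MIN_WORDS} words, got {len(words)}")
    short = [w for w in words if len(w) < MIN_WORD_LEN]
    if short:
        reasons.append(f"words shorter than {MIN_WORD_LEN} chars: {', '.join(short)}")
    if len(phrase) < MIN_TOTAL_LEN:
        reasons.append(f"total length {len(phrase)} is below {MIN_TOTAL_LEN}")
    return (not reasons, reasons)


if __name__ == "__main__":
    # constructed sample inputs
    for candidate in ("Denzel likes silver haired ladies",
                      "Denzel_likes_silver_haired_ladies",
                      "correct horse battery",
                      "cat dog fox owl"):
        ok, why = check_passphrase(candidate)
        print(f"{candidate!r}: {'OK' if ok else 'rejected: ' + '; '.join(why)}")
```

Note that the checker deliberately does not demand digits or symbols: the point of the policy is length and memorability, and mixing separators (`_` and space) is allowed because the comment permits either.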
The first step in trying to figure this out is to figure out what systems and services you're trying to secure. Are you trying to secure a web application? A specific file server? Are you trying to make it so people don't have to remember passwords for Dropbox? Are you trying to include your phone system, physical security to your systems, and the network AD login? Make a list of everything you're trying to secure, and then figure out what alternatives those systems support. Then cross-reference all those different systems to see what sign-on technologies and services support all of them (or the most, or the most important systems).
Maybe you don't want to go about it quite that way, but the point is, you need to know your requirements before you try to select a solution. Your biggest problem is going to be finding a single product/service that supports replacing all of your passwords, since there isn't really a universally-supported standard replacement for passwords. One of the reasons passwords have been so successful and stuck around for so long is, you don't need to support any particular hardware or software. It's just text entry.
So if you really want to pursue this, figure out what systems you want to secure, and then figure out what alternative methods support and are supported by those systems. I really wish that, instead of having 50 different companies trying to come up with their own clever little app with pretty animations to provide multi-factor authentication, there were a concerted effort to develop a set of standards that various developers could build from.
I'm going to go with narrow mindedness, or perhaps a lack of imagination. The requirements that led your IT leaders to the environment you describe could lead to far less onerous (and less costly!) setups.
Blocking "all" filesharing sites? If your company is like mine, both federal regulators and clients regularly perform third party security audits. "How do you protect our data from exfiltration?" is a stock question. I've also seen "demonstrate you block viral vectors" lead to similarly unnecessary restrictions. Hell, I could see the above two answers explaining ALL of the symptoms your leadership has created.
It doesn't have to go that way, though. Leadership at my company had the same silly knee jerk reaction. I argued against it; but we did the same thing, for a while. About 15 months. It took 12 months for me to accumulate comparative data and about a month to polish it into a pretty presentation. It took another 2 months to cross fiscal quarters and then we immediately ripped all that nonsense out and replaced it with a properly architected solution. We moved the critical data and all the workflow that touched it into secured remote VMs running on in house Virtual Desktop Infrastructure. All desktops/laptops are basically dumb terminals for accessing the work VMs. You VPN in to do that, regardless of where you come from - including our "internal" office vlans, which only have access to the internet and our VPN server.
Have work to do? Use your VM. Wanna fuck around on slashdot? Use your local machine.
Problem solved, and with MONUMENTALLY fewer man hours spent managing the ridiculously complex filtering mechanisms the previous authoritarianism had required.
Propose a solution that lets them recover employee data after they leave the company.
I am becoming gerund, destroyer of verbs.
changing them all now... Post-1t.
if this is supposed to be a new economy, how come they still want my old fashioned money?
I can't believe I'm the first to remind everyone of this: http://xkcd.com/936
Write each new password on a separate post-it and keep them all posted around your desk. Let an intruder guess which one (if any) is the correct one! It will provide minutes of entertainment! MINUTES!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
It's the solution that's been touted for decades to the 'single sign on' solution. It does work - I know police forces and similar that use them without fuss.
There are plenty around, and sure you have to remember a pin, but it's usually way less complicated than remembering a huge long password, plus it's the start of a single sign-on solution that no-one can argue against once you're using them.
If you use Windows, Microsoft has a lot of resources about smart card login
With regards to the actual posted question, you should find out if the company has any sort of insurance policy relating to data/security breaches that might be dictating things like the password policy. If the company has insurance to cover problems from insurance company X, and insurance company X is saying "You must do passwords, and like this, or else no insurance!", then you have a monumental task ahead of you because you have to convince your workplace to address the insurance policy/company - as well as internal political/technical/budgetary issues.
Beyond that, the field of the business was not specified. It is possible that, depending on the country, industry, business contracts, and local regulations, there might be some specific clause dictating this corporate policy. (There can be no end to the insanity when you have a situation where, in order to do business with government and/or company Y, your own business must get certified to follow practices according to standard Z, be audited, etc.) If something like a password policy change requires a (re)audit of to verify your company's power level is still over ISO 9000, or Sigma Mane Six or whatever, well... good luck.
What is the risk of continuing to use passwords?
What is the cost to the business if the risk of continuing to use passwords is realized?
What is the cost of implementing an alternate system? Be sure to include the costs in training, process re-engineering, systems re-engineering, etc.
What value, if any, is generated by replacing passwords?
Unless the money you are going to spend is either going to generate more money for the business than the dozens of other projects that are competing for resources, you practically have zero hope of your change being embraced.
While some organizations are risk averse to the point where they will act on them, more often than not unless you or your direct supervisor are liable for mitigating the risk, you are doing your career a disservice by raising the risk.
The same company blocks web access to dictionary.com, archive.org and anything related to computer security (hacking) and 3D graphics (games), as well as anything deemed to be file sharing (dropbox, google drive, pastebin - but not gist.github.com or thousands of other similar sites).
Why are such douchebags in charge of IT at such large companies that employ technically competent staff?
It, like everything else, is about breaking even in terms of time versus exposure.
You can block the top 10 file sharing/storage sites (drive, dropbox, whatever) in 10 minutes, and prevent 95% of your employees from transferring files. Or, to get to 99%, you can spend a couple hours a week adding new sites to the list. Want 99.5%? Just hire a full-time guy to review every TLD visited by employees.
No, it's not too hard. I'm really sorry that you can't figure out how to train users on how to use strong passwords, but this is not an overly complex thing to do. It does take persistent training because nobody walking into the company will have received such training but passwords are not "bad" or "too hard".
14 years ago I implemented a full Unix based LDAP system enforcing complex passwords with aging, history, and controls on admins that could change passwords without being "Directory Admin". I have since set up and run this system at numerous other companies. Linux used to suck a bit at its PAM LDAP configurations, but today it's not so bad.
Around the same time, I developed some methods for users to generate "STRONG" passwords with reasonable lengths. I still teach these today, and amazingly we use passwords very effectively. No, you don't pay me so can't have my methods. I'm telling you it's possible if you actually stop and do the work.
2FA is still going to require a password for any reasonable system. If you go with the average 4 digit pin shame on you, but many people seem to believe this is protection somehow and better than a strong password.
Certainly I'm not against 2FA, nor even 3FA and locks on doors. I'm against it for the common user because it does not save anything and adds a huge amount of overhead and work to reissue all the devices to users constantly. If you are in a small shop, maybe not a big deal but in a company of reasonable size it's a full time job just dealing with the Token/Badge/Whatever you have for the 2nd factor.
-The wise argue that there are few absolutes, the fool argues that there are no probabilities.
Verisign VIP is one ( commercial ) system that uses soft tokens, and the same token works on your ebay and paypal and other accounts, making it useful to users outside of work - since they start to introduce the same security to their outside-of-work use - Soft tokens are free and work on phones and PCs, hard tokens can be ordered ( they even have credit cards with the hardware token built in, and can print name badges with them ) -
Generally, it's a pretty good system - you can download and try it too -
GrpA
Enjoy science fiction? "Turing Evolved" - AI, Mecha, Androids and rail-gun battles. What more could you want?
I've generally come to the conclusion, that it isn't IT that is doing this, but Clueless Executives demanding IT do this, even after repeated cries from the IT department not to do it.
Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
LaunchKey is capable of removing the need for passwords entirely in your system, so if that's a goal then it's a great solution. It's BYOD so the cost is low or free depending on implementation while simplifying the user experience and greatly increasing security. As far as points to bring up: Removal of passwords relieves the company of a liability of holding onto hacker bait and makes it much more difficult to impersonate another user using their credentials. Dealing with people forgetting passwords and resets can be surprisingly costly and there are alternatives that are easier to use where that will never be a problem.
if you're giving your users a token, get the thing jabbed inside their hand so they don't lose it.
Retinal scan and voice confirmation.
What is the exposure?
If your company was ever hacked, what would the consequences be?
If the consequences could be serious, follow the advice of educating your decision makers as brilliantly outlined by Captain D, above.
Otherwise, what difference does it make if your company's machines and network(s) were actually compromised?
I mean, what difference will a few more zombies in some bot-net actually make?
First understand your position in the company and whose turf you're going to piss on if you make a move like that. You don't want your efforts to fail because you rubbed some manager the wrong way and he sabotages everything just because he can.
Secondly, make sure your system is really better in all regards, especially the failure cases. People leaving the company or getting ill for a long time? Password sharing (no matter what your policy says, people are doing it, especially bosses and secretaries)? Password recovery?
Third, make sure of user acceptance. People don't like change, and if the new system is not considerably more easy to use than the old one, you will face resistance.
Fourth, pack all of that research into a presentation and make your case. Good luck, you'll need it.
From my experience, #1 is the most important. Also take into account decision factors you may not know about. I've had a real-world experience where we (the security department) wanted to introduce an identity management system and were totally stonewalled. Three months later the company was sold - management already knew it would happen and they didn't want to commit to anything major or expensive just before the sale.
Assorted stuff I do sometimes: Lemuria.org
This is not three-factor authentication. Username is not a factor because it is not considered secret.
A username is not a secret piece of information.
A stored hash is not a secret piece of information.
A password is a secret piece of information.
A salt is not a secret piece of information.
An RSA clock's seed is a secret piece of information, but the user doesn't know it, and it lies exposed on the validating server.
The only thing RSA clocks prevent is remote, delayed attacks. An attacker acting at the same time a user is doing shit will be able to sniff/MITM and use the output of the RSA clock just as the user would. Note that this attacker can be fully automated software that is always awake and watching the compromised boxes.
Actual two-factor security would be you going somewhere, someone verifying that you look like you and are behaving normally, and the system verifying your password/pin/etc.
Very long passwords are very easy to remember if you use mnemonics.
For example:
412a7YaoFbfotCanNciladthptaMace
Completely impossible to remember that password right? Wrong:
"Four score and seven years ago our fathers brought forth on this continent a new nation, conceived in liberty, and dedicated to the proposition that all men are created equal."
You just have a set of rules for turning text into a password.
In this case, all numbers are written as numbers and all words are lower case except nouns which are capitalized.
Substitute that quote for any other and you can generate another very long password that is impossible to forget. You can even write the quote down prominently and no one is going to break into your system unless they know the system by which the quote is turned into a password. The system I cited above is very very simple but you can use a much more complicated one.
The system usually should not change. You can keep that static. The quotes or text strings should change every so often. And when you do, you can put a sticky note on your computer with the quote right there. No one will break in.
You can make the password as long or as short as you like.
The downside is that the decoding process does take a moment. But you will not forget the password.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
"Any password policy sufficiently complex to be secure is too complex to remember" is not a universally true statement. https://www.schneier.com/blog/...
With smart cards, they can be used for building, room access, log into system, and digitally sign emails. Seems stupid not to use them. Wonder if it would have helped Sony?
I've found that there's a sweet spot to balancing system security and job security: recommend better practices than currently in place without becoming adamant about it.
If you get the attention of a caring boss, you'll get your implementations, so make sure it's really a good idea and will work well before recommending it. But, more importantly, if they decide not to do it, then you are basically off the hook for responsibility for *any* breaches that occur afterwards. "I recommended a two-factor authentication to prevent data breaches over two years ago, and every quarterly IT review ever since!"
What's odd for me as a developer is how many times I've talked to a tech guy who really "needs" us to add security feature X in our software, and we send over the information to turn it on after we write it, and they *still don't do it* even after they paid for the modification.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
XKCD already did a better job on just this issue.
http://xkcd.com/936/
What is it that you are safe-guarding? I'd bet that it's not something vital enough that it needs anything more than a normal password, but if it is, stop keeping it in a place where it's so easily accessible with the password. Door locks are still the safest devices around, and it's not because they can't be picked, it's because they need to be picked -- in person.
That big important vital data store? Air-gapped, in one room, with an attendant, and a lock on the door will do better than any 2-factor authentication system -- because it's got many more factors, including the biggest one: presence of person.
You aren't going to blend convenience and security and wind up with anything more convenient or more secure than a password. I'd reckon that's why we have passwords.
FIDO alliance 2-factor hardware tokens, like YubiKey Neo.
Until browsers roll out FIDO protocol support, a mobile app with normal OATH TOTP 2-factor (implementations include Authy, Duo Mobile, Google Authenticator, etc) is the way to go. And use a password manager for the 1st factor. When support gets baked in, the FIDO service/client/hardware token protocol will dramatically improve usability of the 2nd factor.
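An added example, not code from any of the apps named above: the OATH HOTP (RFC 4226) and TOTP (RFC 6238) algorithm those soft tokens implement, together with a server-side verifier that tolerates one time step of clock drift and refuses to accept a code twice. The secret is the RFC's published test secret so the output can be checked against the RFC vectors; the class and function names, the drift window size and the in-memory "last counter used" state are assumptions made for illustration.

```python
"""Illustrative HOTP/TOTP generator and verifier (RFC 4226 / RFC 6238).
Not the code of Google Authenticator, Authy or Duo; written for this thread."""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret, ASCII "12345678901234567890" (SHA-1 vectors).
# A real deployment generates a random per-user secret and shows it once
# (typically as an otpauth:// QR code); this one exists only for checkable output.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic truncation,
    then reduce modulo 10^digits and zero-pad."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """TOTP is HOTP whose counter is the number of `step`-second intervals elapsed."""
    return hotp(secret, int(unix_time) // step, digits, algo)


class TotpVerifier:
    """Server side. Accepts the current step and +/- `window` neighbouring steps
    (phone clock drift), but never a counter at or below the last one consumed,
    so a code observed on the wire cannot be replayed during its 30 s lifetime."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self.last_counter = -1   # assumption: per-user state, kept in a DB in practice

    def verify(self, code: str, unix_time: float = None) -> bool:
        now = int(time.time() if unix_time is None else unix_time) // self.step
        for counter in range(now - self.window, now + self.window + 1):
            if counter <= self.last_counter:
                continue                      # already used, or older than a used code
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):   # constant-time comparison
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))                 # 755224 per RFC 4226
    print("TOTP at t=59 (8 digits):", totp(RFC_TEST_SECRET, 59, digits=8))
    v = TotpVerifier(RFC_TEST_SECRET, digits=8)
    code = totp(RFC_TEST_SECRET, 1111111109, digits=8)
    print("first use:", v.verify(code, 1111111109), "replay:", v.verify(code, 1111111109))
```

The replay check is the part most home-grown verifiers omit: without remembering the last accepted counter, a code captured by a phishing page or a keylogger remains valid for the rest of its time step, which is exactly the "same time as the user" attack another comment in this thread describes.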
Employees get paid thousands of dollars every month, right? For that much, they can remember 8 characters of which one needs to be changed once in a while. If worst comes to worst, write down 4 that you change and remember 4 that you don't. That's kind of like two factor authentication - a post-it that you have and 4 characters that you know. Simpler passwords are unfortunately very vulnerable to dictionary attacks that consider what people most frequently used.
There is obviously room for improvement. A USB device in addition to a password is better than a password alone. But the premise that current situation is horrible may be flawed. If you are saying there is a master 6 character password that encrypts users' 8 character ones, then yes there is a problem.
That's two factor authentication, what you know and what you have.
You said:
password, and an 8 digit numeric password
That's precisely the same as saying:
All passwords end in 8 numeric digits.
So that's one factor, the password.
User names aren't secret, they're NAMES. Knowing your name is not a security factor. Even if they WERE secret, you could equally well describe that as:
All passwords follow the form "name:letters:digits"
Knowing the string is one factor. Having the token is the second factor.
According to your math, passphrases are a thousand times more secure and, unlike 10 random characters, users can remember their passphrase. Sounds like a win to me.
'Authorised devices' (with a certificate/token authentication), with a -backup- password or other method. Every device has its own MAC address, why not take advantage of that? Of course, that doesn't eliminate -stealing- the device... but at least you can't do that from a distance ; ).
No, no sig. Really.
ThePromenader
http://xkcd.com/936/
And you don't think the other methods won't have the same problems? You don't think you will see printed images on monitors for the graphical 'passwords'? Also with 2 factor, how many people will lose their account for the token.. (yes 2 factor is slightly more secure of course, but it certainly isn't as safe/monkeyproof as some people seem to think)
Keep your passwords with the other important pieces of paper you carry around daily: in your wallet
The best typed password system I've seen so far uses all characters and encourages sentences. A standard password would be something like: "What? Stop looking at my damn password!"
It is easier for the human mind to think in terms of typical language usage. Sure, that password could be shortened to: W?Sl@mdp! but you get a much longer and easier to remember password by letting them type it in plain English. Get away from the 6-12 character passwords permanently and go to sentences.
Deploy two factor authentication. Now if you're dealing with the Unix/Linux world I recommend setting it up so a min of 12 characters - and explain how to compose passwords. But better yet - ssh keys with passphrase. That's much better.
It's a shame that an AC had to post the most correct answer to security that I have seen in this thread. When I implement new systems, logins within one second of each other are not allowed. Three unsuccessful attempts leads to a locked account. Cracking even something as small as an 8 digit password would take millions of years. All passwords are sha-512 hashed and salted. Changing passwords every XX days is a surefire sign that the person in charge of policy never took a statistics class.
If you are not allowed to question your government then the government has answered your question.
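An added example, not the commenter's code, sketching the login policy the comment above describes: salted SHA-512 password hashes, a login attempt refused if it arrives within one second of the previous one, and a lock after three failures. The class and method names are assumptions made here for illustration.

```python
import hashlib
import hmac
import os

LOCKOUT_ATTEMPTS = 3   # third failure locks the account
MIN_INTERVAL = 1.0     # seconds; attempts closer than this are refused unchecked


class AccountStore:
    """Hypothetical in-memory user store enforcing the policy from the comment."""

    def __init__(self):
        self.users = {}

    @staticmethod
    def _digest(salt, password):
        # Salted SHA-512 as the comment states. A deliberately slow KDF
        # (PBKDF2, scrypt, Argon2) is the stronger choice for stored passwords.
        return hashlib.sha512(salt + password.encode("utf-8")).digest()

    def register(self, user, password):
        salt = os.urandom(16)  # per-user random salt defeats precomputed tables
        self.users[user] = {"salt": salt, "hash": self._digest(salt, password),
                            "failures": 0, "locked": False, "last": None}

    def login(self, user, password, now):
        """Return 'ok', 'denied', 'throttled' or 'locked'. `now` is a clock in seconds."""
        rec = self.users.get(user)
        if rec is None:
            # Hash anyway so timing does not reveal whether the user exists.
            self._digest(b"\0" * 16, password)
            return "denied"
        if rec["locked"]:
            return "locked"
        if rec["last"] is not None and now - rec["last"] < MIN_INTERVAL:
            return "throttled"  # rate limit: not counted, not checked
        rec["last"] = now
        if hmac.compare_digest(rec["hash"], self._digest(rec["salt"], password)):
            rec["failures"] = 0
            return "ok"
        rec["failures"] += 1
        if rec["failures"] >= LOCKOUT_ATTEMPTS:
            rec["locked"] = True
            return "locked"
        return "denied"
```

Unlocking is left to an out-of-band administrative step, which is where the voicemail problem from the original question would reappear if handled carelessly.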
I use Lastpass. I get it to auto-generate random 16+ character passwords with a mix of alpha, numeric, upper / lower and special chars. The passwords are totally impossible to remember. Each password is totally unique to the site. I then let it log me into everything after I give it my very long, easy to remember pass-phrase.
XKCD: https://xkcd.com/936/
All those moments will be lost in time, like tears in rain.
I've yet to understand this mentality of stopping the use of passwords.
I understand all the flaws, but here's the question.
If improving security is the goal, why not ADD to the security process.
Add a token generator (like the RSA keys most work places have for VPN)
Add fingerprint/iris scan (for convenience)
People are already used to passwords. As long as the second authentication method is easy and convenient, they will accept it.
If you have a system that lets IT people reset your password on the basis that you know the last 4 digits of your SS number and the month and year of your hire, you might as well use the last 4 digits of your SS number and the month and year of your hire as your password. If you have a system that lets you reset your own password on the basis that you correctly answer some question like your mother's shoe size, then you might as well just use your mother's shoe size as your password. Etc.
Star Trek transporters are just 3d printers.
The place I'm currently at makes me use a 20 character password with characters from at least 3 of 4 groups (numbers, lower case, capitals, punctuation), and to change it every 45 days, and the last 30 passwords cannot be reused. Clearly everyone uses a 'password system' that makes this more insecure, even though it is explicitly denied. Worse, for remote access we have to use three factor authentication (password, pin and RSA token code) anyway. Why can we not just use two factor throughout?
The same company blocks web access to dictionary.com, archive.org and anything related to computer security (hacking) and 3D graphics (games), as well as anything deemed to be file sharing (dropbox, google drive, pastebin - but not gist.github.com or thousands of other similar sites).
Why are such douchebags in charge of IT at such large companies that employ technically competent staff?
CYA; for instance, if you work at a healthcare related company, with the healthcare information privacy protection act they can be seriously damaged if they let private healthcare info out to the wrong people; even leaving a message on somebody's voicemail can be questionable. So, if you set up insanely difficult security, when the inevitable leaks happen, your lawyer just tells the court that the company has done everything possible and they're off the hook. Otherwise, they're screwed, even though whatever they failed to do had nothing to do with the leak.
Passwords are commonly used because they have a lot going for them -
* people understand them
* they're reasonably easy to implement (especially if you are savvy enough that you only store an md5 or whatever, not the password)
* most password interfaces are accessible
You mention phone-based - Google wants me to give them my mobile phone number to enable 2 factor security via SMS, but (1) I don't have a mobile phone, (2) if I did, there's no reception where I live, (3) when I did have one, SMS messages were not free to receive.
Picture-based systems don't work for people who can't see the pictures. So you need to research an alternative that works for blind users, and possibly also a low-bandwidth alternative that does not rely on audio or video as a fallback for blind users.
So your replacement should start out being accessible and should not cost money for the end user, and should not rely on unreliable external systems (phone network) unless those are all OK and a given in your environment - even then, locking out even a single blind or mobility impaired employee because they couldn't see the picture or didn't react quickly enough can open your company to a painful lawsuit large enough to make reverting to passwords seem like a win.
I don't want to put you off from innovating - but innovate to solve real problems that you've measured, with solutions that have been tested, and that introduce as few new problems as possible.
Live barefoot!
free engravings/woodcuts