Passwords are in the news thanks to Gawker media, who had their database of userids, emails and passwords hacked and published on the web. A big part of the fault is Gawker’s, who was saving user passwords (so it could email them) and thus was vulnerable. As I have written before, you should be very critical of any site that is able to email you your password if you forget it.
Some of the advice to users in the wake of this has been to not use the same password on multiple sites, and that’s not at all practical in today’s world. I have passwords for many hundreds of sites. Most of them are like Gawker — accounts I was forced to create just to leave a comment on a message board. I use the same password for these “junk accounts.” It’s just not a big issue if somebody is able to leave a comment on a blog with my name, since my name was never verified in the first place. A different password for each site just isn’t something people can manage. There are password managers that try to solve this, creating a different password for each site and remembering them, but these systems often have problems when roaming from computer to computer, when trying out new web browsers, or when sites change their login pages.
The long-term solution is not passwords at all; it’s digital signatures (though those have all the problems listed above), and it’s not to have logins at all, but instead to use authenticated actions, so that we are neither creating accounts to do simple things nor relying on a federated identity monopoly (like Facebook Connect). This is better than OpenID too.
However, for now we are stuck with passwords, and we are going to be using the same one over multiple sites. The big exception will be sites where your account has real powers, such as at your bank. I use a different password for each site that can spend my money or do other powerful actions. There are only a few that can spend money, but a growing number can do other things (like buy items with pre-stored credit cards and get them shipped to thieves’ houses). While you aren’t liable for such credit card charges, it’s a lot of work to fight them and you would rather avoid it.
The “high security” sites take various steps to try to increase security. Some of them deliberately screw up the login procedure, blocking the saving of your password by password managers. In doing so they screw up two things. First, by blocking password managers they encourage people to use the same password as they use elsewhere, and secondly, it turns out that the filling in of the password by password managers (including the one built into most browsers) is a good anti-phishing technique. If I go to a site and it doesn’t auto-fill the password, that is a sign I should check whether I am really at the site I think I am at, since the password manager is very hard to fool with a phish: it only offers a saved password on the exact site where it was saved.
The second thing they do is time out your sessions, forcing you to log in again if you wait too long to take an action on the site. This is quite annoying when at your own private computer at home, even though it might make sense if you are crazy enough to log in to your bank at an internet cafe.
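The auto-fill-as-phishing-check point above comes down to one rule: a manager stores each credential against the origin (scheme, host and port) where it was saved and only offers it back on that same origin. The following is an added example to illustrate that rule; it is not code from the original post or from any real password manager, and the vault contents and URLs are constructed sample data.

```python
"""Added example (not from the original post): why a password manager's
auto-fill doubles as a phishing check. Credentials are keyed by the exact
origin they were saved on, so a look-alike domain or a plain-HTTP copy of
the page gets nothing offered, which is the reader's cue to check the
address bar. The vault below is constructed sample data."""

from urllib.parse import urlsplit

# Constructed sample vault: origin -> (username, password).
# A real manager keeps this encrypted; only the matching rule matters here.
VAULT = {
    "https://www.example-bank.com": ("alice", "correct horse battery staple"),
    "https://accounts.example-mail.net": ("alice@example-mail.net", "hunter2!"),
}


def origin_of(url: str) -> str:
    """Reduce a URL to its origin: scheme://host[:port], lower-cased.
    Default ports are dropped so https://host:443/ equals https://host/."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def autofill(url: str):
    """Return the saved (username, password) for this page's origin, or None
    when the manager has nothing for it. Path and query are ignored, as a
    site's login page may move; host, scheme and port must match exactly."""
    return VAULT.get(origin_of(url))


def explain(url: str) -> str:
    """Human-readable verdict, the way a browser bar might phrase it."""
    if autofill(url) is None:
        return f"no saved login for {origin_of(url)}: check that this is really the site you meant"
    return f"saved login offered for {origin_of(url)}"


if __name__ == "__main__":
    for u in ("https://www.example-bank.com/login?next=/accounts",
              "https://www.example-bank.com.account-check.test/login",
              "http://www.example-bank.com/login"):
        print(explain(u))
```

Note that a hostname containing the real site's name as a prefix is still a different origin, which is exactly the case the text says a human eye tends to miss and the manager does not.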
In a similar effort, they will sometimes ask you to re-enter your password when doing certain actions. This makes more sense than a timeout, and can defend against session hijacking tools like Firesheep — though the best defence there is just to use an SSL/TLS session at all times, and all sites should be doing this. (Note: If we are on an SSL session and I just logged in 30 seconds ago, it is not necessary to ask twice.)
I propose something even stronger. The bank should indeed ask for a password again when doing something “big” like a money transfer to a stranger’s account. But this should be, optionally, a different password than the main login password. That’s because I am much more worried about somebody transferring out my money than I am about them seeing my bank balance. (Not that I want them to see my bank balance or other data, but simply that I want even more security on the money transfers.)
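The two-level scheme proposed here, together with the note above that a password proven a few seconds ago need not be asked for again, can be written down as a small session model: level 1 (the login password) grants read access, level 2 (a separate transaction password) is needed for a transfer, and a level-2 proof stays valid for a short freshness window. This is an added example, not code from the original post or from any bank; the password hashing parameters, the 30-second window, the sample account and the method names are all assumptions.

```python
"""Added example (not from the original post): a session with two credential
levels. Level 1 is the login password; level 2 is a separate transaction
password required for "big" actions and re-requested once its last proof is
older than FRESH_SECONDS. Cost parameters, window and account are assumptions."""

import hashlib
import hmac
import os
import time

ITERATIONS = 100_000   # assumed PBKDF2 cost; tune for the real deployment
FRESH_SECONDS = 30     # the "just logged in 30 seconds ago" window from the post


def make_hash(password: str):
    """Salted PBKDF2-HMAC-SHA256 digest; each level gets its own salt."""
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify(password: str, salt: bytes, digest: bytes) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)   # constant-time comparison


class Account:
    """Constructed sample account with distinct login and transaction passwords."""
    def __init__(self, login_pw: str, transfer_pw: str):
        self.login_cred = make_hash(login_pw)
        self.transfer_cred = make_hash(transfer_pw)


class Session:
    """Records when each level was last proven. The clock is injectable so
    the freshness rule can be exercised without sleeping."""
    def __init__(self, account: Account, clock=time.monotonic):
        self.account = account
        self.clock = clock
        self.proved = {}   # level -> time of last successful proof

    def login(self, password: str) -> bool:
        if verify(password, *self.account.login_cred):
            self.proved[1] = self.clock()
            return True
        return False

    def step_up(self, password: str) -> bool:
        """Prove level 2 with the transaction password. Needs an existing
        level-1 session; the login password never unlocks level 2."""
        if 1 not in self.proved:
            return False
        if verify(password, *self.account.transfer_cred):
            self.proved[2] = self.clock()
            return True
        return False

    def _fresh(self, level: int) -> bool:
        t = self.proved.get(level)
        return t is not None and self.clock() - t <= FRESH_SECONDS

    def view_balance(self) -> str:
        if 1 not in self.proved:
            return "denied: not logged in"
        return "balance shown"

    def transfer(self, amount: int, to: str) -> str:
        if 1 not in self.proved:
            return "denied: not logged in"
        if not self._fresh(2):
            return "step-up required"
        return f"transferred {amount} to {to}"


if __name__ == "__main__":
    s = Session(Account("login-pw", "transfer-pw"))
    s.login("login-pw")
    print(s.view_balance(), "|", s.transfer(100, "stranger"))
    s.step_up("transfer-pw")
    print(s.transfer(100, "stranger"))
```

The design choice worth noting is that level 2 is a separate credential with its own salt and hash, not a re-prompt for the login password: someone who has watched or captured the login password, or walked up to an unlocked session, can still read but cannot move money.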
A better example might be my frequent flyer account. No, I don’t want people to be able to see my FF balance and the log of trips that earned miles which you can see if you get into that account, perhaps by coming up to my computer while I am away. But I really don’t want them spending my miles, and that should require the second level of security.
The idea of two levels makes sense for password managers or digital signature authentication systems too. With most password managers, unless they run on a very private machine, you need to enter a master password to get at all the passwords. Typically you enter it once at the start of a browser session, and perhaps once a day after that. The password manager should understand the concept of deeper levels of security, and require another master password (or passwords) for access to those.
That becomes important because while I log on to the airline site frequently, I only book a trip with miles quite rarely, perhaps once a year or less. I won’t remember a password I use that infrequently, especially if it’s different for every such site.
In the long run, I believe that we need to move to a hardware token for authentication. This token would probably be your mobile phone (or rather a secured and walled-off segment of your mobile phone) combined with a small thumb-sized USB device that you always carry with you.