20061204

Biometrics, take me away!

Passwords are a real pain. Every program that your company "lets" you use for your job requires a password. I get that, and I'm fine with it in general, but sometimes the IT folks, in their diligence to be measured favorably, don't seem to give a hoot about usability. Let's face it, without me doing my job we really don't need them, so how easy or hard it is to do my job does matter a little bit. Requiring me to change my password "periodically" seems innocuous...at first. Until you read the fine print.

Let's see...I have only a small number of corporate accounts requiring password authentication. They are:

  1. General corporate Internet access account.
  2. My computer's workgroup account.
  3. My company's email client account.

Each of these accounts requires me to use a password, and to change it "periodically". What does that really mean? Here are the rules:

  1. You need to use a "strong" password. That usually means something difficult to guess. The IT folks define "strong" as having both letters and numbers, and not using any known or easily guessed names, words, or phrases. A password like "b42wd3fg" is considered "strong".
  2. You must change your password periodically. For the IT folks, periodically means every 90 days.
  3. You cannot repeat the use of a password for a "while". This is where things get interesting. For our wonderful IT folks, that means NEVER. But they are more reasonable than that. They'll let you repeat a password, but only after you have used FIFTY other passwords. Yep, that's right. No repeats until after 50 unique passwords have been used.

Now if you combine these three rules, over the three separate accounts I have, you begin to see the issue. This "simple" procedure mushrooms into an ungodly mess.
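To make the three rules concrete, here is an added example (not from the original post) that enforces them the way a sane account system would: the "strong" check from rule 1, a hashed 50-password history for rule 3 so the reuse check never stores plaintext, and the 90-day expiry from rule 2. It then lists the forced-change dates for three staggered accounts, which is where the unsynchronized cycles show up. The word list, iteration count, and account names are constructed for the example.

```python
import hashlib
import hmac
import os
import re
from datetime import datetime, timedelta

# Policy knobs, taken from the three rules above.
MAX_AGE_DAYS = 90      # rule 2: change every 90 days
HISTORY_DEPTH = 50     # rule 3: no reuse until 50 other passwords have been used
PBKDF2_ITERATIONS = 20_000   # kept low for the example; tune higher in production

# Constructed stand-in for a real "known words" dictionary (an assumption).
BLOCKED_WORDS = {"password", "letmein", "welcome", "company", "admin"}


def is_strong(password: str) -> bool:
    """Rule 1: letters AND digits, and no known or easily guessed word inside it."""
    if len(password) < 8:
        return False
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)):
        return False
    lowered = password.lower()
    return not any(word in lowered for word in BLOCKED_WORDS)


class PasswordAccount:
    """One account: a hashed history of the last HISTORY_DEPTH passwords plus the last change date."""

    def __init__(self, name: str, first_password: str, now: datetime):
        self.name = name
        self.salt = os.urandom(16)          # one salt per account, so history digests are comparable
        self.history: list[bytes] = []      # oldest first, bounded to HISTORY_DEPTH entries
        self.changed_at = now
        ok, reason = self.change(first_password, now)
        if not ok:
            raise ValueError(reason)

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, PBKDF2_ITERATIONS)

    def is_expired(self, now: datetime) -> bool:
        """Rule 2: the password is due once 90 days have passed."""
        return now - self.changed_at >= timedelta(days=MAX_AGE_DAYS)

    def change(self, new_password: str, now: datetime) -> tuple[bool, str]:
        """Apply rules 1 and 3, then record the new password and reset the clock."""
        if not is_strong(new_password):
            return False, "not strong: needs letters and digits, no known words"
        digest = self._digest(new_password)
        # Rule 3: compare against every stored digest in constant time.
        if any(hmac.compare_digest(digest, old) for old in self.history):
            return False, f"reused within the last {HISTORY_DEPTH} passwords"
        self.history.append(digest)
        del self.history[:-HISTORY_DEPTH]   # drop entries older than the last 50
        self.changed_at = now
        return True, "ok"


def forced_changes(accounts: list[PasswordAccount], end: datetime) -> list[tuple[datetime, str]]:
    """Every (date, account) at which a new password must be invented before `end`."""
    events = []
    for acct in accounts:
        due = acct.changed_at + timedelta(days=MAX_AGE_DAYS)
        while due <= end:
            events.append((due, acct.name))
            due += timedelta(days=MAX_AGE_DAYS)
    return sorted(events)


if __name__ == "__main__":
    start = datetime(2006, 12, 4)
    accounts = [
        PasswordAccount("internet", "b42wd3fg", start),
        PasswordAccount("workgroup", "q7m2zr4k", start + timedelta(days=30)),
        PasswordAccount("email", "x9t3vn6p", start + timedelta(days=60)),
    ]
    for when, name in forced_changes(accounts, start + timedelta(days=365)):
        print(when.date(), name)
```

Running the main block prints ten separate change dates in the first year, none of them coinciding, which is the "beating" effect: three accounts on 90-day clocks that started on different days never line up again.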

Every 90 days I'm forced to come up with a new, unique, strong password, one that does not repeat any of my previous 50 passwords, for each of my three accounts.

Sure, I could try to use the same password for each account. Problem is, the 90-day renewal cycles are not synchronized, and eventually they will "beat" against each other mercilessly.

Bottom line: Anybody who thinks this is the best way to safeguard our security is an idiot. Here are two better ways:

  1. Dongle. Use a USB key as a physical dongle that needs to be inserted into the USB port of the computer you are trying to access. The key generates a random, rotating code that cannot be copied or subverted. Add to it a simple, easy-to-remember password that I don't have to change very often and you have GOOD ENOUGH security unless you are in charge of nuclear weapons.
  2. Biometrics. Please, PLEASE, someone get this right. If the USB dongle alone is not enough, add a simple fingerprint scanner to the USB key itself. I've seen these things in the wild, but they don't really work well enough or correctly yet. Here is just one example. There is no reason this could not work extremely well if someone really wanted to perfect the technology.

Combining #1 and #2 above would provide a robust and secure AND simple-to-use system that would provide acceptable security for 90+% of the world's applications.
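The "random, rotating key" in #1 is what a one-time-password token does: a secret shared between the key and the server, plus a counter, fed through an HMAC (the HOTP construction from RFC 4226). The added example below, which is not from the original post, shows both sides of that exchange: a simulated token that emits a fresh code on each press, and a server that accepts a login only when the short, rarely changed PIN from #1 AND a live token code are both right, burns each code after use so it cannot be replayed, and tolerates a few unused presses via a look-ahead window. The token secret, the PIN, and the window size are constructed for the example; the fingerprint step in #2 is not modelled.

```python
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte counter, dynamically truncated to `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HardwareToken:
    """The dongle side: holds the secret and a counter that advances on every press."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class TwoFactorVerifier:
    """The server side: salted-hashed PIN plus the expected token counter."""

    def __init__(self, token_secret: bytes, pin: str, look_ahead: int = 5):
        self.secret = token_secret
        self.counter = 0              # next counter value the server expects
        self.look_ahead = look_ahead  # how many unused presses we forgive (design choice)
        self.salt = os.urandom(16)
        self.pin_hash = self._hash_pin(pin)

    def _hash_pin(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, 20_000)

    def verify(self, pin: str, code: str) -> bool:
        """Both factors are always evaluated; only a combined yes/no is returned."""
        pin_ok = hmac.compare_digest(self._hash_pin(pin), self.pin_hash)
        matched = None
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.secret, c), code) and matched is None:
                matched = c
        if not (pin_ok and matched is not None):
            return False        # counter is NOT advanced on failure
        self.counter = matched + 1   # burn the matched code and any skipped ones
        return True


if __name__ == "__main__":
    secret = b"12345678901234567890"     # RFC 4226 test-vector secret, constructed here
    token = HardwareToken(secret)
    server = TwoFactorVerifier(secret, pin="2468")
    code = token.press()
    print("first login:", server.verify("2468", code))    # True
    print("replayed code:", server.verify("2468", code))  # False
```

The security property worth noticing is that a stolen PIN alone or a copied code alone gets an attacker nothing: the PIN is useless without the physical key's next code, and any code is single-use. That is why the PIN in #1 can stay simple and unchanged for a long time.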

Why is this not done today? Simple. The IT folks are not measured on "simple-to-use" so they don't care. No one is sufficiently motivated to make this problem go away. As with most things, wherever there is a "loose connection" between a problem and its solution, the solution never happens.
