I just read another article about how passwords are not safe because they are too easily cracked by “offline means such as custom-built password cracking hardware and software.” This article, along with the scores of similar posts around the echo chamber of information security, still misses the point.
Premise: Password crackers exist to recover passwords from stolen password hashes (loosely, and incorrectly, described in these articles as “breaking encryption”) by guessing faster than the storage scheme can resist.
Suggested Response: Make users create more complex passwords, which puts the onus for the security of the password on the end user.
Reality: Technology in general, and password cracking hardware and software specifically, will continue to improve, creating what a friend of mine calls the “shiny red button problem.” It's also colloquially known as an arms race: every gain in cracking throughput is a loss for a user whose password length and complexity were fixed at the moment they chose it. Continuing to force users into longer and more creative passwords is therefore the wrong thing to do.
I can hear a lot of my peers in the information security industry screaming right now “Exactly! We need to implement passphrases/multi-factor authentication/single-sign on/technology du jour and we need to do it now!” With all due respect to my peers, they're also missing the point.
Let me ask a hypothetical question: when a bank vault or a safety deposit box is robbed, do the bank, the FDIC and the government come out and say “Well, Mr. and Mrs. Customer, the key you use to lock up that safety deposit box is insecure, so here's a more complicated, too-heavy-to-carry-around, one-time-use key to use next time”? No. They (as well as the customers) demand that the BANK do a better job of protecting the vault and the safety deposit boxes.
And therein lies the problem. When a password database is stolen or leaked, the people who are punished are the end users, when those who should be held accountable are the ones entrusted with that password database in the first place. There are far better ways to store a password database than a fast, unsalted hash: a per-user random salt plus a deliberately slow password hashing function (bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count) raises the cost of every offline guess regardless of what the user chose. There are controls and procedures that can be put in place to protect that password database. But there's no incentive for the responsible party to implement stronger mechanisms, because they know what is going to happen: the outcry will be against passwords themselves, or against the users who chose “poor” passwords (usually both), and not against them. That's not always true, of course, but in the majority of cases it is.
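To make the storage point concrete, here is an added example (written for this edit, not code from the original post or from any particular vendor) that puts a weak scheme, an unsalted fast hash, beside a hardened one, a per-user salt with PBKDF2-HMAC-SHA256, and runs the same offline dictionary attack against both. The users, their passwords and the attacker's word list are constructed sample data, and the 600,000 iteration count is an assumed work factor. The attack functions return how many hash computations the attacker had to pay for, which is the number the “arms race” is really about.

```python
import hashlib
import hmac
import os

# Constructed sample data: two users sharing a common password and one with a
# less common one. These are not real credentials.
USERS = {"alice": "password", "bob": "password", "carol": "Tr0ub4dor&3"}
WORDLIST = ["123456", "password", "qwerty", "letmein"]  # constructed attacker list

# Assumed work factor; the right value is whatever makes one guess cost the
# attacker as much as the site can tolerate on a login.
PBKDF2_ITERATIONS = 600_000


def weak_store(password: str) -> str:
    """Weak scheme: unsalted, fast hash. Same password -> same digest for everyone."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_verify(record: str, candidate: str) -> bool:
    return hmac.compare_digest(record, weak_store(candidate))


def strong_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Hardened scheme: per-user random salt plus a slow key derivation.

    The record carries its own parameters so the work factor can be raised later
    and old records re-hashed on next login.
    """
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(record: str, candidate: str) -> bool:
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    # Constant-time comparison so verification timing leaks nothing about the digest.
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


def attack_weak(records: dict, wordlist: list) -> tuple:
    """Offline attack on unsalted hashes: hash each guess once, then look it up
    against every user. Cost is len(wordlist) no matter how many users leaked."""
    table = {weak_store(w): w for w in wordlist}
    cracked = {user: table[digest] for user, digest in records.items() if digest in table}
    return cracked, len(wordlist)


def attack_strong(records: dict, wordlist: list) -> tuple:
    """Offline attack on salted, slow hashes: the salt forces a fresh derivation
    for every (user, guess) pair, and each derivation costs the full iteration count."""
    cracked, work = {}, 0
    for user, record in records.items():
        for guess in wordlist:
            work += 1
            if strong_verify(record, guess):
                cracked[user] = guess
                break
    return cracked, work


if __name__ == "__main__":
    weak_db = {u: weak_store(p) for u, p in USERS.items()}
    strong_db = {u: strong_store(p) for u, p in USERS.items()}
    print("weak:   identical digests for alice/bob:", weak_db["alice"] == weak_db["bob"])
    print("weak:   cracked, hash computations:", attack_weak(weak_db, WORDLIST))
    print("strong: identical records for alice/bob:", strong_db["alice"] == strong_db["bob"])
    print("strong: cracked, KDF computations:", attack_strong(strong_db, WORDLIST))
```

Both schemes give up the two users whose password is on the word list; the user's choice did not change. What changed is the price: against the weak store the attacker hashes the word list once and reuses the result for every account in the leak, while against the salted, slow store each account costs a separate run of the full derivation per guess, so the same four-word list costs twice as many computations for three users, each of which is several hundred thousand times more expensive. That multiplier is set by the operator, not the user.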
Do we need “better” passwords and more sophisticated identity and access management systems? Yes, but not because passwords themselves are inherently insecure; rather, because the way that systems and users interact has changed over the years. Passwords have been used for decades, and there are who knows how many millions of them in use today without incident.
In the long run it is cheaper and more effective for companies to focus on improving how they store and use passwords than to force users to choose “more complex” ones. The former results in much happier users, which translates into more loyal customers; the latter results in failed login attempts, frustrated users and insecure workarounds (passwords written down, reused, or varied by one character) that cause more harm than good.
If you're a company that has end users of any sort, do the right thing and do a better job of protecting your password repositories and quit blaming the victim.