The first problem with passwords on the web is that passwords alone are not strong authentication. The second problem is that people have too many of them to remember.
Some people will reuse the same password on several different services, leaving all those services vulnerable if their password is compromised through any one of them. Other people use different passwords for several different services, but need to resort to writing passwords down or making heavy use of ‘forgotten password’ features because they are too hard to remember.
In the offline world, pretty good authentication can be achieved by combining a card with a PIN. This is an implementation of two-factor authentication. In short, this means that authentication is based not just on something a person has in their possession (like a key or card), something a person knows (like a PIN or password) or their own body (like a fingerprint or DNA), but on at least two of those three categories. The principle behind this is that it is significantly more difficult for an attacker to steal your identity if they need to both obtain something you have, and find out something you know. When your bank card is stolen, the thief cannot access your account unless they also know your PIN. If your PIN is guessed, overheard or intercepted somehow, the snoop cannot access your account without your card.
Online, however, strong authentication is a lot more difficult, because authentication has to rely almost entirely on something you know. This means that rather than just being one factor in authenticating you, your user name and password combination becomes the only factor. It becomes a lot easier for someone to steal your identity, as they only need to intercept your password somehow.
When we sign up for online accounts, we are told to create passwords that are “strong”, and unique. The general idea of “strong” here is hard to guess, but also helps with “hard for someone to see over your shoulder”. However, a strong password still does not protect against a situation where someone bugs your computer, or your ISP’s computer, and sees your password as it is transmitted. This is relatively easy to do – as easy as exploiting a bug on any software in your system or your ISP’s, or ISPs betraying your trust, etc.
In making passwords stronger, too, they are also made harder to remember. This is a good thing to a point. It means that someone who does overlook you typing your password is less likely to recall it or catch all the letters. But after a point, being harder to remember really detracts from security, because users are more likely to write them down in order to remember them. When the password is the only secret thing that can authenticate a person for an online account, having that password written down makes a less than ideal situation worse. It means that the password now becomes vulnerable not only to eavesdropping, but also to physical theft. Comparing this to two-factor authentication, we have gone in the opposite direction. Not only is there only a single factor, but there are two types of vulnerabilities for this single factor, and an attacker can choose either.
The number of accounts we need to authenticate ourselves (prove our identity) for is growing. It is not uncommon for someone to have a dozen different accounts or more for different online services, ranging in importance from online bank accounts and auction websites right down to simple blogs and discussion forums.
If we are to assume that people use different passwords for each, we are expecting too much for them all to be remembered. It is common practice for people to just write them all down, but as stated that detracts from security.
The alternative for users is to re-use the same password for multiple accounts, but this is putting all their eggs in one basket. If their one good password is compromised, then all these accounts are vulnerable. If your password is stolen or intercepted, it may not even be your fault – a company hosting one of your accounts may have let it slip through negligence.
A reasonable person probably uses a combination of the above – using unique passwords on only those very important accounts such as their online banking, while re-using a common good password for everything else.
OpenID is a distributed authentication mechanism which aims to let someone log in to accounts with several different companies, without exposing their password to those companies. The password is sent only to the single OpenID provider, which authenticates the person and then signals to the company that the person has been authenticated according to that OpenID account.
This helps cut down the number of ways that a password could be intercepted. However, it does not change the fact that if that one single password does get compromised, the attacker can gain (albeit temporary) access to all those accounts. In fact, it could make it worse: upon gaining entry to your OpenID account, the attacker might be presented with a nice little list of all approved providers – IE a list of where they can use this OpenID account. This would depend on the OpenID provider.
Educating users is something that does not work as well in practice as it does in intention. Most users already know that they should not write down their passwords, and they should be as strong and unique as possible. However, they will continue to behave in the way that is most convenient need to them, creating easier to remember passwords, re-using them, or writing them down, just to make it easier to deal with so many.