Cisco switches to weaker hashing scheme, passwords cracked wide open

Discussion in 'other security issues & news' started by ronjor, Mar 20, 2013.

Thread Status:
Not open for further replies.
  1. ronjor (Global Moderator)

    Joined: Jul 21, 2003. Posts: 163,849. Location: Texas.

    http://arstechnica.com/security/201...r-hashing-scheme-passwords-cracked-wide-open/
     
  2. Mman79 (Registered Member)

    Joined: Sep 19, 2012. Posts: 2,016. Location: North America.

    Eventually we're going to have to find something better than passwords. Forget length and randomness, the human element involved is the problem. Biometrics and face recognition are fine (but also extremely fallible) for physical location security, but not for website log-ins.

    One effective, but rather inefficient method would be to provide customers with physical authenticators such as Blizzard uses for its games. Currently you still use a password to log in, but it also requires you to insert a six-digit number given to you by the physical authenticator device sent to you by Blizzard. The code is valid only one time, after which you press a button and get a new code for the next log in. If you lose it, the company can simply deactivate it by serial number. However, the downside is that for it to be a reasonable suggestion, every company you have an account with would need to participate in and offer such a program. This leads to lots of money spent by companies having the device made and shipped, and of course money spent by customers purchasing the devices (Blizzard charges 7 dollars itself).

    Another problem would be the obvious issue of bad folk getting their hands on the devices and doing their thing.
     