A while back the University of Edinburgh changed some of its guidance around passwords. In my 1Password app, I counted over 250 passwords. Some of these are old and no longer used, but the large number reflects the nature of academic life, in which information and knowledge flow more across institutional boundaries than within them. My bugbear is, of course, the NHS and its practice of making people remember hard passwords and change them every 3-4 weeks. This is simply bad practice: forced frequent rotation leads people to write passwords down close to where they use them, or to choose more guessable ones. Another example of bad practice is below.
Slashdot asks if password masking — replacing password characters with asterisks as you type them — is on the way out. I don’t know if that’s true, but I would be happy to see it go. Shoulder surfing, the threat it defends against, is largely nonexistent — especially with personal devices. And it is becoming harder to type in passwords on small screens and annoying interfaces. The IoT will only exacerbate this problem, and when passwords are harder to type in, users choose weaker ones.