Content providers phishing for demographic data via logins
- Wednesday, 09 June 2010 10:33
There has been a steady flow of academic studies into the insecurity of the username/password authentication system (a number of which we've covered at Ars) that suggest it's doomed to failure: humans have a limited memory capacity for unique strings of random characters, which is precisely what most experts recommend as a secure password. A pair of academic researchers from Cambridge have analyzed the use of passwords by many prominent online sites, and found that many of them require passwords as a sort of security theater, demanding them in contexts where they are superfluous while failing to do their part to secure the information on their end. The end result, they argue, is a tragedy of the commons, with the commons being the finite memory of the average user.
The paper in which the duo make this argument was presented at the Workshop on the Economics of Information Security, and the paper itself is an interesting mix of economic arguments and security analysis. We'll go through the latter first before tying it back together with the former.













