Password best practices have changed, said Squire. The current guidance is that systems should allow users to specify passwords that are as long as they want, with no requirement to use or avoid particular groups of characters (eg, "between eight and 14 characters, with at least one upper case letter and at least one digit" is out).
The reason is that this maximises the set of possible passwords – setting a maximum and minimum length along with character mandates reduces the space that an attacker needs to search.
This relatively new guidance is not widely known or used in the private sector, she observed.
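To make the keyspace argument above concrete, here is an added example (not part of Squire's talk) that counts how many passwords a composition rule such as "8 to 14 characters, at least one upper-case letter and at least one digit" leaves an attacker to search, compared with the same length range without the rule, and compared with lifting the length cap. It assumes a 95-character printable-ASCII alphabet; the count uses inclusion-exclusion.

```python
# Keyspace arithmetic for password composition rules (added example).
# Assumption: passwords are drawn from the 95 printable ASCII characters,
# of which 26 are upper-case letters and 10 are digits.
PRINTABLE = 95
UPPER = 26
DIGIT = 10


def unconstrained(min_len, max_len, alphabet=PRINTABLE):
    """Number of strings of length min_len..max_len with no composition rule."""
    return sum(alphabet ** n for n in range(min_len, max_len + 1))


def with_composition(min_len, max_len, alphabet=PRINTABLE,
                     upper=UPPER, digit=DIGIT):
    """Number of strings of length min_len..max_len that contain at least one
    upper-case letter AND at least one digit (inclusion-exclusion).

    For each length n:
      all strings           alphabet**n
      minus no upper-case   (alphabet - upper)**n
      minus no digit        (alphabet - digit)**n
      plus  neither         (alphabet - upper - digit)**n   (subtracted twice)
    """
    total = 0
    for n in range(min_len, max_len + 1):
        total += (alphabet ** n
                  - (alphabet - upper) ** n
                  - (alphabet - digit) ** n
                  + (alphabet - upper - digit) ** n)
    return total


def fraction_searched(min_len, max_len):
    """Share of the unconstrained keyspace that the composition rule leaves."""
    return with_composition(min_len, max_len) / unconstrained(min_len, max_len)


if __name__ == "__main__":
    # The "8-14 characters, one upper, one digit" policy from the text.
    print(f"composition rule keeps {fraction_searched(8, 14):.1%} of the 8-14 keyspace")
    # Dropping the 14-character cap (here: allowing up to 64) dwarfs both.
    growth = unconstrained(8, 64) // unconstrained(8, 14)
    print(f"removing the cap multiplies the keyspace by about 10^{len(str(growth)) - 1}")
```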
Furthermore, it can be hard to remember exactly how you entered a particular answer (Fido or fido?), and deliberately false answers are even harder to remember, especially as the first time you're asked the secret question could be five years after you created the account.
She favours email-based account recovery, but thinks email providers should have systems in place to warn organisations when the address they use to contact a customer has been compromised.
Squire also noted that a growing number of people are using identity services such as a Google login rather than having a separate account with each site or service. "Some people are afraid of that... I actually think it is a good thing" because those providers do a good job of security, usually better than smaller organisations manage.
But you do need to use a strong password and two-factor authentication, she warned.
Looking ahead, the number of times you need to enter your password is likely to drop significantly, suggested Squire.
She expects "behavioural biometrics" to become the norm within three to five years. The idea is to identify individuals by the way they hold their phone, for example, or the hours they work. Other characteristics that have been proposed include gait (walking pattern) and typing rhythms and speeds.
Passwords could be requested if the user tries to do something unusual. Buying a low-cost item online and having it shipped to your home address wouldn't be unusual, but having an expensive purchase shipped to an address in another country probably is – at least until the system has worked out that each year you send a generous birthday present to a particular relative who lives overseas.
This type of approach probably won't work for shared devices, especially in a business context, she conceded.