You beat me to it on basically every point I was going to make, with the exception of this:
Keyloggers and social engineering are not reasons to avoid using passwords. They're reasons to think before you act. They're reasons to know something about how to secure your computing environment, intelligently, and to avoid circumventing the security protections that environment provides. Period.
The whole article was absurd, and pretty typical. As I said in another TR article, "Don't Be Fooled By The Argument Against Unique Passwords" [1] . . .
QUOTE: These days it seems like every time we turn around someone has written another article that gives "security" advice directly contradicting actual secure practice:
QUOTE: * Don't use strong passwords! Just use whatever you'll remember!
QUOTE: * It's okay to use one password for everything as long as it's a strong one!
QUOTE: * You don't have to use a strong password as long as it's uncommon!
It's usually someone who has just barely learned enough about security to be dangerous, and has sometimes just barely learned enough about some other technology he or she thinks can make passwords obsolete to assume he or she understands it without, y'know, actually understanding it. That's exactly what has happened here, of course -- behavioral profiling is no silver bullet and, as you pointed out bboyd, is only suitable as an enhancement to the security provided by common multifactor authentication methods (and not as a replacement for them).
The problem with passwords is merely one of education and UI, and not endemic to passwords themselves at all. I have written about "How To Get People To Use Strong Passwords" [2] here at TR as well, and about how to get people to care enough to actually employ their brains with regard to security in "Like Passwords For Chocolate, Coming Soon To A Security Theater Near You" [3]. In that latter case, I made the point that:
QUOTE: The biggest problem with password security today is not that they are too long and too hard to remember. In fact, "How to get people to use strong passwords" [2] explains how we can neatly defuse that little issue. It is not that password policies are often abysmally bad, as in the case described in "How does bad password policy like this even happen?" [4], though that definitely is a problem. It is not even the way bad security advice masquerades as common sense for people who lack an understanding of how to solve both of those issues, a growing epidemic identified in "Don't be fooled by the argument against unique passwords" [1].
QUOTE: The biggest problem with password security today is simple:
QUOTE: Nobody cares.
You need to do three things to make sure people's data, finances, and other digitally-exposed resources are secure:
1. Educate them.
2. Get them invested.
3. Give them control.
Part of both points 2 and 3 is making things easy. That's where selling people on password managers first and foremost, rather than the passwords themselves, comes in.
---
NOTES:
1. http://blogs.techrepublic.com.com/security/?p=4739
2. http://blogs.techrepublic.com.com/security/?p=5366
3. http://blogs.techrepublic.com.com/security/?p=5368
4. http://blogs.techrepublic.com.com/security/?p=528