Spare us from password purgatory: Infinite logins don't make us safer, just angry

The password system is broken - it's time for a users' revolt...

Password systems have become so demanding they are risking our security, says's Natasha Lomas.

Forget email bankruptcy - I'm declaring password bankruptcy. The modern user no longer surfs the net, he or she blunders from access denial to access denial, lost in a fog of half-remembered passwords.

Cleared your cookies or cache lately? If you have, prepare to behave like a code-breaker and cycle through the mental lexicon of possibilities that might just unlock this particular digital door. Internet law states that only after you've hit the forgotten-my-password link, refreshed your inbox 1,000 times, clicked on the reset-password link and typed in a new password will you - finally - hit on the password you'd just forgotten to remember.

At which point you will be denied the ability to change your password to the password you now remember, on the Catch 22 grounds that you've used that password before. And lo, before you can stop them, your fingers will have scuttled across the keyboard giving digital life to yet another password - one so guessable it would make a three-year-old blush, or so cryptic there's not a snowflake's chance in hell you'll remember it next time you want to play Goo or buy a bra or shorten a URL or check out your Twitter Klout score.

Lock and key: Password security is broken

Too many web services require passwords, yet users can only memorise a finite number of virtual keysPhoto: woodleywonderworks

And so the cycle of password purgatory goes on, in this less than Divine Digital Comedy, 4Ever&eVaAMEN1111$.

In short, as columnist Peter Cochrane recently noted, the password system is broken, it's "not longer fit for purpose". And moreover, as the News of the World phone hacking scandal amply illustrates, having a password or PIN gating a service does not in any way guarantee its sanctity from prying eyes and ears. Not where humans are involved. Quantum key cryptography this is not.

The problem with online passwords is one of proliferation. Every web service, app and device under the sun seems to require a login these days. So that's typically two bits of information to memorise per service - a username and a password. And, boy, do those bits soon add up.

Using the same password for lots of services is of course a Cardinal Digital Sin. So too is using stupidly easy passwords such as Password. And 123456 won't win you any security awards either, so step away from those all-too-easy-to-type keys. There's a really obvious reason why web users reach for friendly and familiar passwords, rather than conjuring up fiendishly complex ciphers that will absolutely secure their digital perimeters: our memory isn't perfect. Nor is our brain's storage capacity infinite.

Fair enough to ask for eye-wateringly complex passwords when I'm logging into my bank online. In that instance, I really don't mind wearing a special wireless hat while repeating a unique foot-shuffle on a digital floor mat in the privacy of my own home - hey, the funds in my bank account are at stake.

But passwords, and increasingly demanding passwords, are required for all sorts of apps these days - be it a news site you might like to read occasionally, an app that paints comedy moustaches on to every face in your photo album, or a shop you want to buy one item from once and probably won't need to revisit this century.

How many login-able services does the average web user use in their day-to-day digital activities? I can think of...