I must have said this hundreds of times already, so it should not come as a shock: the age of passwords should have ended a long time ago. There are reasonably good defenses against online password attacks (lockouts, rate limiting, monitoring), but an attacker who obtains a copy of the hashed (or reversibly encrypted) password database bypasses all of them: from that point the guessing happens offline, where none of those controls apply. An article on Ars Technica really drove that point home: 25-GPU cluster cracks every standard Windows password in 6 hours.

These capabilities are not new, but until recently they were believed to be within reach only of nation states. As the article points out, it is now possible to build your own brute-force password cracker for less than $5,000.
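To make the offline point concrete, here is an added example (my own illustration, not code from the Ars Technica article or the cluster it describes). It builds a constructed, deliberately tiny "leaked" table of unsalted single-round MD5 hashes, which stands in for the fast unsalted NTLM hashes that cluster attacked, and brute-forces it with nothing but raw hash throughput: no lockout, no rate limit, no alerting. It also shows the one thing a defender controls on the storage side, a salted, iterated KDF (PBKDF2 here), and measures how much more each guess costs. The user names, passwords, salt and iteration count are all made up for the demonstration.

```python
import hashlib
import itertools
import string
import time

# Constructed sample data (not from the article): three users whose short
# passwords were stored as unsalted fast hashes and then leaked.
ALPHABET = string.ascii_letters + string.digits          # 62 symbols
SAMPLE_PASSWORDS = {"alice": "Qe7", "bob": "x9", "carol": "Qe7"}


def fast_hash(password: str) -> str:
    """Unsalted single-round MD5: a stand-in for NTLM (MD4), i.e. one cheap
    operation per guess and no per-user salt, so one guess tests every user."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = 200_000) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: the same guess now costs
    `iterations` HMACs and must be recomputed per user because of the salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               salt, iterations).hex()


def make_leaked_db(passwords: dict) -> dict:
    """What an attacker holds after dumping a table that stored fast_hash()."""
    return {user: fast_hash(pw) for user, pw in passwords.items()}


def crack_offline(leaked_db: dict, max_len: int = 3):
    """Exhaustively try every string over ALPHABET up to max_len characters
    against all leaked hashes at once. There is no lockout, throttling or
    logging here; the attacker's only limit is hash throughput, which is
    exactly what a GPU cluster buys.
    Returns (recovered {user: password}, number of guesses hashed)."""
    targets = {}
    for user, h in leaked_db.items():
        targets.setdefault(h, []).append(user)   # same hash => same password
    recovered, guesses = {}, 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(ALPHABET, repeat=length):
            guesses += 1
            candidate = "".join(combo)
            users = targets.get(fast_hash(candidate))
            if users:
                for user in users:
                    recovered[user] = candidate
                if len(recovered) == len(leaked_db):
                    return recovered, guesses
    return recovered, guesses


def cost_ratio(samples: int = 10) -> float:
    """Measure how many fast_hash() calls fit in the time of one slow_hash()
    call on this machine; the ratio is the factor by which a slow KDF
    multiplies the attacker's bill for the same keyspace."""
    salt = b"constructed-salt"                    # made-up salt for the demo
    t0 = time.perf_counter()
    for i in range(samples):
        slow_hash("guess%d" % i, salt)
    slow = (time.perf_counter() - t0) / samples
    t0 = time.perf_counter()
    for i in range(samples * 1000):
        fast_hash("guess%d" % i)
    fast = (time.perf_counter() - t0) / (samples * 1000)
    return slow / fast


if __name__ == "__main__":
    db = make_leaked_db(SAMPLE_PASSWORDS)
    found, n = crack_offline(db)
    print("recovered %s after %d guesses" % (found, n))
    print("one PBKDF2 guess costs about %.0f MD5 guesses" % cost_ratio())
```

Two things to notice when running it: the entire three-character keyspace falls in well under a second of single-threaded Python, and because the hashes are unsalted the guess that recovers alice's password recovers carol's for free. A salted, iterated KDF removes both shortcuts, but it only raises the attacker's cost per guess; it does nothing for users whose passwords are short or common, which is the author's point about relying on passwords alone.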

Passwords will probably continue to play an important part in any authentication scheme for the foreseeable future, but our reliance on passwords as the only authentication factor has to end.

True two-factor authentication may help, as may other authentication approaches. The biggest problem with all of them, however, is user acceptance. People are simply not willing to move away from their trusted little password, because it still gives them a (false) sense of security. Carrying tokens (soft tokens or hardware tokens) is inconvenient, and the tokens have to be managed. And no, I really don't have a good solution.

At this point, Identity Federation seems to be an interesting avenue to pursue.

Let's see if we can move away from running an identity provider for each application we use and instead establish only a handful of them. Make sure that authenticating to a federated identity provider is secure (via true two-factor authentication or otherwise) and start leveraging what those providers have in place, so that we can focus on authorization and access control rather than on authentication alone.

As much as I dislike some of the more common identity providers today (Facebook, Google, etc.), those concerns are driven more by privacy than by security.