Passwords are bad. Is it really necessary to restate it? Wired has a very interesting story about the singer of Linkin Park (one of the most interesting bands of recent years IMHO, but that's not important here). Long story short, a hacker guessed one password ("Charlie", not a very strong one) in use in his household and stalked his family for a year. Luckily everything is resolved now, but the conclusion of the article is especially interesting (edited by me for strong language):
Meanwhile, Chester Bennington is grappling with the headaches that increased security brings. His passwords are now long strings of random letters and numbers that he changes frequently. "I keep a list for every different thing, and it drives me out of my f**** mind," he says. "I want to go back." Back to Charlie.
Mr. Bennington, that's called password fatigue. We are well aware of it, and we think we have a good solution: Windows CardSpace. If by any chance you land on this post and want to know more, I will be happy to explain what it is about in detail.
I still don't get it - how do I move my Card from one PC to another? How can I use it from a public PC?
The CardSpace UI allows you to back up your cards in a password-protected file (.CRDS). You can then move that file to the new location (another PC) and reimport the cards, again by using the CardSpace UI.
So I need to carry the file with me somehow. And import it to my profile on another PC??? Sounds like a stupid idea, because I will need to use some PASSWORD to associate the card with my profile on another PC. This will never fly. Tell your marketing people to forget it.
To replace passwords I am supposed to use CardSpace. And before I can use my card I need to login to my PC using some password. Nice replacement!
o3APA3A, here's some food for thought.
The problem with passwords is more complex than the simplistic demonization you seem to suggest. It has to do with the sheer number of passwords you have to manage if it is the only authentication mechanism available on all the websites and services you use; that number is what prevents you from having strong unique passwords for all the sites you use, and what makes it impractical to change them often. It has to do with the frequency with which you use them in shady contexts, creating more and more attack venues; it has to do with the difficulty of trusting an ever-changing credential gathering user experience that is entirely rendered by code that you have no way to trust unless you are an expert in certificates and internet security; it has to do with the impossibility of guaranteeing consistent security assurances across different service providers, and with the impossibility for those providers to use some degree of governance for imposing reasonable security practices. Those are just a few of the reasons for which passwords are not the best technology for authenticating over the internet. OTOH your PC, or the domain of your employer, represent situations in which ownership is clear, who verifies credentials is well known and governance can be applied: you can choose a strong password, and in fact in the case of a domain account you are often forced to. And if you really don't like passwords, you can access your Windows account using a smartcard or similar.
You may have noticed that it is phishing and pharming that are soaring, not improper intranet access. Windows CardSpace deals with the problems of projecting your identity through the internet; it is not a replacement for accessing your machine (even if, in principle, it may do that job too).
About roaming. The password associated with the exported cards is a classic example of blind credentials: it has a short expected life span, it is verified on the local machine, it has a specific purpose. Again, it has very little to do with the more generic problem with passwords. Of course the roaming experience can be better, and it is one of the aspects that is being considered with great attention: I am sure we will do better in the future. This is the v1 of a product that wrestles with many years of bad practices; it could not address everything at once at the same level.
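To make the roaming flow and the "blind credential" point above concrete, here is an added Python illustration (not CardSpace's own code, and not the real .CRDS format): a set of cards is exported to a passphrase-protected blob and imported back, where the passphrase only derives a local wrapping key, is never stored in the file, and a wrong passphrase or a modified file is rejected before any card data is unwrapped. The toy container layout, the card field names and the HMAC-SHA256 counter-mode keystream are assumptions made for this example.

```python
import hashlib
import hmac
import json
import secrets

# Constructed toy container (NOT the real CardSpace .CRDS format):
#   MAGIC | salt(16) | nonce(16) | wrapped JSON body | HMAC tag(32)
MAGIC = b"TOYCARDS1"
ITERATIONS = 200_000
HEADER_LEN = len(MAGIC) + 32  # magic + salt + nonce


def _derive_keys(passphrase: str, salt: bytes) -> tuple[bytes, bytes]:
    # One PBKDF2 run, split into a wrapping key and a MAC key.
    km = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                             ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 used as a PRF in counter mode (illustrative keystream).
    out = bytearray()
    for block, i in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(8, "big"), "sha256").digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)


def export_cards(cards: list[dict], passphrase: str) -> bytes:
    # Fresh salt and nonce per export; the passphrase itself is never written out.
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    wrap_key, mac_key = _derive_keys(passphrase, salt)
    header = MAGIC + salt + nonce
    body = _keystream_xor(wrap_key, nonce, json.dumps(cards).encode())
    tag = hmac.new(mac_key, header + body, "sha256").digest()  # encrypt-then-MAC
    return header + body + tag


def import_cards(blob: bytes, passphrase: str) -> list[dict]:
    # Verification happens locally: the tag must match before anything is unwrapped.
    if not blob.startswith(MAGIC) or len(blob) < HEADER_LEN + 32:
        raise ValueError("not a card export")
    salt, nonce = blob[len(MAGIC):len(MAGIC) + 16], blob[len(MAGIC) + 16:HEADER_LEN]
    body, tag = blob[HEADER_LEN:-32], blob[-32:]
    wrap_key, mac_key = _derive_keys(passphrase, salt)
    expected = hmac.new(mac_key, blob[:-32], "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or file tampered with")
    return json.loads(_keystream_xor(wrap_key, nonce, body))
```

The export passphrase here protects one file on one machine for the duration of the move, which is what distinguishes it from a password used to authenticate to a remote service.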
User experience is the key to success. You are right about security, but people are using things that are convenient, not secure. I would bet on something like Windows Live ID - single password for everything IS convenient (though maybe not that secure)