In a recent research paper, Microsoft principal researcher Cormac Herley asserted that security measures that are being recommended are a waste of time. He argues that security protocols that attempt to protect an individual or organization from the consequences of a security breach often exact a much steeper price—in the form of user effort and time expended.
While everyone knows that “123456” is not a good choice for a password, is it worth the effort to force users to change their passwords? “Most security advice simply offers a poor cost benefit tradeoff to users and is rejected,” said Herley. Following certain password rules “shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.” Herley contends that users who ignore security advice aren’t lazy or stupid; rather, they’re acting rationally. Required security activities are complex, and the benefits are “largely speculative or moot.”
He particularly slams the common requirement that users change passwords at specified intervals. A hacker who steals your password is going to use it right away; he won’t wait two months. “Insisting that users choose a unique strong password for each [account] which they change often and never write down is clearly a large burden.”
The study also says that teaching users to recognize phishing URLs is a losing proposition, not worth the time spent. Herley calculates that a task requiring one minute per day from every working adult in the United States costs about $15.9 billion per year. Unnecessary security advice “treats as free a resource that is actually worth $2.6 billion an hour.”
While he might have a point, don’t go changing all your passwords to “123456” just yet. Using different passwords for different accounts and Web sites really is beneficial, as is using complex, non-guessable passwords. You can cut down on the time and effort required by using a password manager and letting it generate strong passwords for you.
Blaine, thanks for the comment. This idea certainly goes against the industry push to make it all so complicated. Complexity is the enemy of security.
Just FYI… Really have been impressed with Lastpass.com solution so far… It will generate really strong passwords, will take note if you change a password and re-record or even generate a new one for you… works on multiple computers, browsers, and platforms, and even form fills better than anything I have seen. It’s not perfect, but it beats the other things I have looked at.
I agree with your article… password fatigue, and the extra time it takes to use and enforce security policies are mostly useless… very low ROI… and password management is the only way I can see to make sense of it… without an effective tool it consumes too much time and resources. It’s like paying for insurance and never using it…
Thanks,
Blaine Means
Information Systems Coordinator