Business Brains

Another view: strong passwords aren't worth the effort


Microsoft researcher says the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code.

It's common sense that strong passwords and awareness of malicious URLs are the best line of defense for applications and data. However, one IT researcher has done a cost/benefit analysis of such efforts and questions whether the costs of strong password management outweigh the benefits.


That's the gist of a recent study by Microsoft researcher Cormac Herley, who questions the advantages of strong password rules, which "shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort."

Neil Rubenking, who surfaced Herley's paper on his blog, provides a synopsis of Herley's logic: that "users who ignore security advice aren't lazy or stupid; rather they're acting rationally. The advice is complex, and the benefits are 'largely speculative or moot.'"

Time is what is at issue in most security incidents, Herley reasons. The bottom line is that the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code. As Herley explains:

"We need better understanding of the actual harms endured by users. There has been insufficient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them."

Herley also points out that while "user education is a cost borne by the whole population," the benefits may only be seen by the small percentage of users that fall victim to security attacks. "The cost of any security advice should be in proportion to the victimization rate," he says.

Rubenking also points to another piece of Herley's analysis, which finds that teaching users to recognize phishing URLs is a losing proposition, not worth the time spent. "Herley calculates that a task requiring one minute per day from every working adult in the U.S. costs about $15.9 billion per year. Unnecessary security advice 'treats as free a resource that is actually worth $2.6 billion an hour.'"

Rubenking says, however, that complex, non-guessable passwords are still an important security protocol that needs to be kept in place. He recommends automating the process as much as possible for end users with a password manager that generates strong passwords.

In the words of Herley:

"Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain."

Is the time and cost of requiring everyone to address security protocols worth the potential time and cost saved among users who need to get back to work after an incident?
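Herley's test, as quoted above, is that the yearly cost of advice imposed on everyone must not exceed the harm suffered by the fraction who actually become victims. The script below is an added example (not from the article or from Herley's paper) that encodes that comparison using the figures the article quotes ($2.6 billion per hour of the working population's time, 0.01% victimization); the count of working adults (150 million) and the per-victim harm values are constructed assumptions.

```python
# Added example: Herley's cost/benefit test for blanket security advice.
# Figures from the article: the working population's time is worth about
# $2.6 billion per hour, and the quoted example uses a 0.01% victimization rate.
# Constructed assumptions: 150 million working adults, per-victim harm values.

POPULATION_HOURLY_VALUE_USD = 2.6e9   # article: one hour of every working adult's time
WORKING_ADULTS = 150_000_000          # constructed assumption, not from the article
DAYS_PER_YEAR = 365


def annual_advice_cost(minutes_per_day: float) -> float:
    """Yearly cost of a task every working adult performs daily.

    For one minute per day this lands close to the article's $15.9 billion
    (rounding differences aside)."""
    return POPULATION_HOURLY_VALUE_USD * (minutes_per_day / 60.0) * DAYS_PER_YEAR


def benefit_upper_bound(victimization_rate: float, harm_per_victim_usd: float,
                        working_adults: int = WORKING_ADULTS) -> float:
    """Herley's ceiling on benefit: total harm borne by the fraction victimized
    in a year. Advice can prevent at most this much, never more."""
    return victimization_rate * working_adults * harm_per_victim_usd


def advice_is_worthwhile(minutes_per_day: float, victimization_rate: float,
                         harm_per_victim_usd: float) -> bool:
    """True only if the best-case benefit at least covers the population-wide cost."""
    return benefit_upper_bound(victimization_rate, harm_per_victim_usd) >= \
        annual_advice_cost(minutes_per_day)


def break_even_harm(minutes_per_day: float, victimization_rate: float,
                    working_adults: int = WORKING_ADULTS) -> float:
    """Per-victim harm at which the advice just pays for itself."""
    return annual_advice_cost(minutes_per_day) / (victimization_rate * working_adults)


def affordable_minutes_per_day(victimization_rate: float, harm_per_victim_usd: float) -> float:
    """Largest daily time burden the victims' total harm could justify
    (Herley: cost should be in proportion to the victimization rate)."""
    cost_per_daily_minute = annual_advice_cost(1.0)
    return benefit_upper_bound(victimization_rate, harm_per_victim_usd) / cost_per_daily_minute


if __name__ == "__main__":
    rate, harm = 0.0001, 500.0   # 0.01% of users, $500 "modest annual pain" (constructed)
    print(f"cost of 1 min/day:   ${annual_advice_cost(1.0):,.0f}/year")
    print(f"benefit upper bound: ${benefit_upper_bound(rate, harm):,.0f}/year")
    print(f"worthwhile?          {advice_is_worthwhile(1.0, rate, harm)}")
    print(f"break-even harm:     ${break_even_harm(1.0, rate):,.0f} per victim")
    print(f"affordable burden:   {affordable_minutes_per_day(rate, harm) * 60:.3f} s/day")
```

Under these assumptions the break-even point is over a million dollars of harm per victim, and a $500 harm justifies well under a second of daily effort across the population.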


Joe McKendrick

Contributing Editor

Joe McKendrick is an independent analyst who tracks the impact of information technology on management and markets. He is a co-author of the SOA Manifesto and has written for Forbes, ZDNet and Database Trends & Applications. He holds a degree from Temple University. He is based in Pennsylvania.