By John Dodge
Posting in Education
A study from Microsoft suggests that the collective time we put into passwords and other aspects of computer security isn't worth it.
Much of the computer security advice we get from banks, browsers and password-protected web sites is a waste of the user's time.
Last year, Microsoft researcher Cormac Herley confirmed what many of us already knew or suspected: managing dozens of passwords is a colossal pain and of dubious benefit. Do I feel more secure that my bank knows the name of my first dog? Not really.
Herley is not casting all security advice to the wind, but questions the value of all the time we collectively put into it. From his report:
"Users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right."
What Herley figured out is that the value of the time users spend managing passwords, SSL certificate warnings (Secure Sockets Layer, which encrypts data between the web server and your browser) and phishing site identification is far greater than the damage done by computer criminals. He describes the benefit from user education as "speculative and moot."
His findings defy conventional wisdom that you can't pay too much attention to computer security. The basis for his findings is that our time isn't free: indeed, he figured out that the time of 180 million adults online in the U.S. is worth about $2.6 billion an hour, far, far exceeding the losses from spam and phishing attacks.
"We find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population...," he wrote.
Over the years, computer security has irritated me. At one job, I was required to change my password every three months and if I didn't after repeated and annoying warnings, I was not permitted to send e-mails. How dumb is that? Ironically, this is a setting in Microsoft Exchange.
I simply used the same word and added 1, 2, 3 and so forth to them every three months. That way, I could easily change and remember them.
The report didn't directly address virus checkers which we blindly re-up for every year, but it reminded me of a story idea I discussed with an editor about 10 years ago. We posited that somehow the developers of viruses were in cahoots with the companies that wrote the software to protect us from them.
Alas, it would have been an extremely difficult hypothesis to prove. Maybe there was a tad too much conspiracy tied up in the idea.
For more perspective on Herley's conclusions, check out IT professional Michael Kassner's blog post on TechRepublic (a sister site to SmartPlanet.com) and a story in yesterday's Boston Sunday Globe. Beware, Herley's report will take you a solid hour to read and digest.
Apr 12, 2010
To create a secure password that is easy for you to remember, follow these simple steps:
1. Do not use personal information. You should never use personal information as a part of your password. It is very easy for someone to guess things like your last name, pet's name, child's birth date and other similar details.
2. Do not use real words. There are tools available to help attackers guess your password. With today's computing power, it doesn't take long to try every word in the dictionary and find your password, so it is best if you do not use real words for your password.
3. Mix different character types. You can make a password much more secure by mixing different types of characters. Use some uppercase letters along with lowercase letters, numbers and even special characters such as '&' or '%'.
4. Use a passphrase. Rather than trying to remember a password created using various character types which is also not a word from the dictionary, you can use a passphrase. Think up a sentence or a line from a song or poem that you like and create a password using the first letter from each word.
Peddu Hostcats.com
I vote for a garbage string changes every day or thereabouts and that's super easy to use. I've tried some of the one password-fits-all and found them a big pain.
I use the same simple password for all sites nobody (hopefully) would bother to hack (newsgroups etc) and more complex individual ones for sites that I definitely don't want people to access - internet banking etc. All are saved in a vault which now has over 200 entries. My only worry is that someone might hack the vault. Then I'd be in trouble.
Or of changing passwords at all? It seems to me that the best approach is to have a different (computer-generated, garbage-string) password for each site, which requires a password vault program to look up each site's password. If there is someone stealing passwords at a site you use, individual passwords for each site will limit that damage. But once set up, why change passwords? If your computer has downloaded a key tracer that can report your old password to the bad guys, it will surely report the new password too.
If I was the type that really wanted all your passwords - I would write the most user friendly password vault program that could be written. And then post it to all the free software sites.
Years ago, before the internet became part of our lives but after PCs became common, the greatest virus threat came from floppy disks. There was a saying that every time you slipped a CD (remember 5-1/4 and 3-1/2 inch floppies?) into your computer's drive slot, your 'puter had "slept with" every other computer that same disk was in, and in turn every other computer those computers slept with. In discussions with my fellow workers, I once opined that viruses were a conspiracy on the part of software vendors to discourage software piracy. I.e., someone's offer of a free copy of Word Perfect might contain a virus which will wipe out your hard drive, so the only way to prevent that was to buy software (at full price) from your local computer hardware/software retailer. I was told then, and this point could still be argued today, that viruses are more likely a conspiracy by antivirus software vendors -- as Messrs. Dodge and Blankenhorn suggest.