Another view: strong passwords aren't worth the effort

Summary:Microsoft researcher says the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code.

It's common sense that strong passwords and awareness of malicious URLs are the best line of defense for applications and data. However, one IT researcher has done a cost/benefit analysis of such efforts, and questions whether the costs of strong password management outweighs the benefits.

Credit: James Martin/CNET News)

That's the gist of a recent study by Microsoft researcher Cormac Herley, who questions the advantages of strong password rules, which "shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort."

Niel Rubenking, who surfaced Herley's paper on his blogsite, provides a synopsis of Herley's logic: that "users who ignore security advice aren't lazy or stupid; rather they're acting rationally. The advice is complex, and the benefits are 'largely speculative or moot.'"

Time is what is at issue with most security incidents, Herley reasons. The bottom line is the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code. As Herley explains:

"We need better understanding of the actual harms endured by users. There has been insufficient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them."

Herley also points out that while "user education is a cost borne by the whole population," the benefits may only be seen by the small percentage of users that fall victim to security attacks. "The cost of any security advice should be in proportion to the victimization rate," he says.

Rubenking also points to another piece of Herley's analysis, which finds that teaching users to recognize phishing URLs is a losing proposition, not worth the time spent. "Herley calculates that a task requiring one minute per day from every working adult in the U.S. costs about $15.9 billion per year. Unnecessary security advice 'treats as free a resource that is actually worth $2.6 billion an hour.'"

Rubenking says, however, that complex, non-guessable passwords are still an important security protocol that needs to be kept in place. He recommends automating the process as much as possible for end users with a password manager that generates strong passwords.

In the words of Herley:

"Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain."

Is the time and cost of requiring everyone to address security protocols worth the potential time and cost saved among users who need to get back to work after an incident?

This post was originally published on Smartplanet.com

Topics: Innovation

About

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets. Joe is co-author, along with 16 leading industry leaders and thinkers, of the SOA Manifesto, which outlines the values and guiding principles of service orientation. He speaks frequently on cloud, SOA, data, and... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.