
Passwords, security protocols cost more than they save, says Microsoft researcher

By Joe McKendrick | April 16, 2010, 8:12am PDT

Summary: In a cost/benefit analysis, a researcher says the amount of time users are tied up with security protocols may outweigh time saved in stopping malicious hacks and code.

It’s common sense that strong passwords and awareness of malicious URLs are the best line of defense for applications and data. However, one IT researcher has done a cost/benefit analysis of such efforts and questions whether the costs of strong password management outweigh the benefits.

Credit: James Martin/CNET News

That’s the gist of a recent study by Microsoft researcher Cormac Herley that’s been roiling across the blogosphere in recent weeks. Herley questions the advantages of strong password rules, which “shields [users] from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.”

He applied a cold, hard cost/benefit analysis to password and other security protocols, and determined that having end-users spend time fussing with these protocols is not a rational act in strict economic terms. That’s because requiring each and every user to spend x amount of time creating strong passwords and being trained to avoid malicious websites may, in the end, cost far more than the time and money saved by preventing a security incident.

“In trying to defend everything, we end up defending nothing,” Herley warns.

Time is what is at issue in most security incidents, Herley reasons. The bottom line: the amount of time users are tied up with security protocols may outweigh any time saved by stopping malicious hacks and code. As Herley explains:

“We need better understanding of the actual harms endured by users. There has been insufficient attention to the fact that it is mainly time, and not money, that users risk losing when attacked. It is also time that security advice asks of them.”

Herley also points out that while “user education is a cost borne by the whole population,” the benefits may only be seen by the small percentage of users who fall victim to security attacks. “The cost of any security advice should be in proportion to the victimization rate,” he says. For example, the cost of having all working adults spend one minute a day fussing with security protocols adds up to about $15.9 billion a year. This may exceed the money saved for the small percentage that are impacted by security events.

In the words of Herley:

“Security advice is a daily burden, applied to the whole population, while an upper bound on the benefit is the harm suffered by the fraction that become victims annually. When that fraction is small, designing security advice that is beneficial is very hard. For example, it makes little sense to burden all users with a daily task to spare 0.01% of them a modest annual pain.”
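As an added worked example (not from the article or from Herley's paper), this Python script implements the population-cost versus victim-harm bound just quoted. It assumes 180 million users and time valued at $14.50 per hour; the article does not state these inputs, but they reproduce its $15.9 billion figure.

```python
"""Herley-style cost/benefit bound for blanket security advice.

Added illustration, not code from the article or from Herley's paper.
Assumptions the page does not state: 180 million users, and a user's
time valued at $14.50 per hour. With those inputs the one-minute-a-day
cost comes out at the article's $15.9 billion per year.
"""
from dataclasses import dataclass

USERS = 180_000_000        # assumed population covered by the advice
HOURLY_VALUE = 14.50       # assumed value of one hour of user time, in $
DAYS_PER_YEAR = 365        # advice is a daily burden


@dataclass(frozen=True)
class Advice:
    """One piece of security advice, applied to every user every day."""
    name: str
    minutes_per_day: float   # effort each user spends because of it
    victim_rate: float       # fraction of users who would be victims in a year
    harm_per_victim: float   # $-equivalent harm (time or money) per victim


def annual_cost(a: Advice, users: int = USERS, hourly: float = HOURLY_VALUE) -> float:
    """Cost side: the whole population pays, every day of the year."""
    hours = users * a.minutes_per_day * DAYS_PER_YEAR / 60
    return hours * hourly


def annual_benefit_bound(a: Advice, users: int = USERS) -> float:
    """Benefit side, as an upper bound: at most the harm the victims suffer.

    The true benefit is lower still, because following the advice rarely
    prevents every incident it targets."""
    return users * a.victim_rate * a.harm_per_victim


def break_even_harm(a: Advice, users: int = USERS, hourly: float = HOURLY_VALUE) -> float:
    """Harm each victim would have to suffer for the advice to pay for itself."""
    return annual_cost(a, users, hourly) / (users * a.victim_rate)


def is_worthwhile(a: Advice, users: int = USERS, hourly: float = HOURLY_VALUE) -> bool:
    """Advice passes the bound only if even the optimistic benefit covers the cost."""
    return annual_benefit_bound(a, users) >= annual_cost(a, users, hourly)


# Constructed scenario matching the article: one minute a day for everyone,
# to spare 0.01% of users a "modest annual pain" valued here at $1,000.
ONE_MINUTE = Advice("one minute a day", minutes_per_day=1.0,
                    victim_rate=0.0001, harm_per_victim=1_000.0)


def main() -> None:
    scenarios = (ONE_MINUTE,
                 Advice("same advice, $1M harm per victim", 1.0, 0.0001, 1_000_000.0))
    for advice in scenarios:
        print(f"{advice.name}:")
        print(f"  population cost      ${annual_cost(advice) / 1e9:6.2f} billion/year")
        print(f"  benefit upper bound  ${annual_benefit_bound(advice) / 1e9:6.2f} billion/year")
        print(f"  break-even harm      ${break_even_harm(advice):,.0f} per victim")
        print(f"  worthwhile?          {is_worthwhile(advice)}")


if __name__ == "__main__":
    main()
```

With the article's 0.01% victimization rate, each victim would have to lose about $882,000 a year in time or money before a one-minute daily burden on everyone breaks even.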

Nevertheless, security experts say there’s no reason to shy away from robust security protocols in this day and age. Neil Rubenking, who surfaced Herley’s paper on his blog, advises companies and end users to stick to strong password creation and security awareness. Complex, non-guessable passwords are still an important security protocol that needs to be kept in place. He recommends automating the process as much as possible for end users with a password manager that generates strong passwords.

This is where service-oriented architecture (SOA) helps as well. Single sign-on and federated identity, for example, will save a lot of the time and cost for enterprise end-users who access multiple services or applications across networks. In addition, a security services layer as part of SOA will ensure a consistent, highly automated process embedded behind the scenes. This may not protect users accessing sites on the open Web, however, and this is where the benefits of training and vigilance need to be weighed.

Is the time and cost of requiring everyone to address security protocols worth the potential time and cost saved among users who need to get back to work after an incident?


Joe McKendrick is an author, consultant and speaker specializing in trends and developments shaping the technology industry.

Biography

Joe McKendrick is an author and independent analyst who tracks the impact of information technology on management and markets. Joe is co-author, along with 16 leading industry leaders and thinkers, of the SOA Manifesto, which outlines the values and guiding principles of service orientation. He also speaks frequently on Enterprise 2.0 and SOA topics at industry events and Webcasts, and serves on the program committee for this year's SOA & Cloud Symposium in London. As an independent analyst, he has also authored numerous research reports in partnership with Unisphere Research, a division of Information Today, Inc. for user groups such as SHARE, Oracle Applications Users Group, and International DB2 Users Group. In a previous life, Joe served as director of the Administrative Management Society (AMS), an international professional association dedicated to advancing knowledge within the IT and business management fields. He is a graduate of Temple University.

33 Comments


Sticky Password
mikin 8th Jun 2010
Sticky Password is the best solution for storing and managing passwords.
0 Votes
+ -
One example is anti-virus software. In all my career I have wasted much more time due to problems caused by anti-virus software than due to viruses.
With passwords deal is similar. When different and complicated passwords are needed in 10 places guess what happens? All passwords then are the same or they are all on the piece of paper taped to the monitor.
0 Votes
+ -
Maybe it's because
rarsa 16th Apr 2010
Maybe the time you've spent with anti-virus accounts for the little time you've spent dealing with virus infections.

I cannot avoid throwing the trolling line: I avoid both by using Linux (whether it is because it is safer or less targeted, I don't care).
0 Votes
+ -
I don't use anti-virus either
drobinow 17th Apr 2010
and I use Windows. Since 1995. No viruses. People waste way too much time worrying about this stuff.
Time lost due to logging in with passwords is minor here at our work. With 10+ year old machines, it takes longer to get to the log-on screen than to type in their password. Plus, we are a small business; it would only take one or two security breaches to hurt or put us out of business.

I look at it like this: you pay car/home insurance every year, then hope you never need to use it.
much like the costs of maintaining police/courts/jails outweigh the inconvenience to the small number of victims of crime. The analogies can go on and on.
0 Votes
+ -
I'm slow today
rarsa 16th Apr 2010
The main argument plus your analogy can be read both ways.

I read it as "If security measures were more lax, the cost of attacks would increase"

"If police/courts/jails (or even better, social services) costs go down, then the cost of crime would go up".

Is that what you mean as being analogous?
0 Votes
+ -
Security Cost Estimates are Bogus
kenneth.kelley@... 16th Apr 2010
Bogus, because they wrongly assume that the workers would be "producing" something else with the time spent on security. Most knowledge workers have a great deal of flexibility in how they employ their time - and usually the work expands to fill the available time!
I suspect that very few passwords are guessed or broken via a dictionary-based attack. None of the sites I use passwords at allow more than a few attempts before shutting down, making the likelihood of guessing even a random word infinitesimal. The rationale for using complex passwords in most cases is simply not valid. I suspect most passwords are stolen, not guessed, and the use of super-complex ones probably makes theft easier because of the need for the user to record them.
0 Votes
+ -
Automatic cracking is a fact.
clareJ 20th Apr 2010
Some of my customers had simple passwords for logins to their servers. When a PC becomes infected behind the firewall the malware has forever to crack the password. But when we switch to 8 character + random passwords the password is not cracked in the time that it takes to discover and purge the malware on the pc.

The more difficult password buys time.
0 Votes
+ -
Passwords, protocols cost
bobruss1@... 16th Apr 2010
Complexity and requirements to change passwords frequently are ridiculous when the cost of reacquiring access to most sites is considered. I have several accounts that are accessed only every six months or so, and the odds of them losing my password by changing it seem very high. When that happens, it is assumed that I have forgotten my password or my user name. In fact, I have to resort to maintaining an Excel list in order to keep track, and that defeats the whole business, according to the security gurus.
0 Votes
+ -
Password tip
rarsa 16th Apr 2010
Most people confuse "complex passwords for the attacker" with "complex passwords in general".

My passwords are very complex, but at the same time very easy for me to remember. Even the ones that have to cycle.

Phrases with upper/lower case combinations and numbers in between following a pattern known to you.

e.g.
Movie titles, Book titles, Grocery stores, song lyrics, with predefined "typos"

How easy do you think is remembering:

"Snow White and d 7 Dwarfs"

How difficult do you think it would be cracking it?
0 Votes
+ -
Re:Password tip
ke6gwf 16th Apr 2010
I agree with your password creation tip! Easy to remember but "impossible" to guess or brute-force.

I have used similar passwords for years, keeping them at the minimum allowed length, and rotating through about 4 (plus rolling up as PW length increased). Those 4 are based on the same root, just different combinations of misspellings. This way if I forget which one I used for a site, I only have a few to try... I don't have to write them down, so I am secure that way.

Oh, and I don't use anything that would be connected to me. For 4 digit PINs I will use an unlisted phone number for a friend.
0 Votes
+ -
You work too hard.
drobinow 17th Apr 2010
The mere fact that you have a friend with an unlisted number tells a lot.
0 Votes
+ -
Multiple sites
rarsa 16th Apr 2010
Oh, and don't repeat passwords across sites. It is also better to have a theme that may be related to the site.

Following my previous post

7 maiL DwarfS ---> for your email site
7 friendS DwarfS --> For your Facebook.

etc.

Same theme, easy to remember, difficult to guess or crack.
0 Votes
+ -
Ya think...
Bruizer 16th Apr 2010
My favorite is from the company I just finished a contract with.

Your primary domain password (yes, each tool set also had a unique password) was the worst.

1) Updated every 4 weeks.
2) Could not be in a standard dictionary of passwords.
3) Could not have been used in the previous 12 months.
4) It did sub-word searches such that "TomSmith01" and "TomSmith02", "tomsmith32" and "smithtom14" would be seen as repeating a previous password.
5) 8 characters minimum.
6) At least 1 number.
7) At least 1 upper case character.
8) At least one lower case character.

Few people could end up remembering their passwords, so about 1/3 of the desks had, somewhere, a yellow sticky with the passwords on them.

Yep. Secure. Leave it to IT to be clueless.
0 Votes
+ -
Again
rarsa 16th Apr 2010
13 songs, 13 car brands, 13 book titles. Hey, that's 3 years of passwords for you.

As long as you don't tell anyone what the theme for the year is, you are covered.

Not rocket science.
  • 10 character minimum
  • Mix upper case, lower case, number or symbol
  • Can't reuse last 10 passwords
  • Change every 90 days
  • Changing password before 88 days requires IT dept
  • 3 wrong passwords permanently locks account (call IT to unlock)

To make it easy to remember create a pair of words and throw one or more numbers or symbols into the mix.

That isn't hard to remember, especially since it's the only password they have to remember. It's absolutely proof against dictionary attacks, and as a bonus it alerts us if anybody is trying a dictionary attack.

Do people complain about passwords? Yep, but in our business if a data breach occurs someone could get killed (literally) so the bottom line is nobody gets out of doing it, and they get reminded why they're doing it if they complain.

Once you've done it for a year it becomes second nature anyway.

Anybody who constawhines about how hard it is to make strong passwords doesn't need to have a computer. Because they're lazy, inconsiderate fools who might get somebody killed--and that somebody might be *me*.

Your company might not have the same security needs we do, but you don't have to change passwords daily, or use 50 character randomized strings that require a computer token to have good strong password defenses.

There's a difference between doing security *right* and being stupid, either completely lax or insanely complicated.

Learn to do it right, or suffer the consequences. Your choice.
This comes from the company that kept the LMHASH around for years.....

Microsoft has always avoided security. Mostly because they have no idea how to implement it right.
One of the biggest wastes of time when compared to the security benefits is the requirement to change passwords every few weeks/months.

That's like changing the lock on your house every month in case somebody steals your keys. If they steal your keys, they are going to use them right away!

If you are in a job where there are people trying to get changing information, then maybe frequent changes might be a good idea because they might be logging in periodically to spy. But log-in monitoring would be a better solution there, since it can catch them instead of just trying to blindly slow them down. Also, if they got one password, either you aren't choosing good passwords, or they have another way to get them (like reading the yellow sticky on your monitor since you have to change 10 passwords each month, and they have to be totally random).

For most people, a successful hack is going to be quickly obvious, so random PW changing is just a waste of time, and reduces the security if they have to write it down.

Choose easy-for-*you*-to-remember passwords, use at least 3 (one for easy to hack sites, or un-trustworthy sites - Facebook, Yahoo, etc., and then a couple for your banking and important secure sites. A couple (or one for each) so that if one is compromised, they don't have access into everything).

If you have so many passwords that you have to write them down somewhere other than inside a safe, you are asking for a robber or co-worker to take *all* your passwords, and that is more likely to happen than a brute-force on your weak password.
Seems like another microsoft attempt to justify their failed single-sign-on service.

Strong passwords are the way to go (as long as you are not required to change them all the time)! Crackers cannot guess strong passwords! This is just too simple; "security experts" are afraid of losing their jobs or that no one will buy their products!

To say that strong passwords are not important is idiotic! If you don't promote strong passwords as a good practice, you might as well open up your system, because every cracker will be living in your system anyway.
0 Votes
+ -
Crackers do not guess
maxhyde 16th Apr 2010
They crack. ALL passwords can be discovered, which is why you change them. More often is better.
0 Votes
+ -
Have read several articles in recent times (over the last 12 months) that have all come to similar conclusions; seriously questioning the added effectiveness of longer and more complex passwords. As has been pointed out above, passwords are rarely guessed/cracked, but are most commonly stolen, either physically/locally or by use of key-stroke loggers.
0 Votes
+ -
cost more than they save?
dabruro 16th Apr 2010
When it comes to current security measures, how do they know how much "they save"? The only way to find out is to stop the security measures and see how much impact they were saving us from. Sure, security incidents don't cost us much now, but that's because we *are* using those security measures!
0 Votes
+ -
pA5s\/\/0rd$ @Re |)ifFi(u1t (nt)
Agnostic_OS 16th Apr 2010
nt
0 Votes
+ -
Faulty assumption
kidtree 16th Apr 2010
The researcher seems to draw his conclusion based on an assumption that the effort bad guys will concentrate on given targets will remain constant, regardless of how well those targets are protected.
Imagine building a new town and advertising that homes there will cost less, because none of them will have locks, and no taxes will be wasted on a police force or community crime-prevention programs.
While you're at it, build it right next to Fort Knox to see which location attracts more burglary attempts.
0 Votes
+ -
Faulty assumption No. 2
overnout 16th Apr 2010
Leave it to an "efficiency" wonk to come up with a statement like this:
“There has been insufficient attention to the fact that it is mainly time, and not money, that users risk losing when attacked.”

There is, potentially, no limit to the damage a security breach can wreak.
If a nasty competitor steals your company's product-development info and either rushes to spoil the market or disrupts your supply line, what dollar value or time expense are you going to compute for the lost opportunity?
If a terrorist group or antagonist foreign power gets hold of critical technology in your domain, how exactly are you going to compute the time-cost there?
If a gang of school-mate bullies breaks into your daughter's or your son's (or your sister's or brother's) email/social-networking accounts and starts a coordinated attack of psychological abuse, will you spend even a fraction of a second thinking about either time or money?
Passwords are not the be-all and end-all of security, and people have commented here in lots of sensible ways about password use and management, but all such discussion pales in contrast to this researcher's bogus assumption. In fact, if such considerations were more mainstream, Apple could gloriously spoof this Microsoft study in one of their I'm a PC ads. And I'm not an Apple fan. But Hodgman could do this brilliantly.
Then again, Apple's been pretty averse to even recognizing security issues.
Hodgman should just do it on the Daily Show.
A Monty Python skit would have been best.
0 Votes
+ -
The researcher was not suggesting that users/companies abandon security protocols and good practice; rather he was making a comparison between the extra time required by overly complex security methodology and the time/cost incurred by lax security measures. If you cool your head for a second, it may be possible for you to see his points from another angle.

As has been previously highlighted, some businesses require users to log into multiple applications, each requiring different PW's, each requiring a new PW every few months. My wife worked in telephone banking for nearly seven years; she had to remember 10 different PW's which changed every 3 months. She ended up doing what most employees did... she wrote them down! Now of course, there is a safer way of doing this; you can use a portable version of TrueCrypt to create a locked/password-protected volume on the same flash drive... but that still leaves one open to a keystroke logger.

One could look at the results concluded by the researcher more in this light; if the security protocols in place are more time/cost consuming than that which would arise from the types of attacks they are intended to prevent, then said user/company would be wise to look at making their security protocols and procedures less complicated and more automated and streamlined. If PW requirements are so complex and ever-changing that users are as a result recording them (or saving to their browser profiles), then systems need to be re-evaluated.

All-in-all, some food for thought.
0 Votes
+ -
even so...
overnout 17th Apr 2010
I may have gone a little over the top, but I reread the article and I find it still comes down to the same faulty assumption. The problems related to overly complex procedures are simply problems of implementation and would normally be couched in terms much different than those chosen by this researcher. Complex, disruptive procedures, more than simply an excess of effort in some concocted balance of theoretical costs, can actually constitute a weakness in security--as many here, including yourself, have pointed out.
I have a gazillion passwords (ok, hundreds), all different, of varying levels of complexity, and a smattering of password "themes" that I recycle. Regardless, I've been keeping and maintaining them all for years in an encrypted database (which needs a master password that is written down nowhere) on a PDA (which also requires a password). No sticky notes. No text file or spreadsheet. It's always close by, always backed up, and easy enough to access. I think I've got the pranksters, the curious, the script kiddies and the run-of-the-mill thieves pretty much covered. It all depends on the importance of what you're safeguarding (which one can't always measure in time or money). It's not something you can be absolutely certain about, but I don't plan on being of interest to the kinds of organizations and criminals that can easily break my system.
Banks have had a hard time getting things right. I can only imagine the pain your wife and bank staff must go through; it's been hard enough with us clients--and it's not the most bothersome that feel the most secure. But that's another story...
0 Votes
+ -
Check out your own faulty assumptions
Frumptious 18th Apr 2010
The article is talking about consumers not people protecting company secrets. A main point he makes is that consumers are protected 100% against fraudulent bank transfers.

Yes, terrorists going after my facebook page: that's a possibility. I'll just take my chances and see what happens.
0 Votes
+ -
Not the only criterion
ksarkies@... 19th Apr 2010
Does the cost-benefit analysis take into account the future growth of malware that would likely happen if people stopped taking trouble over security? Money is not the only criterion to apply here. Not bothering to take trouble over security would be like a country not bothering to invest in a defence force because the cost exceeds the benefit of retaining their freedom.
0 Votes
+ -
Even ONE data breach COST is too HIGH
hsec2@... 19th Apr 2010
Many businesses store people's personal info, i.e. SS#, birthdate, home address, etc. If even ONE breach occurs and that data is taken, the price of NOT having security protocols in place is TOO HIGH.

From someone who works in a business that stores such data. Security here is multi-level and easy to maintain.
0 Votes
+ -
4x the effort, but...
Yargh 20th Apr 2010
It hardly takes any effort at all to enter a password. For most people that constantly do computerized work, passwords are second nature.
0 Votes
+ -