Overdosing on computer passwords and security

A study from Microsoft suggests that the collective time we put into passwords and other aspects of computer security isn't worth it.
Written by John Dodge, Contributor

Much of the computer security advice we get from banks, browsers and password-protected web sites is a waste of the user's time.

Last year, Microsoft researcher Cormac Herley confirmed what many of us already knew or suspected: managing dozens of passwords is a colossal pain and of dubious benefit. Do I feel more secure that my bank knows the name of my first dog? Not really.


Herley is not casting all security advice to the wind, but questions the value of all the time we collectively put into it. From his report:

"Users are never offered security, either on its own or as an alternative to anything else. They are offered long, complex and growing sets of advice, mandates, policy updates and tips. These sometimes carry vague and tentative suggestions of reduced risk, never security. We have shown that much of this advice does nothing to make users more secure, and some of it is harmful in its own right."

What Herley figured out is that the value of the time users spend managing passwords, SSL certificate warnings (SSL, or Secure Sockets Layer, encrypts data between a web server and your browser) and identifying phishing sites is far greater than the damage done by computer criminals. He describes the benefit from user education as "speculative and moot."

His findings defy conventional wisdom that you can't pay too much attention to computer security. The basis for his findings is that our time isn't free: indeed, he figured out that the time of 180 million adults online in the U.S. is worth about $2.6 billion an hour, far, far exceeding the losses from spam and phishing attacks.

"We find that most security advice simply offers a poor cost-benefit tradeoff to users and is rejected. Security advice is a daily burden, applied to the whole population...," he wrote.

Over the years, computer security has irritated me. At one job, I was required to change my password every three months, and if I didn't after repeated and annoying warnings, I was not permitted to send e-mails. How dumb is that? Ironically, this is a setting in Microsoft Exchange.

I simply used the same word and added 1, 2, 3 and so forth to it every three months. That way, I could easily change and remember my passwords.

The report didn't directly address virus checkers which we blindly re-up for every year, but it reminded me of a story idea I discussed with an editor about 10 years ago. We posited that somehow the developers of viruses were in cahoots with the companies that wrote the software to protect us from them.

Alas, it would have been an extremely difficult hypothesis to prove. Maybe there was a tad too much conspiracy tied up in the idea.

For more perspective on Herley's conclusions, check out IT professional Michael Kassner's blog post on TechRepublic (a sister site to SmartPlanet.com) and a story in yesterday's Boston Sunday Globe. Beware, Herley's report will take you a solid hour to read and digest.


This post was originally published on Smartplanet.com
