Opinion

Bob Bragdon

Are Passwords a Waste of Time?

By Bob Bragdon Wed, Jun 16, 2010

Bob Bragdon is publisher of CSO (Chief Security Officer) Magazine, the world’s leading resource for security executives. He manages the full CSO product line, including CSOonline.com, CSO Magazine, CSO Research and CSO Events.

I apologize up front for jumping into this debate, but I couldn’t resist. Not a week goes by, or so it seems, without some newspaper, magazine or TV show (apologies to my media brethren) lambasting security and IT professionals because they force unnecessary security controls on the poor, downtrodden consumer or worker. It’s as if your security requirements are designed to make everyone’s life miserable with little or no benefit. You evil CSOs! My heart bleeds for the poor peasants whom you oppress.

Two months ago, for example, the Boston Globe examined a Microsoft Research study that concluded, according to the article, that “many of these irritating security measures are a waste of time.”

I can certainly relate to that. I’m annoyed every time I need to enter my 15-character complex password, which I must do several times a day in the office and even more often when I’m traveling. I’m annoyed every 90 days when I have to come up with a new complex password that can’t be the same as one I’ve used any time in the past 20 years.

But I also recognize that simple passwords--pet’s names, children’s names, and so on--are easily broken. And I realize that there are other sides to this argument.

When we discuss whether security measures are worthwhile or not, we need to consider the point of view from which we examine the issue. Often it’s the user’s point of view, so the focus is on all the time they spend entering long passwords or navigating security controls, which results in millions of hours of lost productivity. I buy that.

What I don’t buy is that most workers would be significantly more productive if freed from these controls. End users, whether bank customers or your own employees, are by far the weakest link in the security chain. Let’s not kid ourselves: Security controls are more about protecting the business than the individuals themselves. I can already hear the outcry that would arise if a company opted to use simple passwords and ultimately had a data breach (safe bet).

The lawyers, as they filed their class-action lawsuits, would be asking why complex passwords weren’t required. The media (with all due deference) would paint a picture of an uncaring corporate behemoth. Shame on the CEO.

Please, give me a break. This argument isn’t about the cost-benefit trade-off of time versus security. It isn’t about the end user’s productivity or inconvenience. It’s about protecting the business’s reputation and reducing risk.

I give Cormac Herley, the Microsoft researcher who conducted this study (An excerpt from the ‘Boston Globe’ article says: ‘The study was first presented by Herley at a security workshop at Oxford University last Fall. In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year.

Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high hurdle to clear.’)

By the way, the headline for the Globe article was “Please do not change your password. You were right: It’s a waste of your time. A study says much computer security advice is not worth following.”

Enough said?
