Curiosity drives me to answer this question not only for myself but also for my aunt, a retired colonel in the US Army, who was asking me this just the other day. I thought it would be good for me to do some investigating and find out whether someone out there might have the same burning desire to know.
Think for a second: how many different passwords have you used today? A new study has concluded what you may already suspect. Changing those passwords and keeping dozens of them in your head for shopping, banking, and logging on at work is largely a waste of time. The Boston Globe reports that a principal researcher at Microsoft Research has found that changing passwords on a regular schedule just does not help much. It is not that he thinks we should give up on protecting our computers with passwords. His point is that users are being asked to take too many steps, and more are constantly being added as new threats emerge or evolve. Security professionals have generally assumed that you cannot have too much knowledge in the battle against cyber crime, but a crucial part of the equation is how much your time is worth.
In fact, the constant changing is counterproductive, says the Microsoft Research study. Worse still, changing passwords is not all that effective to begin with, because the practice assumes that the snooper who has just lifted your password is going to wait until you have changed it before using it. Writes Globe editor Mark Pothier, “that’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.” A change made on a fixed schedule only helps against an attacker who sits on a stolen password longer than the rotation interval; a change made as soon as a compromise is suspected is the one that actually locks the thief out.
Add to that the fact that security professionals keep piling more layers, instructions, and complexities onto their list of demands, and it is no wonder that users’ eyes glaze over during security training.
Security experts suggest getting around the “time wasted” objection with studies and real-world cases, as doctors do when they show a direct connection between smoking and heart disease. “If you do this, Mr. User, this will happen” studies are, ironically, something the security industry does not do well. Instead, it blankets users with pages and pages of instruction, which eventually eats into their productivity. Given a choice between implementing a bunch of new security measures that do not really affect them, because they do not use stupid passwords and do not click on Nigerian-prince phishing emails, or finishing that TPS report on time, they are going to choose the TPS report.
So we need more data and less gloom-and-doom talk, and security pros need to understand that all this education costs every user time while benefiting only the small sliver who actually need to be told that 123456 is a bad password.