Interesting People mailing list archives

good read: Please do not change your password


From: Dave Farber <dfarber () me com>
Date: Fri, 16 Apr 2010 09:48:42 -0400
Begin forwarded message:

From: Richard Forno <rforno () infowarrior org>
Date: April 16, 2010 8:09:04 AM EDT
To: Undisclosed-recipients: <>;
Cc: Farber Dave <dave () farber net>
Subject: good read: Please do not change your password



I daresay this is the way infosec has evolved in recent years --  allegedly improving computer security by making it 
so onerous that folks end up embracing bad security practices just to be functional on a basic level.  

I'm an IA person, and *never* wrote down passwords (the mere thought is like nails-on-chalkboard to me) until I got 
involved in some projects that had password requirements of 8-12 chars, alphanumeric, one capital letter, one lower 
case letter, one number, and one special character with lifetimes of 45-90 days. (I wonder if Post-It sales showed a 
marked increase once such horrendously-abusive password requirements became popular.) When you had multiple such 
passwords that were different, at some point you just give up. Ergo, security requirements with the best of 
intentions become security vulnerabilities created by the users in response to obstacles they face in achieving basic 
productivity.

Interestingly, the article highlights a very much overlooked aspect of infosec that I bring out whenever possible to 
my students --  "For too long, users have been asked to follow security instructions without being told why they are 
worth the time investment."  How very true.

-rick


http://www.boston.com/bostonglobe/ideas/articles/2010/04/11/please_do_not_change_your_password/?page=full

Please do not change your password

You were right: It’s a waste of your time. A study says much computer security advice is not worth following.

By Mark Pothier
April 11, 2010

To continue reading this story, enter your password now. If you do not have a password, please create one. It must 
contain a minimum of eight characters, including upper- and lower-case letters and one number. This is for your own 
good.

Nonsense, of course, but it helps illustrate a point: You will need a computer password today, maybe a half dozen or 
more — those secret sign-ins that serve as sentries for everything from Amazon shopping carts to work files to online 
bank accounts. Just when you have them all sorted out, along comes another “urgent” directive from the bank or IT 
department — time to reset those codes, for safety’s sake. And the latest lineup of log-ins you’ve concocted won’t 
last for long, either. Some might temporarily stay in your head, others are jotted on scraps of paper and stuffed in 
a wallet. A few might be taped to your computer monitor in plain view (or are those from last year’s batch? Who 
can remember?).

Now, a study has concluded what lots of us have long suspected: Many of these irritating security measures are a 
waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly 
computer attacks often exact a much steeper price in the form of user effort and time expended.

“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley, a 
principal researcher for Microsoft Research.

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, 
users are admonished to change passwords regularly, but redoing them is not an effective preventive step against 
online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it 
until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and 
then waiting until the lock is changed before sticking it in the door.
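The house-key argument above can be put in numbers. The following Python is an added illustration, not code from the article or from Herley's paper; it assumes the theft happens at a uniformly random moment within the rotation cycle and that the attacker first uses the stolen password a fixed delay after stealing it. Under those assumptions rotation only helps when the old password has already been retired before that first use, and the probability of that is simply the delay divided by the rotation period.

```python
"""Model of 'forced rotation vs. a stolen password' (added example).

Assumptions (not from the article): the theft time t is uniform over one
rotation period P, and the attacker first uses the password d days after
stealing it.  Rotation defeats the theft only if the password has been
retired by then, i.e. t + d >= P, which happens with probability
min(d, P) / P.
"""

import random


def p_rotation_defeats_theft(rotation_days, use_delay_days):
    """Closed-form probability that a rotation every `rotation_days`
    retires a stolen password before the attacker's first use."""
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    if use_delay_days < 0:
        raise ValueError("use delay cannot be negative")
    return min(use_delay_days, rotation_days) / rotation_days


def simulate(rotation_days, use_delay_days, trials=100_000, seed=1):
    """Monte Carlo check of the closed form: draw the theft time
    uniformly within the cycle and count how often the password is
    already dead when the attacker tries it."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    defeated = 0
    for _ in range(trials):
        theft_time = rng.uniform(0, rotation_days)
        if theft_time + use_delay_days >= rotation_days:
            defeated += 1
    return defeated / trials


def rotation_table(rotation_periods=(45, 90), delays_hours=(1, 24, 24 * 7)):
    """Probabilities for the 45- and 90-day lifetimes mentioned in the
    thread, against attackers who wait an hour, a day or a week."""
    rows = []
    for period in rotation_periods:
        for hours in delays_hours:
            prob = p_rotation_defeats_theft(period, hours / 24)
            rows.append((period, hours, prob))
    return rows


if __name__ == "__main__":
    for period, hours, prob in rotation_table():
        print(f"rotate every {period:>2} days, attacker waits {hours:>4} h: "
              f"rotation helps with probability {prob:.4%}")
```

With a 90-day lifetime and an attacker who uses the password within an hour, rotation blunts the theft less than one time in two thousand; only when the delay between compromise and use approaches the rotation period (the "unless the attacker waits" case in the article) does the number become meaningful.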

Herley also looked at the validity of other advice for blocking security threats, including ways to recognize 
phishing e-mails (phony messages aimed at getting recipients to give up personal information such as credit card 
numbers) and how to deal with certificate errors, those impossible-to-fathom warning messages. As with passwords, the 
benefits of these procedures are usually outweighed by what users must do to carry them out, he said.

It’s not that Herley believes we should give up on protecting our computers from being hijacked or corrupted simply 
because safety measures consume time. The problem, he said, is that users are being asked to take too many steps, and 
more are constantly being added as new threats emerge or evolve. Security professionals have generally assumed that 
users can’t have too much knowledge in the battle against cyber crime. But that fails to take into account a crucial 
part of the equation, according to Herley: the worth of users’ time.

“A lot of advice makes sense only if we think user time has no value,” he said.

The study was first presented by Herley at a security workshop at Oxford University last fall, and began generating 
wider discussion last month after an essay about it appeared on TechRepublic, a popular technology website.

In the paper, Herley describes an admittedly crude economic analysis to determine the value of user time. He 
calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of 
their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute 
users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. It’s a high 
hurdle to clear.

Herley’s paper gives “normal users a voice,” said Michael P. Kassner, a technology writer and IT veteran who wrote 
the TechRepublic piece. For too long, users have been asked to follow security instructions without being told why 
they are worth the time investment. “I’ve been a proponent of prioritizing” security measures, Kassner said. “The 
whole purpose of IT is to make people’s lives easier.”

The computer security community has long puzzled over why so many users fail to snap to attention when alerted to 
news about the latest threats, such as viruses, worms, Trojan horses, malware, and spyware. At countless conferences 
and seminars, experts have consistently called for more education and outreach as the answer to user apathy or 
ignorance. But the research of Herley and others is causing many to realize most of the blame for noncompliance rests 
not with users, but with the experts themselves — the pros aren’t able to make a strong case for all their 
recommendations.

Some advice is excellent, of course. But instead of working to prioritize what efforts are effective, government and 
security industry officials have resorted to dramatic boldface statements about the horrors of poor passwords and 
other safety lapses, overwhelming the public. For instance, the federal government’s website for computer safety 
tips, www.us-cert.gov, includes more than 50 categories under the heading of “Cyber Security Tips.” Each category 
leads to complex sets of instructions.

“It’s nice to see the industry starting to grapple with these issues,” said Bruce Schneier, the author of “Secrets 
and Lies,” a book about computer and network security. In a blog posting last year, Schneier recalled a security 
conference at which a speaker was baffled by the failure of workers at his company to adhere to strict computer 
policies. Schneier speculated that the employees knew following those policies would cut into their work time. They 
understood better than the IT department that the risks of not completing their assignments far outweighed any 
unspecified consequences of ignoring a security rule or three. “People do what makes sense and don’t do what 
doesn’t,” he said. To prompt them to be more rigorous about computer protection, he said, “You want actual studies, 
actual data.”

That poses a challenge for the security industry, Herley said. While doctors can cite statistics showing smoking 
causes cancer, and road-safety engineers can produce miles of numbers supporting seat belt use, computer security 
professionals lack such compelling evidence to give their advice clout. “Unbelievable though it might seem, we don’t 
have data on most of the attacks we talk about,” he said. “That’s precisely why we’re in this ‘do it all’ approach.”

His paper argues for advice that incorporates more information, and less hyperbole. Security professionals need to 
consider that user education costs everyone (in time), but benefits only the small percentage who are actually 
victimized, he wrote. Advice must be based on an estimate of the victimization rate for a particular security issue, 
not a worst-case scenario risk analysis. It’s a start to quantify in a rough way the value of user time, he said, but 
more study is required. The central question that remains to be answered: Given all the threats, what steps produce 
results that outweigh the price for society at large?

Costs can come in unexpected ways, he suggests. One example he studied was phishing. Banks and other investment 
companies often guarantee to reimburse customers if unauthorized withdrawals are made from their online accounts, so 
the customer does not pay a direct price. The banks face losses, but they are relatively modest — the annual cost 
nationwide as a result of phishing attacks is $60 million, Herley estimated. By instructing users to take measures 
against them (such as by scouring URLs to make sure they lead to legitimate websites), “we’re imposing a cost that is 
orders of magnitude greater than the problem it addresses,” he said.

For banks, the greater potential for damages comes not from a phishing attack itself, but indirect expenses. Herley 
used Wells Fargo as an example. He wrote that if a mere 10 percent of its 48 million customers needed the assistance 
of a company agent to reset their passwords — at about $10 per reset — it would cost $48 million, far surpassing 
Wells Fargo’s share of the $60 million in collective losses.
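The article gives three pieces of arithmetic from Herley's analysis: the $16 billion per year that one minute a day of user time is worth, the phishing advice whose cost dwarfs the $60 million it addresses, and the $48 million a bank would pay for agent-assisted password resets. The Python below is an added example that carries that cost-benefit reasoning through as functions; it is not code from the article or from Herley's paper. The article reports rounded figures, so the inputs are assumptions: 200 million users (the article's figure), $7.25 as the federal minimum wage in effect when the paper was written, and ten seconds per user per day as the effort of "scouring URLs", a number the page does not give.

```python
"""Cost/benefit arithmetic behind Herley's argument (added example).

Inputs marked ASSUMED are not from the article; it only quotes rounded
results.  Time is valued at a flat hourly wage and every user is asked to
spend the same amount of time every day, which is the crude model the
article describes.
"""

MINUTES_PER_HOUR = 60
DAYS_PER_YEAR = 365

US_ONLINE_ADULTS = 200_000_000       # article: "approximately 200 million"
MIN_WAGE_2009 = 7.25                 # ASSUMED: federal minimum wage, 2009
HOURLY_WAGE = 2 * MIN_WAGE_2009      # article: "twice the minimum wage"

PHISHING_LOSS_PER_YEAR = 60_000_000  # article: Herley's estimate
URL_CHECK_SECONDS_PER_DAY = 10       # ASSUMED: effort of scrutinising URLs


def annual_cost_of_user_minutes(users, hourly_wage, minutes_per_day):
    """Dollar value per year of asking `users` people for
    `minutes_per_day` each, valuing their time at `hourly_wage`."""
    per_minute = hourly_wage / MINUTES_PER_HOUR
    return users * minutes_per_day * per_minute * DAYS_PER_YEAR


def break_even_harm_reduction(users=US_ONLINE_ADULTS, hourly_wage=HOURLY_WAGE,
                              minutes_per_day=1.0):
    """The hurdle in the article: harm ($/year) a measure must prevent
    to pay for the user time it consumes."""
    return annual_cost_of_user_minutes(users, hourly_wage, minutes_per_day)


def advice_cost_ratio(seconds_per_day, annual_harm,
                      users=US_ONLINE_ADULTS, hourly_wage=HOURLY_WAGE):
    """How many times the cost of following a piece of advice exceeds the
    harm it addresses.  A ratio above 1 means the advice is a net loss
    for society even if it stopped every single attack."""
    cost = annual_cost_of_user_minutes(users, hourly_wage,
                                       seconds_per_day / 60)
    return cost / annual_harm


def reset_support_cost(customers, fraction_needing_help, cost_per_reset):
    """Indirect cost of a password policy: agent-assisted resets."""
    return customers * fraction_needing_help * cost_per_reset


if __name__ == "__main__":
    hurdle = break_even_harm_reduction()
    print(f"one minute/day of user time is worth about ${hurdle / 1e9:.1f} billion/year")
    ratio = advice_cost_ratio(URL_CHECK_SECONDS_PER_DAY, PHISHING_LOSS_PER_YEAR)
    print(f"URL checking costs {ratio:.0f}x the annual phishing loss it targets")
    resets = reset_support_cost(48_000_000, 0.10, 10)
    print(f"10% of 48M customers needing a $10 reset costs ${resets / 1e6:.0f} million")
```

With these inputs the hurdle comes out near $17.6 billion, the same order as the article's rounded $16 billion, and ten seconds a day of URL checking costs roughly fifty times the $60 million in phishing losses. Changing the assumed seconds per day or wage moves the ratio, but not across the "orders of magnitude" gap Herley describes.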

No one is saying computer security threats are not a serious matter. Attacks multiply daily and are becoming more 
effective, having risen far beyond the sophistication level of the Nigerian prince looking to unload $12 million. 
Check your in-box — within the last few hours a criminal probably sent you an invitation to be victimized. Herley’s 
paper cites a report that said an unprotected PC will be invaded within 12 minutes of being connected to the 
Internet, on average. And last month, Justice Department Inspector General Glenn A. Fine warned the government isn’t 
keeping pace with cyber crooks in its efforts to combat the fastest-growing crime in the United States — identity 
theft. About 10 million Americans are affected each year.

With all that scary stuff in mind, it is easy to appreciate the sincerity of those pushing us to be more vigilant, 
even if their methods are muddled.

So which security measures offer a reasonable return on time and effort? Although coming up with a sensible list of 
security actions was not a goal of Herley’s research, he does have some suggestions based on personal experience. 
Start with bullet-proof passwords, he said, even if your employer requires you to periodically reinvent them or use 
too many (he juggles about three dozen as part of his work). Beyond that, he is big on one-time measures that offer 
ongoing benefits, like installing the latest software to shield against viruses and spyware (set it to automatically 
update). Two-thirds of computers have outdated software protection, according to a Microsoft spokesman. The company 
also recommends activating a firewall, which “functions like a moat around a castle.” Combined, such measures 
shouldn’t take more than 30 minutes, it said, and offer insulation from what is perhaps the biggest security menace 
of all: users.

“One of the main ways people get compromised is that they open the door to an attacker themselves,” said Herley. 
Someone might load software promoted as offering protection when it is actually spyware in disguise, he said, or they 
“open an e-mail attachment with a malicious payload....If this happens, it can be very bad. A piece of malicious 
keylogging software on your machine can grab all of your passwords: It makes no difference at that point whether they 
are strong or weak.”

After all this trash talk about security, you might wonder what Microsoft chief executive Steve Ballmer thinks about 
one of his key researchers challenging much of the advice the industry giant dispenses like gospel. Herley insists 
there has not been any blowback. Microsoft encourages its researchers to “push against fixed beliefs, even when some 
of the ideas can be controversial,” he said. And from outside Redmond, Wash., he added, “the reaction has been 
tremendous.”

“Maybe I’m just saying out loud what is rather obvious — we seem to be causing lots of unnecessary misery.”

Mark Pothier is the Globe’s senior assistant business editor. He can be reached at mpothier () globe com. 

© Copyright 2010 Globe Newspaper Company.


