As someone who is nerdily proud of her ability to remember dozens of passwords, I was interested to read a Microsoft study which says that changing your password frequently – something that people in offices and other organizations often find themselves obliged to do – might not actually be necessary.
So, how did the researchers come to this daring conclusion? Well, they maintain that computer users in general have a bad reputation for security. They use crappy passwords, forget to change them and ignore security certificate warnings. So, can we conclude that most people are stupid? Not so say the Microsoft researchers – people don’t care because the relative advantage is so small. In other words, it’s just not worth the effort:
We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice we find that the advice is complex and growing, but the benefit is largely speculative or moot. For example, much of the advice concerning passwords is outdated and does little to address actual threats, and fully 100% of certificate error warnings appear to be false positives. Further, if users spent even a minute a day reading URLs to avoid phishing, the cost (in terms of user time) would be two orders of magnitude greater than all phishing losses.
It would be hard to claim that good security practice wasn’t a pain in the neck at times, especially in situations where you use multiple passwords or have to change them frequently. Checking all those security certificates and examining unknown emails for signs of phishing can be boring – not to mention making you feel a little paranoid. So, does that mean that we should abandon them?
Absolutely not! As I read in one blog post comment, most people don’t get into car wrecks, but the vast majority of us wear seatbelts. Ok, so the precise dangers of riding in a car are well documented – and the dangers faced by computer users unfortunately aren’t – but basic, low-level computer security isn’t a chore at all. A password manager here, a glance over website security information there and you’re done.
Sure, Windows’ incessant “would you like to change your password?” messages are irritating, but that’s your employee’s prerogative, not yours. Sorry for being a party pooper, but if your company gets hacked or a disgruntled employee accesses sensitive information, you can be fairly sure the money it takes to repair the damage isn’t coming out of your payslip. Until it is, I’m afraid you’re just going to have to change your password when Vista tells you to!
