Are Passwords a Waste of Time?

Simple answer? No, of course not. Complicated answer? Good question, self, because complicated is part of the problem.

You see, passwords themselves are still fine. It's the constant changing of passwords every few weeks in the enterprise environment that's the issue.

In fact, the constant changing is counterproductive, says a new study from Microsoft Research:

In the paper, [Cormac Herley, a principal researcher for Microsoft Research] describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. - The Boston Globe

Worse still, changing passwords isn't all that effective to begin with, because the practice assumes that the snooper who's just lifted your password is going to wait until you've changed to a new one to use it. Writes Globe editor Mark Pothier, "that's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door."

Add in the fact that security professionals are always adding additional layers and instructions and complexities to their list of demands, and it's no wonder that users' eyes often glaze over during security training.

Security expert Bruce Schneier suggests circumventing the "time wasted" issue with studies and anecdotal data, as doctors do when they show a direct connection between heart disease and smoking. "If you do this, Mr. User, this will happen" studies are, ironically, something the security industry does not do well, Herley said in his interview with the Globe. Instead, they blanket users with pages and pages of instruction. Eventually, this eats into their productivity. Given a choice between implementing a bunch of new security features that really don't affect them because they don't use stupid passwords and don't click on Nigerian phishing scams, or finishing that TPS report on time, they're going to choose the TPS report.

So, Herley argues, we need more info; less gloom and doom talk; and security pros need to understand that all this education costs users time, while benefiting only that small sliver who actually need to be told 123456 is a bad password. [The Boston Globe]