Are Passwords a Waste of Time?


Simple answer? No, of course not. Complicated answer? Good question, self, because complicated is part of the problem.


You see, passwords themselves are still fine. It's the constant changing of passwords every few weeks in the enterprise environment that's the issue.

In fact, the constant changing is counterproductive, says a new study from Microsoft Research:

In the paper, [Cormac Herley, a principal researcher for Microsoft Research] describes an admittedly crude economic analysis to determine the value of user time. He calculated that if the approximately 200 million US adults who go online earned twice the minimum wage, a minute of their time each day equals about $16 billion a year. Therefore, for any security measure to be justified, each minute users are asked to spend on it daily should reduce the harm they are exposed to by $16 billion annually. - The Boston Globe


Worse still, changing passwords isn't all that effective to begin with, because the practice only helps if the snooper who has just lifted your password waits until you've changed it before using it. Writes Globe editor Mark Pothier, "that's about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door."

Add in the fact that security professionals are always adding additional layers and instructions and complexities to their list of demands, and it's no wonder that users' eyes often glaze over during security training.

Security expert Bruce Schneier suggests circumventing the "time wasted" issue with studies and anecdotal data, as doctors do when they show a direct connection between heart disease and smoking. "If you do this, Mr. User, this will happen" studies are, ironically, something the security industry does not do well, Herley said in his interview with the Globe. Instead, they blanket users with pages and pages of instruction. Eventually, this eats into their productivity. Given a choice between implementing a bunch of new security features that really don't affect them because they don't use stupid passwords and don't click on Nigerian phishing scams, or finishing that TPS report on time, they're going to choose the TPS report.

So, Herley argues, we need more info; less gloom and doom talk; and security pros need to understand that all this education costs users time, while benefiting only that small sliver who actually need to be told 123456 is a bad password. [The Boston Globe]


Here is what bugs me about the WHOLE password thing. I've done some programming and login systems, and intentionally store the passwords as a salted MD5 or SHA1 hash. That means that there is NO maximum length of passwords, although there is a minimum length. Yet, I have seen hobbyist boards with maximum length passwords of 40 characters with special characters, while some major financial institutions and bill paying services have a maximum password length of... 16 letters and numbers only.

Next annoyance: not specifying the minimum length, maximum length, and what I can and cannot use.

How did I find this out? Following a Lifehacker article, I am using KeePass and have updated all of my passwords. My passwords are now stored in a file on my USB stick, and backed up regularly. Yes, I am somewhat paranoid. Let my co-workers criticize me for having "military-strength" passwords. But, then again, I remember that line from The Incredibles: "Your identity is your most valuable possession. Protect it."
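The commenter's point, that a salted hash takes up the same space no matter how long the password is, as an added example that is not the commenter's code: it uses PBKDF2-HMAC-SHA256 from Python's standard library as the salted hash (a swapped-in choice in place of the salted MD5/SHA1 mentioned above, since a single fast hash is cheap to brute-force), enforces a minimum length but no character-set rule or 16-character cap, and verifies with a constant-time comparison. The iteration count, minimum length, byte cap and record format are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Parameters are assumptions for this example, not values from the comment above.
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor
MIN_LEN = 12           # minimum password length, in characters
MAX_BYTES = 4096       # generous cap on UTF-8 byte length, only to bound CPU time


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$digest_hex.

    The record is the same size whether the password is 12 or 400 characters,
    which is why a hashed store needs no "16 letters and numbers only" rule.
    """
    if len(password) < MIN_LEN:
        raise ValueError(f"password must be at least {MIN_LEN} characters")
    pw = password.encode("utf-8")          # any Unicode is accepted, passphrases included
    if len(pw) > MAX_BYTES:
        raise ValueError(f"password longer than {MAX_BYTES} bytes")
    salt = os.urandom(16)                  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
        iterations = int(iterations)
    except ValueError:
        return False                       # malformed or foreign record
    pw = password.encode("utf-8")
    if len(pw) > MAX_BYTES:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    return hmac.compare_digest(actual, expected)


def record_length(password: str, iterations: int = ITERATIONS) -> int:
    """Storage cost of one record; independent of the password's length."""
    return len(hash_password(password, iterations))


if __name__ == "__main__":
    short = "correct horse battery"
    long_ = "Une phrase de passe très longue, avec des accents et de la ponctuation !" * 3
    print(record_length(short), record_length(long_))   # same number for both
    rec = hash_password(long_)
    print(verify_password(long_, rec), verify_password(short, rec))   # True False
```

The only length check that survives is the byte cap, and it exists to keep one login attempt from burning unbounded CPU in the key-derivation loop, not to shorten passwords; it should be large enough that no human-chosen passphrase ever hits it.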