Microsoft has done the math: changing passwords does not pay off
One of the most common pieces of security advice, periodically changing your passwords on different sites, does not hold up from the user's point of view.
Cormac Herley, one of Microsoft Research's leading researchers, has published a paper that weighs the effort of changing passwords against the benefit it brings. It turns out that this procedure, like a number of other security procedures, ultimately does not benefit the user, the NY Times writes.
In fact, many ordinary users sense this intuitively: if they have no valuable information, why spend time and energy on protection? Now Microsoft has officially confirmed it.
Security experts have long called for user education and better security literacy. Herley argues that this approach is fundamentally wrong.
“Most security advice simply offers the user an unfavorable cost-benefit ratio,” writes Cormac Herley. In his view, the security measures on many websites are particularly stupid; for example, sites that require you to change your password periodically. It is hard to imagine an attacker who already knows the password waiting until it is changed. In other words, once a password has been stolen, changing it is practically useless: if a break-in was possible, it has already happened.
Herley believes that some other security measures are also a bad deal for the user, including reading browser warnings about a site's expired certificate, when most of these warnings do not correspond to a real threat.
According to the Microsoft researcher, ordinary people are forced to take far too many steps to protect their own computers. He says that when security measures are not followed, security specialists habitually talk about user illiteracy, but they usually fail to account for the cost of users' time; in their view, user time is free. In reality, it is simply not worthwhile for people to follow most of these complex procedures.
Herley offers this calculation: valuing labor at close to the minimum wage, one minute a day spent every day by 200 million American users costs society about $16 billion a year. This is the price security experts demand for following their procedures, and it is too high.
For example, the annual damage to banks from phishing is about $60 million. If bank customers are made to spend even a few minutes on anti-phishing measures, the cost of protection will be ten times the potential damage. Part of these costs is borne by the banks themselves, which are forced to introduce new services and provide technical support to users on the new procedures. As a result, the cost of protection exceeds the damage many times over.
Herley's study was presented at a computer security workshop at Oxford University last fall (PDF), but a wide discussion of this theory among experts began only about a month ago, after an article in TechRepublic.