Study: Computer Security Measures Not All Worth It
MICHELE NORRIS, host:
Before we leave the Internet universe, let's spend some time considering passwords, since they're often the gateway to the Web.
How many passwords do you have - two, four, more than that? Do some require a certain number of characters, while others mandate that the password must contain at least one number?
Well, a new paper by a researcher at Microsoft argues that the obsession with passwords is a giant waste of time and a giant waste of money.
We're joined now by Mark Pothier. He's the senior assistant business editor at The Boston Globe.
Welcome to the program.
Mr. MARK POTHIER (Senior Assistant Business Editor, The Boston Globe): Thank you.
NORRIS: Explain to us what this Microsoft researcher Cormac Herley is saying - this idea that this is all just a waste of time.
Mr. POTHIER: Well, he started with the premise that the more advice that someone could give a computer user about security, the better. But then he quickly realized that that didn't take into account the value of the user's time. So he did some calculations and figured out that our time is worth a lot, so the more steps that we're asked to take to secure our computers, the more expensive it is.
NORRIS: So is he saying that we should have just one password, almost like our Social Security number, and just use it over and over again whether it's for our bank account or our personal login at work?
Mr. POTHIER: Well, he's not saying that. He's just saying that you should have a strong password. If you work for a company and you're required to constantly change it, well, of course, you need to abide by those rules. But that some of the things we're told are not really valid.
The example that he used is: if you change your password and someone steals it, that's really only an effective measure if the person waits until you change your password again before they use it. The example I use is that it's about as likely as a criminal stealing your house key and then waiting until you change the locks before they stick it in the door. So it's sort of a waste of time.
NORRIS: He seems to be saying that if you let these bad things happen every now and again, that that would be less expensive than all the time that we spend trying to keep our passwords up-to-date.
Mr. POTHIER: Yes, he is saying that. He came up with a calculation that one minute of the collective user time each day equals about $16 billion a year. So anything that we do should reduce the harm, collectively, by $16 billion annually. And that's a high hurdle to clear.
So what he's advocating for is that the security professionals come up with some way to prioritize and explain to users you should do these three things, if you do nothing else, because it will offer you the most protection.
NORRIS: You know, anyone who's listening to this who's been a victim of computer theft or cyber stalking might be thinking that all this is a little bit soft-headed. If anything, more protections are needed, not fewer.
Mr. POTHIER: Right, but the problem with that is the level of sophistication of computer security attacks increases daily, and therefore, the instructions we get increase daily. And at a certain point - just to get your work done or even to go online and buy something from Amazon - at a certain point, the user just sort of gives up and says, "I'm just going to do this; I'm going to use the same password on every site."
So, in effect, by giving people more things to do, you almost encourage them to become less safe by doing things like using the same password over and over, or writing it down and sticking it on the computer. Or even worse, creating a document on your computer that says "This Is My Password."
NORRIS: Mark Pothier, thanks so much for speaking with us.
Mr. POTHIER: Thank you, Michele.
NORRIS: Mark Pothier is a senior assistant business editor at The Boston Globe.
NPR transcripts are created on a rush deadline by a contractor for NPR, and accuracy and availability may vary. This text may not be in its final form and may be updated or revised in the future. Please be aware that the authoritative record of NPR's programming is the audio.