Why bother changing your password?
Last month, DarkReading had an article about how end users tend not to choose strong passwords, and indeed have poor password habits, because they cannot draw a clear line of correlation between strong passwords and their personal security.
End users routinely reject security advice and recommendations for strong passwords and for heeding dangerous Website warnings -- and that behavior makes perfect sense from an economic and psychological perspective, security experts say.
Cormac Herley, a researcher in the Microsoft Research organization, says end users are understandably noncompliant because there just isn't explicit proof that creating a strong password, for example, makes them less likely to have their accounts hacked. "Security people are trained to look for the worst-case analysis, but users don't think that way," says Herley, who emphasizes his opinions are his own and not that of Microsoft. "For example, users are told not to reuse passwords across accounts because if an attacker gets one, [he] might be able to get into their other accounts. But we don't know how often that does happen."
Most security training and advice aren't compelling enough for users to accept them, he says. The approach is telling them to reduce the risk, but "it's an unknown risk," Herley says. "That doesn't seem to be compelling to people."
In another article that I read this past weekend but can now no longer find, some make the argument that the security industry lacks the consistent, simple message of the health industry or the automobile industry. If you smoke, you will get cancer. If you don’t use your seat belt, you are more likely to die in a car accident. In security, the message is convoluted: if you don’t have a secure password, then in the not-all-that-likely event that your account is attacked, it will take the attacker longer to break in. But oh yes, there are lots of other things that you have to do as well.
In other words, end users don’t see a direct benefit of implementing all of the security recommendations that experts urge them to do. People also hear a lot about threats and it seems like no matter what they do, there is still a good chance that they will get hacked or have their accounts stolen anyhow. Given that they lack proof that strong passwords work, it’s no wonder that people ignore our security advice.
So what can we do about it? Make things simpler? Sacrifice truth for clarity? It’s difficult to say because the attack vectors are wide.
If end users are then provided hard numbers on the harmful effects of not recognizing phishing URL cues or using and reusing weak passwords, Herley wants to determine whether this would change their behavior. "Does it change things if we give them better reasons [to follow security guidelines]?" he asks. That would mean giving them information on how a strong password reduces their risk by this specific amount, for example, he says.
Schneier says it all depends on incentive: If there's no specific consequence to a user for breaking a security policy, then he isn't likely to change his ways. "Their bonus is not based on security, but whether they get their job done. You get the behaviors you [reward]," he says.
Indeed.
That last line is something I have been preaching internally for a while when it comes to outbound spam. A few months ago I shifted my perspective on how we deal with it. We filter all of our outbound mail and take action on spam. We then open a support ticket to disable the user’s account. If the spam is currently not being marked as spam by our filters, we mark it as a higher-priority ticket than if it is being caught. The idea is that we have to react quickly to spam that we know we are not automatically catching. The difference is in support response time, because nobody can be on call to react to this stuff at all times, and we do not yet have auto-disablement built in.
I shifted my stance some time ago. Now, I am of the opinion that no matter what our filters say, if someone has mail marked as spam, it should be a high priority action to disable the user’s account. Unless that specific end user encounters a consequence for breaking our security policy, there is no motivation to change their behavior. Changing that behavior is key to stopping outbound spam, whether it is by running up-to-date A/V software, ensuring that software patches are up-to-date, or not leaking one’s username and password to phishers.
Comments
- Anonymous
April 19, 2010
It's certainly true that users need to get better at maintaining and cycling strong passwords. I think the pervasive solution to this is still elusive to us in the digital world. The reason I believe is based on the reality that 99.9% of people will follow the path of least resistance. This is because they are either lazy/busy/or deprioritise the need as you point out. To get better at this we need to recognise the barriers we put up that get in the way of users having good practice when it comes to personal security. Barriers like choosing a strong password they have to write down to remember versus choosing an easy password they can remember. There is a barrier to using a strong password. Barriers like choosing different passwords for different services that require them to maintain a password list that they won't lose and that they can update over time and is stored securely against all potential circumstances. There is a barrier to using different passwords. Barriers like changing passwords periodically requiring them to have to update their list and remember how to change passwords on many different services and how long it's been since they last cycled. There is a barrier to changing passwords. Barriers like do I want to sign up for a single logon that works on multiple sites, but run the risk of my identity being exposed and subject to use I would not authorise. There is a barrier to using potential solutions to the problem of managing password lists until providers make privacy concerns ultra clear to consumers and develop a pattern of trust. I believe creativity is required to break these barriers down to the point where little or no action is required on the user's part. These barriers should be replaced with new barriers that create disincentives for not following acceptable security practices. Anyway, something I think about a lot. My $0.02 worth for you :)