Office Machines for the Office Jungle!
Thursday September 2nd 2010

True Cost of Security Now

This past week on the Security Now podcast, episode #229 produced by the TWiT network, Steve and Leo turn the usual framing around and question the true economic value of security advice. They consider the various non-zero costs that advice imposes on the average, non-Security Now! listener, and compare those real costs with the somewhat unclear and uncertain benefits of going to all the trouble of following sometimes painful advice.

I found the episode to be very interesting since we rarely if ever question the advice about passwords and such on the net. Here is an excerpt from the podcast:

Steve: …”that someone would have to fit within a very small window in order to exploit the fact that you had had the same password. So again, the changing it often, the argument against that is that most times the password is going to be captured and probably used quickly. So it doesn’t really matter how long you’ve had the same password. The only place where that would matter would be if a year ago the password were captured and it hadn’t been used until now. So that changing it anytime in that year would have thwarted the attack.

So you could say, okay, that’s dumb. I mean, changing it often is, first of all, a real pain because if you just got comfortable with – it’s like when I lose one of my credit cards because of online fraud, it’s like, oh, I had just memorized the darn thing, and now I’ve got to go memorize it again. So changing your password is very expensive from a user argument, from a user cost, and it’s not really clear. It’s like should you? Yes. What happens if you don’t? Probably not a big problem because the nature of the attack is not using real old passwords. That just probably doesn’t happen.”
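As an added illustration of the argument Steve makes in the excerpt (this model is not from the podcast or from this post), the following Python code works out when a scheduled password change actually defeats a captured credential. It assumes a fixed rotation schedule (change at day 0, then every `rotation_days`) and a capture time spread uniformly across one cycle; the delay values and the 90-day period are constructed for the example.

```python
"""
Toy model of the argument in the excerpt: password rotation only helps when
a scheduled password change falls between the moment a credential is captured
and the moment the attacker first uses it. All numbers here are constructed
for illustration; nothing is drawn from real incident data.
"""
import math


def rotation_thwarts(capture_day: float, use_day: float, rotation_days: float) -> bool:
    """Return True if a forced change lands in the window (capture_day, use_day].

    Assumed schedule: the password is rotated at day 0, rotation_days,
    2 * rotation_days, ...  A rotation inside the window means the captured
    value is already stale by the time it is tried.
    """
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    if use_day < capture_day:
        raise ValueError("use cannot precede capture")
    # Count rotation boundaries crossed between capture and first use.
    return math.floor(use_day / rotation_days) > math.floor(capture_day / rotation_days)


def expected_fraction_thwarted(delay_days: float, rotation_days: float) -> float:
    """Fraction of captures defeated when the capture time is uniform within a cycle.

    If the attacker waits delay_days before use, a rotation is crossed exactly
    when the capture happened in the last delay_days of a cycle, so the
    fraction is delay / rotation, capped at 1 once the delay spans a full cycle.
    """
    if rotation_days <= 0:
        raise ValueError("rotation period must be positive")
    return min(delay_days / rotation_days, 1.0)


def simulated_fraction_thwarted(delay_days: float, rotation_days: float,
                                samples: int = 10_000) -> float:
    """Brute-force check of expected_fraction_thwarted over a grid of capture times."""
    thwarted = 0
    for i in range(samples):
        # Midpoints of `samples` equal bins, i.e. uniform across one cycle.
        capture = rotation_days * (i + 0.5) / samples
        if rotation_thwarts(capture, capture + delay_days, rotation_days):
            thwarted += 1
    return thwarted / samples


def compare_scenarios(rotation_days: float = 90.0) -> dict:
    """Constructed scenarios from the excerpt: quick use vs. a year-old capture."""
    return {
        "used_next_day": expected_fraction_thwarted(1.0, rotation_days),
        "used_after_a_year": expected_fraction_thwarted(365.0, rotation_days),
    }


if __name__ == "__main__":
    for name, frac in compare_scenarios().items():
        print(f"{name}: {frac:.1%} of captured passwords are stale before first use")
```

With a 90-day rotation, a password used the day after capture is stale only about 1.1% of the time, while one sat on for a year is stale every time; that is the asymmetry behind the "changing it often doesn't buy much" argument, and the number to weigh against the user cost described in the excerpt.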

I highly recommend the Security Now Podcast for any of you out there who are interested in security.


Reader Feedback

2 Responses to “True Cost of Security Now”

  1. Scott says:

    Honestly I was expecting some new M$ solution to be recommended at the end of this M$ researcher's paper.

    I agree with some parts: over-security like forcing password changes for all users is laughable; 12 minutes to compromise an unpatched computer is laughable.

    I would suggest M$ works on making their OS a little more secure.

    Implying that it is pointless to train users is also laughable. The criminals will go to the easiest money, so giving up on the users will only encourage and then grow the hackers' biz.

    There are a few good security programs and devices that reduce the need for users to be trained. I was surprised that none were mentioned. Oh, M$ doesn't make those. lol

  2. isaac says:

    Scott, you make a good point about the article not including a few simple solutions like 3rd party apps that can at least help bridge the security gap. I was just happy to see someone finally calling out the craziness of different passwords for every single site and rotating those passwords every 6 months, because it's just not feasible.