A new study commissioned by Microsoft shows the futility of constantly changing your passwords. In numerous organizations, strong-password requirements and mandatory regular password changes are not just well known but standard practice.
Now a study has concluded what many of us have long suspected: many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that the instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.
The reality is that stolen passwords, and the damage done with the accounts they unlock, are estimated to cost businesses many billions of dollars a year. A number that large pushes a lot of companies to adopt policies meant to limit the impact of stolen passwords. The problem with password change policies is that the research shows attackers who steal a password do not wait for you to change it before they use it. Generally speaking, the damage is done shortly after the password is stolen, and a forced change only helps in the narrow window between theft and first use. Changing your password even once a day is unlikely to stop the damage caused by a stolen password.
Quite honestly, a regular password change policy can be counterproductive, as many of us can attest. If passwords must change regularly, people still need to remember them. So they start picking easy-to-remember passwords, using a predictable pattern (such as incrementing a number at the end of the old password) that is easily guessable, or, in the worst case, writing the password on a sticky note and posting it on the computer.
For businesses, the point to grasp is that the appearance of security does not mean you are actually secure. Often the opposite is true.
A more sobering figure might make those who are still unconvinced aware of the financial cost of wasting people's time for no security benefit. A paper presented at a security workshop at Oxford University last fall used some crude economic analysis and a little basic math to estimate the worth of a user's time. Roughly 200 million users go online in the US each day; if each of them earned twice the minimum wage, one minute of each user's time per day costs about $16 billion a year.
That is certainly a sobering number. The biggest problem with security time sinks is that their damage is not easily expressed in dollars. It shows up as less work getting done, as people who are less happy in their jobs, or, again, as an actual decrease in security because someone decided to cut a corner.
IT is really supposed to make people's lives easier. Far too often we react by making their lives far more difficult in the name of security. Business owners, keep this in mind: always work out the true cost of a security policy before you adopt one that does not actually make anyone more secure.