Thursday, April 15, 2010

Another truism transitions to falsism

I've been in Information Technology as a computer programmer for close to 30 years.  I've seen fads come and go. (Hey!  Anyone remember Easel?  It was the next great thing back in 1991.)  I've also seen every manifestation of over-the-top system and computer security.  It seems that security administrators have learned that if you don't let anyone do anything, nothing will break.  Of course, nothing will be accomplished, either.

One of the truisms of computer security for the past decade is the importance of "strong" passwords that expire within short intervals -- some say 6 months, some a year.  My company says 3 months.  I hate it.

Why the hatred?  It's not bad enough that I have to change my password every 3 months.  No, the really irritating part is that I have to go to HQ to change it.  This means I have to schedule time off from the client site (which I usually make up by working til the dark hours) just to perform this meanial and -- we learn now -- pointless task.
You were right: It’s a waste of your time. A study says much computer security advice is not worth following.
[...]
Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.

“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley, a principal researcher for Microsoft Research.

Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
I knew it!

I always suspected that changing passwords was a complete waste of time. And now it's official.

You can bet that my next new password will contain an editorial message. Bank on it.

*------------------------------------*
*------------------------------------*