Passwords and the cost of security

A friend of mine drew my attention to an interesting article on the Boston Globe website which suggests our security advice to users is (literally) a waste of time. The feature was prompted by the claims of a Microsoft researcher who believes that “Most security advice simply offers a poor cost-benefit trade-off to users”. The article raises two important points, one correct and one misguided.

The first point it makes is that advice to users on choosing passwords is bad. Quite right: in my view we’re addressing the wrong problem. It’s not about choosing a single strong password, but managing a bulging portfolio of constantly changing ones. We need better tools to store and retrieve them securely. How difficult is that? Yet after several decades the cupboard is embarrassingly bare.

The second point is that user’s time is money and should therefore be factored into the cost/benefit equation. Wrong: an extra ten minutes of my time costs nothing and earns nothing in real money. It’s simply an irritation. No investment appraisal manager would accept a business case built on such imaginary costs or benefits.

As I’ve pointed out before, there are fundamental flaws in any attempts to quantify the costs and benefits of security. Investing in security is primarily a leap of faith based on an educated guess.