ARE PASSWORDS REALLY THAT DIFFICULT?
When it comes to creating passwords for social networks, business [to a lesser extent] or more alarmingly e-commerce programs, most Web users seem to have gotten lazy. That’s the (not particularly shocking) news last month from Web security firm Imperva, which examined data uncovered in a recent breach of a site called RockYou.com: users are simply continuing to ignore experts’ advice.
Fortunately, or not depending on your perspective, there is no paucity of advice on the subject of password selection and protection offered by computer and information security (CIS) experts and analysts – and even though that advice has been around for as long as a couple of decades now, it is continually evolving.
And yet there will likely be no change in users’ behavior even with the recent news of the intrusion into web company RockYou and the subsequent pilfering and posting of approximately 32 million user passwords. Security analysts were alarmed to find a continuing trend in password choices: one out of five Web users still decides to leave the digital equivalent of a key under the doormat – they choose simple, weak, easily guessed passwords like “abc123,” “iloveyou” or even “password” to protect their data.
There are even some experts, like Cormac Herley, Principal Researcher at Microsoft Research, who are suggesting that the burden is just too high for users and that it might be entirely rational to reject the experts’ advice.
It appears Herley might be correct in his assertion [spelled out in detail in his paper] that, statistically, the overall costs to all users exceed the relative benefits to the few who might be harmed, yet none of us would appreciate being counted among the statistical few who are indeed compromised.
Vigilance over our digital data is mandatory and the advice offered by experts is valid, but I agree with the assertion made by Herley that the blame lies not with the pallid behavior of computer users, but rather with the complex and incoherent burdens placed upon individual users. More directly: the blame lies with the security experts and the burdens they place upon us.
In order to fix this apparent hole from an individual user’s point of view, there needs to be a universal solution that is far easier to enact than what is about to follow. The human factor is truly security’s weakest link.