Study says password changes are useless

Posted April 14, 2010 at 9:24 a.m.

From The Boston Globe | A study has concluded what lots of people have long suspected: Many of these irritating security measures forcing users to change passwords are a waste of time. The study, by a top researcher at Microsoft, found that changing passwords regularly does not stop online infiltration. “Most security advice simply offers a poor cost-benefit trade-off to users,” the author of the study wrote.

Get the full story: boston.com.


One comment:

  1. RDunn April 14, 2010 at 4:16 pm

    Not sure where my first comment went, re-posting.
    This article (and the one it links to on Boston.com’s site) is misrepresenting the information.
    Here is the actual study (which interestingly is not linked): http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf
    The study is stating from the user’s rationale that frequent password changes (and other steps taken to help mitigate password/account breaches) aren’t worth their time, considering the lack of data available showing otherwise.
    …but that’s the point. I would rather not know how quickly my account will be hacked if I don’t change the password – or not know how much money and personal time I would lose if I didn’t have a rigorous enough security practice in place. I would much rather take the costly (by time) route by keeping my password ever-changing and as secure as possible.
    Also – for the IT-bashing folks: The study is not talking about internal IT departments (interestingly, IT isn’t even addressed in the study at all) – rather, it is addressing the ‘best practices’ given by the various online resources/sites that people depend on for processing their financial information, purchasing, etc. – the “cloud”.
    But, what’s the alternative? Not giving you any advice or measures to take to protect your password and account? I think not. Leaving you to use ‘spring10’ (I probably just guessed 10% of your passwords at work) for as long as you want? C’mon.
    If you think it is a waste of time to help protect yourself from identity theft, you’re not doing it right.