Password Pandemonium

It seems that many people have been heeding admonitions from seemingly everywhere that they should refrain from using the same user name and password for their various online accounts.

“Password creep” has been the result. Just how much so is revealed in a recently published research study from social web SaaS provider Janrain, in concert with Harris Interactive.

The 2012 Online Registration & Password Study found that nearly 60% of online adults have five or more unique passwords associated with their online logins.

One-third of the respondents report that they maintain 10 or more passwords. And ~10% report having more than 20 individual passwords.

These figures are up significantly from the first Janrain study, which was conducted back in 2006.

Of course, when one considers the myriad of online activities many people engage in, it’s not hard to fathom how the number of passwords per user has become so large. Consider all of these possibilities just for starters:

  • Retail sites and loyalty programs
  • TripAdvisor, Angie’s List, Yelp! and other review sites
  • Facebook, Twitter and other social networking sites
  • LinkedIn, Career Builder and other career-oriented sites
  • Google, Yahoo and other e-mail/search portals
  • PayPal and other payment, banking and financial sites
  • Hobby sites and discussion boards
  • Personal blogs

And the list goes on …

The Janrain/Harris study also uncovered several interesting findings based on age and gender demographics:

  • Older people (age 55+) are more likely to have a higher number of unique passwords than younger adults.
  • Men age 45-54 report having the highest average number of unique passwords (~10).

There’s no question that people have heeded the warnings about using passwords that are too easy to “game” … and thus are creating passwords that incorporate a combination of letters, numbers and other symbols.

But the downside is a considerable percentage of people forgetting their passwords frequently. 

In fact, more than one-third of the respondents report that they have had to ask for assistance with their user name or password at least once in the past month.

And another thing: The vast majority of people (~85%) dislike being asked to register to access information on a new website.

What did they dislike in particular? Half of the respondents complained about having to create and remember yet another user name and password. And ~45% believe that online registration forms are too long and time-consuming to complete.

Despite the irritations of “password pandemonium,” it’s doubtful many online consumers are going to be changing their behaviors very soon.

One alternative would be to create a few strong, secure passwords that are used across multiple sites but changed regularly. But to many, that “cure” is no better than the “disease” they have already.

Computer security measures: A whole lot of heat … and very little light?

If you’re like me, you have upwards of two dozen sets of user names and passwords associated with the various business, banking, shopping and social media sites with which you interact on a regular or occasional basis.

Trying to keep all of this information safe and secure – yet close at hand – is easier said than done. More often than not, passwords and other information end up on bits of paper floating around the office, in a wallet … or in (and out of) your head.

And to make things even more difficult, if you paid attention to conventional advice, you’d be changing those passwords every 30 or 60 days, making sure you’re following the guidelines regarding creating indecipherable permutations of numbers, letters and symbols so as to throw the “bad guys” off your password’s scent.

Now, here comes a paper written by Dr. Cormac Herley, principal research analyst at Microsoft Corporation, that calls into question how much all of this focus on password protection and cyber-security is really benefiting anyone.

Dr. Herley’s paper is titled So Long, and No Thanks for the Externalities: The Rational Rejection of Security Advice by Users. In it, the author contends that the collective time and effort involved in complying with all of the directives and admonitions regarding computer security adds up to far more than the cost of the harm actually caused by cyber-security breaches.

[For the record, he estimates if the time spent by American adults on these tasks averages a minute a day, it adds up to ~$16 billion worth of time every year.]

Here’s a quote from Herley’s paper:

“We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort. Looking at various examples of security advice, we find that the advice is complex and growing, but the benefit is largely speculative or moot.”

It would be one thing if this screed was written by some outré blogger operating on the fringes of the discipline. But it’s coming from a senior researcher at Microsoft.

To illustrate his point, Herley summarizes the whole area of password rules, which he contends places the entire burden of password management on the user. To wit:

  • Length of password
  • Password composition (e.g., letters, numbers, special characters)
  • Non-dictionary words (in any language, not just English)
  • Don’t write the password down
  • Don’t share the password with anyone
  • Change it often
  • Don’t re-use the same passwords across sites

How much value each of these guidelines possesses is a matter of debate. For instance, the first three factors listed above are not consequential, as most applications and web sites lock out access after three or four incorrect tries.

Changing passwords often – whether that’s quarterly, monthly or weekly – is never often enough, as any attack using a purloined password will likely happen within a few seconds, minutes or hours of its acquisition, rather than waiting days. On the other hand, for users to change their passwords regularly requires time and attention … and often leads to frustration and lost productivity as people hunt around for the “last, best” misplaced password they assigned to their account.

And as for those irritating certificate error warnings that pop up on the computer screen with regularity, Herley contends that most users do not understand their significance. And even if they did, what options do people have when confronted with one of these warnings, other than exiting the program?

As it turns out, there’s not much to fear, as virtually all certificate errors are “false positives.” With certificates, as with so many other issues of cyber-security, Herley maintains that the dangers are often not evidence-based. As for the computer users, “The effort we ask of them is real, while the harm we warn them of is theoretical,” he writes.

Herley’s main beef is that all of the energy surrounding cyber-security and what is asked of consumers is a cost borne by the entire population … but that the cost of security directives should actually be in proportion to the victimization rate, which he characterizes as minuscule.

An interesting prognosis … and a rather surprising one considering the source.