Are passwords a waste of time?

Bob Bragdon takes on the notion that strong passwords and most other security controls make employees less productive

I apologize up front for jumping into this debate, but I couldn't resist. Not a week goes by, or so it seems, without some newspaper, magazine or TV show (apologies to my media brethren) lambasting security and IT professionals because they force unnecessary security controls on the poor, downtrodden consumer or worker. It's as if your security requirements are designed to make everyone's life miserable with little or no benefit. You evil CSOs! My heart bleeds for the poor peasants whom you oppress.

Last month, for example, the Boston Globe examined a Microsoft Research study that concluded, according to the article, that "many of these irritating security measures are a waste of time." I can certainly relate to that. I'm annoyed every time I need to enter my 15-character complex password, which I must do several times a day in the office and even more often when I'm traveling. I'm annoyed every 90 days when I have to come up with a new complex password that can't be the same as one I've used any time in the past 20 years. But I also recognize that simple passwords--pet's names, children's names, and so on--are easily broken. And I realize that there are other sides to this argument.

Also see Ira Winkler on security awareness training

When we discuss whether security measures are worthwhile or not, we need to consider the point of view from which we examine the issue. Often it's the user's point of view, so the focus is on all the time they spend entering long passwords or navigating security controls, which results in millions of hours of lost productivity. I buy that.

What I don't buy is that most workers would be significantly more productive if freed from these controls. End users, whether bank customers or your own employees, are by far the weakest link in the security chain. Let's not kid ourselves: Security controls are more about protecting the business than the individuals themselves.

I can already hear the outcry that would arise if a company opted to use simple passwords and ultimately had a data breach (safe bet). The lawyers, as they filed their class-action lawsuits, would be asking why complex passwords weren't required. The media (with all due deference) would paint a picture of an uncaring corporate behemoth. Shame on the CEO. Please, give me a break.

This argument isn't about the cost-benefit trade-off of time versus security. It isn't about the end user's productivity or inconvenience. It's about protecting the business's reputation and reducing risk.

I give Cormac Herley, the Microsoft researcher who conducted this study, a lot of credit for really looking at the issue. It's these deep dives that get us all talking about what we do to protect our secrets. I just hate when the real message gets lost in the headline in the local paper. By the way, the headline for the Globe article was "Please do not change your password. You were right: It's a waste of your time. A study says much computer security advice is not worth following."

Enough said?

Join the CSO newsletter!

Error: Please check your email address.

Tags securitypasswordsauthentication

More about Microsoft

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Bob Bragdon

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts