Tuesday, May 19, 2009

Passwords and Externalities

This story on NPR about the proliferation of passwords and software products to help you keep track of them, along with a recent threatening e-mail from the computer folks at OSU promising to cut off my access to e-mail if I do not change my password within 7 days, got me thinking about the ridiculousness of passwords.

I am deliberately lazy with my passwords: I choose simple, easy to remember and closely related passwords - precisely what the IT folks hate.  Well, come on, just what is the probability that: one, someone will take the time to try and hack my e-mail; two, that if they do they will get anything at all of any use for anything; and three, that they will then try and figure out other accounts I have to do something that is profitable to them and harmful to me?  Practically zero.  What is the cost to me of trying to keep track of all these complicated passwords? Very high.  In fact what you end up doing is writing them down (big no-no to the IT types) or using one of these programs that keep them for you under a single password.  So the whole endeavor is wasted anyway.

No, I am convinced that the only reason I have to do this is because it is convenient for the IT folks to make me jump through hoops.  Why?  Well, just one whiny OSU professor (of the hundreds they serve) that has had his e-mail hacked into is a huge headache for them, and the probability of one in hundreds having problems is much higher than my individual probability.  On the other hand, they don't have to pay any of the cost of making all of us change our passwords all the time.  So in their desire to avoid some extra work, they quite gladly impose an external cost on all of us.

Which of course calls for us to create rules that limit password ridiculousness.  Why don't these happen? Probably because the IT folks have us over a barrel.  We have no idea what they do and why, and could not possibly do it ourselves, so we are afraid of annoying them.  Imagine the pain and suffering they could cause.

So change our dang passwords we do - curse you IT devils!
Gray said...

I'm reminded of when I was a public school teacher, and the district instituted a policy that teachers had to (1) have sufficiently good passwords with letters and numbers, and (2) change them every 90 days. Well, I had a base that I would then change one number on each time, but most responded by putting a note somewhere with the password.

So instead of having to crack a password, all someone (a student, say) had to do to get access to many teachers' grading records was pull out a drawer and copy down a password. Much safer!

There are rules that definitely help: making sure people don't use dictionary words, mandating a mix of numbers and letters, maybe making people change them every so often. But I don't believe that making people change passwords every 90 days really helps at all. In fact, it may make things worse.

Dann Cutter said...

Trust me when I say that the time taken in assisting users resetting forgotten (and helping change) passwords far exceeds the time taken fixing the common number of users' hacked accounts. There is a real cost associated with both sides of the security issue - we choose in fact the higher cost, as when the inevitable happens, we can show best practices instead of abject neglect in hopes of mitigating liability (i.e. the Harvard/Yale enrollment debacle a few years back).

There is an incentive to hack machines; without going into detail, it creates a free tool to increase market exposure for XYZ. What is XYZ? Generally some scam which would be blocked by other means. Pretending to be a colleague is very beneficial. Given the time and effort it takes to hack, this is fairly profitable.

Users are commonly lazy on passwords. A little forethought, and your password will be easy to remember, and likely far too complex to ever be hacked. However, that being said, little forethought is ever given. I spend more time than my supervisor cares to know fixing passwords for folks who have substantial value in confidential student or research data that they have spent less than five minutes protecting. Need for security is the oft overlooked eventuality of connectivity. In one building I work in, I need a badge and an FBI background check to walk through the door... but I pick up their wifi network in the parking lot.

That being said, recently the university instituted a password change I argued against - well, against how it was implemented. The change was LONG overdue from an IT standpoint, but the University tends to create these unfunded mandates to the departments, expects the departments to staff the issue, and then cut funding. I recently spent over 20 hours on a security issue, and then walked into my review with no sleep to hear my supervisor talk about how (given the cuts in previous 'good' years to funding for training and travel) the only thing left to cut next year were my and my assistant's staffing levels though we already make <80% of market. (If anyone ever wonders why I will leave the glory of high tech admin for that of a low-paid civil DA with tons of law school debt - it looks preferable!)

So... change your passwords everyone, and be glad it is so easy. Some admins make them be 15 characters and unable to be repeated in part at all. Use rhythms, use tricks, use whatever is needed. I use the site to guide me... i.e. google sounds like ogle, which then leads me to what men ogle... appending to the end how many of them there usually are. And crap, now I need to go change my password. :-)

Patrick Emerson said...

I was counting on you to chime in and speak up for all the beleaguered IT folks in the world. You did not disappoint. Your point is well taken. Network security is only as good as the weakest link, so make sure to get the weak links to bolster security. What I tend to focus on is my personal data, not the network.

By the way, I love my IT helpers! Did you all hear that? You are the best!

Stacy said...

> By the way, I love my IT helpers! Did
> you all hear that? You are the best!

Really? You have a funny way of showing it.

> No, I am convinced that the only reason
> I have to do this is because it is
> convenient for the IT folks to make me
> jump through hoops.

Do you really think that's how we spend our day, coming up with ways to make you waste your precious time? Let me tell you about what happens to OUR precious time when a password is compromised, specifically an email account password.

- The compromised account is used to send spam, usually the pill-hawking penis enhancement kind. If we're really unlucky it's the disgusting porn spam kind.

- Because the spam originates from our mail relays, other ISP and email services block OSU's email.

- Then, someone from Network Engineering has to spend THEIR precious time contacting every single ISP that has blocked us and request that our mail relays be removed from their mailing list.

> On the other hand, they don't have to
> pay any of the cost of making all of
> us change our passwords all the time.

And changing your password once a year takes what, 60 seconds of your time?

Perhaps you should spend a moment to contact the email system administrator to inquire WHY this change is being implemented. I'm sure his response will be enlightening -- the goal is to consolidate logins across campus. Which, amazingly, will save your oh-so-precious time in the long run.

Patrick, I've been a long time reader and have enjoyed your blog immensely. Unfortunately, this is a case where you're talking about something you know very little about.

Patrick Emerson said...
My attempt at ironic humor clearly fell flat. My apologies, I did not mean to offend - I just tried to engage in some good natured joshing.

Yes, I am blissfully uneducated of what I speak. My attempt was to show how individual incentives can be quite different from group incentives thanks to externalities. I decided to only show my perspective because I had a feeling I could prod Dann into responding (which he did). But the truth is that the externalities work both ways: my compromised e-mail account is a minor drag for me but a huge headache for the network administrators and all the folks who receive the penis enhancement e-mails. Which is precisely why it is so hard to get us nincompoops to use real passwords! The marginal cost is high but the private marginal benefit is low.

I promise I shall never complain of password fatigue again! Really! I swear!

Did I mention how much I love the people who work tirelessly to make my internets work so well? It's true!

Anyway, I am sorry I touched a nerve and thank you for putting me in my place. Please don't turn off my e-mail...

FallPurple said...

Stacy said so much, so clearly, and so succinctly, that there is little I can add. And yes, Prof. Emerson, I did detect the irony in your tone. What I can say is that most of the security practices IT departments impose on their customers (users) are imposed on IT departments by auditors and governance committees. I have seen one IT manager (not me) fired for failing an audit.

Governance and audit standards come from a variety of sources (SOx, CoBIT, HIPAA, ITIL), and impose a number of behaviors on IT departments. While many of these behaviors are positive and worthwhile, all IT practitioners know that a number of these behaviors and practices are performed simply to fulfill an audit requirement while providing no discernible benefit to the organization. Does anybody really believe the BofA Sitekey image (anti-spoofing technique) really prevents spoofing of their site? (Ever heard of man-in-the-middle attacks?) BofA has bigger security holes to plug, but they got that one item off their checklist.