
Users Rejecting Security Advice Considered Rational

kdawson posted more than 4 years ago | from the no-thanks-for-the-externalities dept.

Education 389

WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).

389 comments

Wasted time (5, Insightful)

Ethanol-fueled (1125189) | more than 4 years ago | (#31501726)

Average Joe User is cheap and lazy, that's a given. TFA:

Users understand, there is no assurance that heeding advice will protect them from attacks.

What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.; if not bothering or paying somebody else to do it. I'd been toying around with Linux and Unix for years for business and personal use, but I finally switched for good when I realized that I was wasting more time with Windows than I would with a *NIX O.S.

Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer.

Would Linux be more safe if it had greater than or equal to the market share of Windows? Is any home O.S. really safe as long as the user keeps clicking "yes" or "ok"? That's a whole other debate. The fact is that Linux, now, is much less of a hassle than Windows.

Re:Wasted time (2, Funny)

PakProtector (115173) | more than 4 years ago | (#31501762)

eaten CPU cycles,

Sorry, what's that? Can you speak a little louder? I can't hear you over the sound of all the wasted cycles my Phenom II X4 965 Black Edition is generating. It's a lot.

Re:Wasted time (2, Funny)

Ethanol-fueled (1125189) | more than 4 years ago | (#31501796)

Yeah, but...can it run Norton 360 4.0 without dropping any frames?

Re:Wasted time (1)

rennerik (1256370) | more than 4 years ago | (#31501818)

Yeah, but...can it run Norton 360 4.0 without dropping any frames?

No

Windows Joke (3, Funny)

Anonymous Coward | more than 4 years ago | (#31501804)

Why do Employees like Microsoft Windows?
Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.

Why do Managers like Windows?
Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away escaped from the island.

Re:Windows Joke (5, Funny)

Anonymous Coward | more than 4 years ago | (#31502564)

Why do Employees like Microsoft Windows? Employees like Microsoft Windows because they can have an excuse to be by the water cooler while the Technician re-installs their OS for them.

Why do Managers like Windows? Windows allowed them to have the latest and greatest in computer hardware, largest hard drive, most memory, fastest CPU, and other new hardware. With all this no Employee could remote login to their system and slow down the Screen Saver. Because the Manager wanted to find out if the Cast-away escaped from the island.

1992 called. It doesn't want these jokes back, and says you can keep them.

Re:Wasted time (1)

Goldberg's Pants (139800) | more than 4 years ago | (#31501810)

Torrenting has nothing to do with it that's for damn sure unless you start downloading random EXE files and running them, and not doing that is just common sense. I think you need to draw a distinction between intelligent torrent users and fuckwits.

It's about intelligence. I don't run any anti-malware software beyond a small program that tells me when something is added to startup, services etc... (Even the hidden stuff we're not supposed to know about.) And that's it. In the last seven years I've had one incidence of something getting through and it was relatively painless to fix.

I used Linux for years and would routinely have to fight with the graphics driver, stuff would randomly stop working... Also I'm a gamer, WINE just doesn't cut it, and the fact is Linux just doesn't do what I need a lot of the time so I stopped using it.

Re:Wasted time (4, Insightful)

IamTheRealMike (537420) | more than 4 years ago | (#31501844)

If you're torrenting pirated apps, isn't that exactly "downloading random EXE files and running them"? It's not like the people producing the cracked versions are liable if there are problems. You don't even know who they are. And with an 80% miss rate on commercial AV products, there's really no guarantee that these things are clean. BTW, your Windows anti-malware solution sucks; a lot of bots/droppers these days are protected with something like Hacker Defender, which isn't going to trigger any startup monitoring tool.

Re:Wasted time (1)

Yvan256 (722131) | more than 4 years ago | (#31501924)

You're assuming that torrents equals software. There's a lot of media available via torrents, such as Relics of the Chozo [ocremix.org] .

Re:Wasted time (1)

ls671 (1122017) | more than 4 years ago | (#31502138)

Some media files can pop up a browser window to an infected site that will install malware on your computer, especially if you use older software versions.

There were even GIF and JPEG exploits made public in the past; it probably occurred with other media files as well...

http://isc.sans.org/diary.html?storyid=2997 [sans.org]

http://news.netcraft.com/archives/2004/09/17/exploit_for_microsoft_jpeg_flaw_is_published.html [netcraft.com]

Re:Wasted time (1)

Maxo-Texas (864189) | more than 4 years ago | (#31501926)

If you are the first person-- sure.

But after 15 or 20 people post "it's clean as far as I can tell" then no.

Likewise, if the first person posts "this ate my machine" or "my virus scanner detects "BLAH" in this" then it's not safe.

I've only used RAR type programs personally. Everything else I use is free (as in beer) except Dragon Dictate which is reasonably priced for what it does so I buy it periodically. Someday there will be a free text recognition program (that WORKS at least as well with Openoffice) and I'll be done with DD.

Re:Wasted time (1)

Ethanol-fueled (1125189) | more than 4 years ago | (#31502008)

But after 15 or 20 people post "it's clean as far as I can tell" then no. Likewise, if the first person posts "this ate my machine" or "my virus scanner detects "BLAH" in this" then it's not safe.

What if the posters are just shills who want people to download their malware? What if the alarmists are RIAA shills who want to discourage people from downloading? What if the alarmists are naive or if their software throws false positives? I frequently see a lot of back-and-forth arguments in the comments sections of TPB torrents. The fact is that you have only your gut to trust, as even your malware scanner may miss it.

Re:Wasted time (1)

Maxo-Texas (864189) | more than 4 years ago | (#31502198)

I see your point on a public site.

It doesn't apply on a closed community invitation only site.

Re:Wasted time (2, Funny)

Shadow of Eternity (795165) | more than 4 years ago | (#31502020)

Find a torrent that DOESN'T have about a 50/50 to 60/40 split of "VIRUS!!111" and "AWESOME!!11" posts.

Re:Wasted time (4, Insightful)

IamTheRealMike (537420) | more than 4 years ago | (#31502052)

OK so this is how it works. There are websites out there like these [krebsonsecurity.com] which allow you to quickly check your newly infected EXE against all the main AV products out there. Signature based AV is basically obsolete because there are lots of programs out there that will happily scramble your EXE for you, in the scene these are known simply as "crypters" and you will find many people in the PPI world advertising their crypter as being FUD (fully undetectable). Good article on this here [secureworks.com] . Of course with enough downloads eventually somebody savvy will catch on, unless your work is really good, and then your binary and uploading IP address are usually banned. At which point they do exactly what you'd expect - spin a new binary, get a new IP address and do it all over again.

If you're relying on only 15-20 other downloaders to certify something as "clean" and you regularly download warez you probably already have a rootkit on your system and have no idea it's even there.

Re:Wasted time (1)

Maxo-Texas (864189) | more than 4 years ago | (#31502272)

I recognize the risks you are talking about. You can never eliminate it (heck- even commercial software and hardware is caught installing virii). The same applies to open source, firefox plugins, etc.

The only reliable risk mitigation is waiting a few months, then checking it again.

I've had one virus ever. That was on my Amiga.

"Something wonderful is happening"
"Your Amiga has come alive!"

Friends told me "bullshit", "no way" for at least a few weeks until someone else saw the screen and it became common knowledge it was out there.

My main way of security outside of the cool-down and rescan is the machine's firewall and looking at the lights on the modems and router.

I use Avast and AVG virus scanners.

They've detected a grand total of 3 viruses in the last 5 years. I simply deleted the items.

Re:Wasted time (1)

maxume (22995) | more than 4 years ago | (#31502062)

Do you mean WinRar? 7-Zip pretty much matches it for features.

Re:Wasted time (1)

Maxo-Texas (864189) | more than 4 years ago | (#31502300)

Seems like 7-Zip didn't support RAR decoding at the time.
Does it do so natively now?

It's a matter of reputation (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31502114)

Among crackers, reputation is very important.

These people spend their time and effort and money to crack the protection on an application/game/movie and get it out to the world. They don't do it for profit. They do it to become known as the person/group that did it first or best. They frequently sign their work, and will go to great lengths to maintain their reputation.

A bad release, or one with a virus/trojan, will quickly gather notice on torrent forums. It would be a one-way ticket to expulsion from any release group. It can take years to become accepted into a major release group; it's not something taken lightly.

Re:Wasted time (2, Interesting)

The MAZZTer (911996) | more than 4 years ago | (#31502172)

Except that when a torrent is bad usually a person will not reseed it. Though it is possible to "fake" seeds generally I've found a high number of seeds from a tracker you trust is a good sign.

Uhhhh what do I torrent? Linux DVD ISOs, duh!

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502514)

So I shouldn't download an entire OS via torrents?

Guess I'll ditch Linux then.

Re:Wasted time (0)

twidarkling (1537077) | more than 4 years ago | (#31501896)

What doesn't make sense are the people who bitch and moan about what a hassle Linux is to set up and get figured out, while they waste hours and hours of their time and money cleaning out their Windows installs, setting up anti-malware programs that waste even more time in the form of annoying pop-up reminders and eaten CPU cycles, and even reinstalling their O.S.;

I'd make a smarmy "Can you speak louder joke" like Pak there, but all I've got is deafening silence. Ya see, there's no way to make my soundcard work in *nix, from what I, and my friend who damn well *lives* in *nix can find. And we spent hours. I eventually had to use the shitty on-board sound.

As for wasting hours and hours, and money, I use MSE, took about 5 minutes to download and install, and Spy-bot, which also took about 5 minutes to download and install. MSE updates itself, and Spy-bot probably could, though I'm comfortable with just manually downloading the updates, which takes about 35 seconds. Scans run overnight.

So, I suppose, over my entire life, it might qualify as hours, plural. In fact, I wasted MORE time trying to get my sound card to work than I have with anti-virus/mal-ware programs.

Oh, and I ran without *any* protection for over a year, including doing torrents, and a monthly scan didn't pick up *anything.* Ever. So there's that for your "Windows can be used safely and quickly without protection, but only by savvy users who don't do any "real-world" stuff like torrent or allow the occasional ignorant user to use their computer."

Re:Wasted time (3, Interesting)

Gordonjcp (186804) | more than 4 years ago | (#31502016)

Ya see, there's no way to make my soundcard work in *nix, from what I, and my friend who damn well *lives* in *nix can find.

You don't say what kind of card it is, I notice...

There's no way to make my sound card work in Windows. Well, I could download a couple of gigabytes of Windows updates and a driver, and then download a couple of gigabytes of software updates, and eventually I'd have two of the ten channels working. Or, I could just use Linux, where my Delta 1010LT is supported perfectly.

Re:Wasted time (4, Interesting)

Sancho (17056) | more than 4 years ago | (#31502112)

Personally, I buy things with the intent of running Linux on them. That means I have to take more care in researching before purchase, but in the end, it makes so many things so much easier.

I never have to hunt down drivers. 99% of my software comes from one place, and the updates are handled automatically. Frankly, when you buy the right hardware, everything just works far better than Windows.

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502318)

Amen to this. The ease of using linux on good hardware is unbeatable.

I'm a linux veteran with good kernel developer connections so I know I could probably get even crappy hardware to work eventually... I've just become lazy growing older (and don't want to reward HW manufacturers that do not support linux) so I just buy known good hardware.

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502390)

Unless you use Debian and DebianLegal decides after a long debate that it's not DFSG and promptly removes the driver. :(

Re:Wasted time (1)

twidarkling (1537077) | more than 4 years ago | (#31502210)

Soundblaster. It's not like it's some obscure no-name brand. The thing's plug-and-play in Windows. There was even an official driver package from Creative Labs. That didn't work. All the ASLA guides on the 'net couldn't make it work. We even tried the alternate open source driver package, and that worked even less.

And exaggerating doesn't help your position. There aren't "gigabytes" of updates out for Windows 7. Maybe after SP1 hits, you might be right. And "gigabytes" of software updates? What the fuck? Again, bullshit. I can't believe someone modded you interesting when you're obviously full of shit. Troooooooooolllllllllll.

Re:Wasted time (1)

phantomcircuit (938963) | more than 4 years ago | (#31502384)

Windows XP took up about 2 GB total install. Now after SP3 it's about 13GB. So roughly 11GB in updates total.

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502400)

"There aren't "gigabytes" of updates out for Windows 7."

He never said Windows 7.

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502426)

All the ASLA guides on the 'net couldn't make it work.

You see, the real problem is that you've been reading guides for the wrong sound architecture all this time...

Re:Wasted time (1)

istartedi (132515) | more than 4 years ago | (#31502368)

You almost certainly googled around for information on your sound card before purchasing it. That's the real solution, regardless of OS.

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502490)

SoundBlaster is a name brand though; it isn't like he picked up some obscure variant of the Crystal Labs audio codec that does silly shit with the PCI bridge in order to do its thing. (Believe it or not, there ARE AC'97-flavored PCI devices. Bizarre, stupid, and horrible, but they do exist.)

What the parent might consider doing is enabling the sblast driver. Most Creative Labs cards offer legacy emulation, so at least he would get to hear SOMETHING, even if 99% of the other features of the audio card (multiple channels, special environmental mixing, etc.) would be unavailable.

Some functionality is better than no functionality.

Re:Wasted time (0)

Anonymous Coward | more than 4 years ago | (#31502448)

Is it really that difficult to get your sound card working in Windows? Gigabytes of updates? And what version of Windows are you actually trying this on? You don't say what version of Windows it is, I notice...

If you are using a version of Windows that was actually released in the past 3-4 years, then only having 2 channels working is most likely the fault of your sound card manufacturer.

Re:Wasted time (1)

musicalmicah (1532521) | more than 4 years ago | (#31502550)

Or, I could just use Linux, where my Delta 1010LT is supported perfectly

Hey! I have that card too! Can you do low-latency multi-track recording with it in Linux? If so, what software do you use? Audacity?

Re:Wasted time (1)

D Ninja (825055) | more than 4 years ago | (#31502462)

The fact is that Linux, now, is much less of a hassle than Windows.

I don't know when the last time you used a recent version of Windows was, but this mantra is pretty old and worn out. (And, yes, I run Linux as well, which I do enjoy using.) Windows has been continually improving and is actually enjoyable to use (I particularly am a fan of Windows 7). Is it a problem when individuals click "Yes" to everything? Absolutely! Is it a problem that IE is full of security holes? Yes! But, with the right browser (AKA, not IE), half the issues are solved with Windows and it is very easy to set up and just use. Some distros of Linux are getting to or are at that point (Ubuntu does a great job), but Windows cannot be blown off as the "n00b OS."

Additionally, as you pointed out in your own post, "Is any home OS really safe..." - the answer is obviously "No." The weakest link is the users. And, whether it is in Linux or Windows, users continue to be the weakest security link.

Re:Wasted time (1)

mhajicek (1582795) | more than 4 years ago | (#31502468)

The evil you know...

Yeah (1, Insightful)

Capt.DrumkenBum (1173011) | more than 4 years ago | (#31501752)

I have a simpler conclusion... Most users are idiots!

Re:Yeah (5, Insightful)

MichaelSmith (789609) | more than 4 years ago | (#31501800)

I have a simpler conclusion... Most users are idiots!

Even simpler: most people are idiots.

Re:Yeah (2, Funny)

sakdoctor (1087155) | more than 4 years ago | (#31501948)

I conclude that most idiots are people.

Re:Yeah (1)

gestalt_n_pepper (991155) | more than 4 years ago | (#31502068)

That's stretching it. Are senators "people?" What about representatives? Or Wall Street bankers? Or economists?

Re:Yeah (1)

dan828 (753380) | more than 4 years ago | (#31502504)

Senators people? Frankly, I don't think Nancy Pelosi is even from this galaxy.

Re:Yeah (2, Insightful)

Anonymous Coward | more than 4 years ago | (#31501998)

Even simpler: most people are idiots.

Yeah, that's a *simple* conclusion, that is.

You know, every single person I have ever heard say "most people are idiots" has never been all that high a wattage bulb themselves. Maybe they were book smart in one or two areas, but get outside their intellectual comfort zone, and forget it. This seems especially true of computer geeks.

Re:Yeah (0)

Anonymous Coward | more than 4 years ago | (#31502354)

But you're one of the few exceptions. That "one in a million", right?

Re:Yeah (1)

Locke2005 (849178) | more than 4 years ago | (#31502418)

It's worse than that... half the people out there are of below average intelligence! (For the pedantic, yes, they are actually of below mean intelligence, but that doesn't have the same ring to it.)

"Most People" (1)

drumcat (1659893) | more than 4 years ago | (#31502480)

Hey, technogeek, "most people" are the people you're supposed to work with. You guys get all bent when Apple is 'draconian', and yet you come to conclusions about average users. It's not that at all. It doesn't matter what OS you're talking about. When is the last time you tried to update your security? OK, go have someone at least 60 years old do it for you, and all you can do is talk without seeing the screen. See how long THAT takes. The more difficult security is to deal with, the less often it is used, and that's not just computers. That's EVERYTHING security. I would make the case that it is more important to get the security updating as seamless and silent as possible.

Re:Yeah (1)

Monkeedude1212 (1560403) | more than 4 years ago | (#31501918)

Let me get this straight. It's either

A) users will only do the minimum required.
B) users consider security measures to be a pain.
C) user education is not working.
or D) based entirely on the economics of the process

And NONE of those overlap?

I think this argument is moot; everyone seems to be shouting the same thing.

Interesting (5, Insightful)

Anonymous Coward | more than 4 years ago | (#31501822)

I agree with this assessment. I work at an IT company that supports many different companies and users of different sizes. We are a small operation (10 techs).

Most security recommendations are rejected due to the cost of implementation when dealing with corporate customers. Smaller businesses and individual users will reject them due to the lack of perceived risk.

A simple example is when a salon did not want to spend the 30 minutes in labor to secure their wireless network because guests use it. We said no problem and offered to set up a guest network and secure their internal wireless network. No problems with their Cisco SA. They still did not want to do it. Their reasoning was not the $50 one-time cost but, "who would want to go to the trouble of accessing our data? we have nothing sensitive"

They realized their customer databases were password protected within that application, understood they had nothing on their workstations or shares to hide, and basically said fuck it when we were offering a low cost, non-invasive, transparent to their customers solution.

That's just one example. Lots of these "dumb endusers" fully understand the security and the solution and the cost, but feel they are not a valuable enough target to worry about it.

Re:Interesting (3, Insightful)

jemtallon (1125407) | more than 4 years ago | (#31502080)

The article suggests it's time for a radical shift in how we make security recommendations, based on cost-benefit analysis rather than just reporting each possible attack and recommending to fix it. The argument is that when you flood users with too many recommendations, they begin to reject any security recommendations that cost them too much time, hassle, or resources. The more warnings you throw at them, the more accustomed they become to rejecting them, and eventually they get a mentality where they deny all recommendations and wait for an attack to happen, then learn their lesson for that one attack only.

In this case, the cost was $50 up front but the indirect cost would be needing to learn how to add new devices to the secured wireless, store yet another password somewhere, possibly change the password as problems occurred: all of which would likely lead to having network outages and having your team come back to fix it when it breaks. The benefit in their mind was that someone in the parking lot couldn't check their facebook. So instead they leave it open and run a small risk of viruses from people sharing the connection, an even smaller risk of their Internet connection being used for illegal activity, and an even smaller risk of being attacked for their data. It isn't that they're dumb, it's that the security industry hasn't given them enough return for their investment. Most business users I've ever known are used to making snap judgements on worth/value. They know they don't have to be perfect, just slightly better than their competition and they're always asking themselves if the company next door went to "all this trouble." They're just applying that same logic to the security industry. If we made it less costly, they'd buy in because it'd be an easy way to get ahead of their competitors. For a little while.

Re:Interesting (1)

betterunixthanunix (980855) | more than 4 years ago | (#31502118)

"Lots of these "dumb endusers" fully understand the security and the solution and the cost,"

Not my experience, not by a long shot. Most people do not care enough about security to learn about it. For example, advising users to actually read warnings about SSL -- after 5 words, they are bored and go back to ignoring SSL warnings (and in some cases, falling victim to MITM attacks). We are not talking about costly solutions here, just basic, unintrusive guidelines that people are ignoring.

Re:Interesting (5, Insightful)

AuMatar (183847) | more than 4 years ago | (#31502324)

And 99% of the time they're right to ignore it. It's quite simple: unless a site is getting my financial info, what do they have to lose? Nothing, unless they're stupid enough to use the same password as their email. And that's a rule you can get many of them to follow.

I'm a computer programmer, and except when I'm coding I've stopped giving a shit. I use the same default password everywhere except email and finance places, because I don't care. Oh no, you can now edit my slashdot and video game forum accounts. How can I live? I don't download files from untrusted sources, so I don't bother with antivirus. I don't bother with updates because they break stuff more often than I see any benefit to it. If I actually started dealing with all that shit it would take serious effort. It's just not worth it.

You can get 99% of the benefits with 5% of the effort- don't use the same password on your email as anything else, don't use the same password on finance stuff and anything else, don't download anything you aren't 100% about, don't trust any links in email. That's all you need to do.

Re:Interesting (2, Insightful)

slimjim8094 (941042) | more than 4 years ago | (#31502170)

But in that instance they're just being dumb. All it takes is one malicious kid who likes credit card numbers, waiting for a haircut, firing up nmap and pulling down the customer DB, or firing up Metasploit.

They feel they're not a valuable enough target, but are they right? Maybe - it's hard to say for sure. But what's the cost of being wrong? For a smallish salon, almost definitely enough to put them entirely out of business.

And the cost being $50? They're simply being stupid. None of this bullshit "analyzing the economic realities and making the logical choice", just stupid.

Fact of the matter is, all this stuff only needs to happen once, especially for a small business. No security can prevent a super-hacker-paratrooper team from taking everything, but it can improve a once-in-5-years odds from some kid to a once-in-1000-years odds.

Some security *is* ridiculous. But most of it isn't. You provide a great anecdote but I suspect it's fairly common.

Security people are a bit like doctors. It's not really up to the patient to tell the doctor how to do their job, in most cases. Witness the whole autism-vaccine BS. In both professions, the customer can override the professional advice, but it's not a good idea.

Carrying the analogy a bit further: Reasonable security is a bit like a prostate exam. It's easy and straightforward, a little unpleasant, and entirely unnecessary until it saves your life. Is it rational to forgo a prostate exam because "why would I need a prostate exam? I don't have cancer"?

Re:Interesting (-1, Flamebait)

BobMcD (601576) | more than 4 years ago | (#31502498)

They feel they're not a valuable enough target, but are they right? Maybe - it's hard to say for sure. But what's the cost of being wrong? For a smallish salon, almost definitely enough to put them entirely out of business.

How the heck do you figure that? My bank, MY GODDAMN BANK, got hacked and lost thousands of MasterCard numbers to the web. They issued new cards and sent a letter reminding everyone how they weren't liable for debit transactions made on stolen numbers.

This falls under the advice of TFA, you need to back up your claims with real data.

Security people are a bit like doctors. It's not really up to the patient to tell the doctor how to do their job, in most cases.

Amen. Security people are like doctors - charging way too much for things people can mostly do for themselves. "That's a virus, go home and wait it out: $125, please." And it is absolutely the patient's job to manage their own care and control their own costs.

Your opinion is EXACTLY what's wrong with healthcare today.

Witness the whole autism-vaccine BS.

My six year old son is autistic. You have no idea what you're saying. You have no idea what causes autism and have no idea how desperate a parent is for answers, solutions, or even a little respite care. I'd rather my son get measles than continue to have autism, and you are absolutely not qualified to opine on his quality of life with zero education or information on this matter. If you want to know more, you can ask for it, but the level of ignorance you're displaying is repugnant, you insensitive clod.

In both professions, the customer can override the professional advice, but it's not a good idea.

Carrying the analogy a bit further: Reasonable security is a bit like a prostate exam. It's easy and straightforward, a little unpleasant, and entirely unnecessary until it saves your life. Is it rational to forgo a prostate exam because "why would I need a prostate exam? I don't have cancer"?

That's a good example. Please look up the recent study as to how breast cancer exams are costing billions of unnecessary dollars annually. It was determined that the costs for all the exams outweigh the costs of treating the disease in nearly all cases. Look it up.

Re:Interesting (1)

mikael_j (106439) | more than 4 years ago | (#31502180)

I think you're wrong; most of them don't fully understand the issues, they just think "me not big rich company with lots of sooper secrit datas, me no waste money on intarwebs man" (yeah, I'm an ass) even though they may very well have good reason to avoid getting themselves hijacked by some random bot or kid (Just because you don't have millions in the bank doesn't mean you're not interesting to a criminal or that it won't hurt for you if all your money disappears, or how about "oh, and what's this $200k loan? I don't remember taking out another OH SHIT!"?)

It's the same kind of reasoning that people use when they choose not to wear a seatbelt when driving, but while most drivers don't know the odds of getting in a crash, most computer users don't even know what the risks are (it would be like a driver being only vaguely aware of "bad things" possibly happening if he doesn't drive safely and doesn't wear a seatbelt). I've seen way too many machines that had bots known for stealing banking info on them where the owner of the machine just handwaved away my concerns with some "oh well, nothing bad has happened so far and it's not like anyone would bother stealing from me..." spiel. My response in those cases is to point out that as a friend I will help them fix their problem now, but if they decline I will hang up if they call me in the future with any kind of computer problem.

Re:Interesting (1)

thegrassyknowl (762218) | more than 4 years ago | (#31502346)

"who would want to go to the trouble of accessing our data? we have nothing sensitive"

Every computer has something sensitive on it or passing through it. The user probably accesses his Internet banking accounts from it, or his webmail. What really pissed me off when trying to convince users to do things more securely was that even after telling them that the bad guy doesn't care who they are because in many cases the bad guy is just a computer program that goes looking for low hanging fruit, they still used that same argument.

There is no helping some people. Security warnings are a pain for these people. They don't even read SSL certificate errors on their banking sites. They just keep clicking let me in let me in and submit their login details.

I've argued until I was blue in the face with people (with a title) more senior than me who simply refused to take 20 minutes per server they deployed to do basic tasks like ensure nothing was exposed to the Internet that didn't need to be and installing basic intrusion detection and having the logs sent to a remote secure log server. These same "senior IT experts" used the same argument as the poor clueless user. I've actually watched one of these 'experts' expose database ports to the greater Internet with no protection and not even change the default admin password that the distro set. Then the moron spends days wondering why his database was constantly being emptied out. When I pointed to the logs which clearly showed all the delete commands coming from an IP address with no place accessing our database he had the gall to tell me I was a liar and that nobody would want to do that to us because we were too small to care about.

If the so-called senior experts are spouting this argument to the users then how will the user ever learn?

The problem in the industry: there's a lot of people with little or no clue who installed Windows once or twice and are now out there providing "IT support and services". It's the blind leading the blind. The user doesn't want to go to the effort of being secure because it takes time and requires thinking. When some dickhead comes in and tells them that they aren't an important target and needn't worry, the user takes the easy path out. User education would work better if the message was clear and consistent.

As you can tell I hate these fly by night morons who think they are experts. I've worked with my fair share in the past and nothing shits me more than having to go in and clean up their mess; because it's usually something that was easily prevented and I shouldn't have to be wasting my time on.

I've also completely ignored the social aspect of the user which is that they assume that most everyone else is good and there are very few people out to get them. That's a hard one to get around, but usually explaining that one bad person with a computer can easily attack hundreds of people soon sorts that out. A bit of good old fashioned paranoia is useful in computer security.

It's a fundamental human value calculation: (4, Insightful)

idontgno (624372) | more than 4 years ago | (#31501834)

prevention is more expensive than repair/recovery/treatment

How? Any prevention effort requires some kind of cost, very often a continual and on-going cost.

Whereas the cost of recovery is only necessary once the negative effect occurs. And since it only happens to other people, that means that the cost of not preventing is 0. Clear win.

Which explains a lot of epidemiology (low vaccination rates, high-risk behaviors spreading unstoppable diseases, etc.); economics (victims of fraud, high-risk investors, etc.); software development practices ("Release NOW" rather than quality).

Unless you can prove that the bad thing WILL happen without prevention, people will skate on luck and denial and write off the risk against the guaranteed cost of preventative measures.

Or, as others in this thread have put it, people are idiots.

Bad summary (1)

guspasho (941623) | more than 4 years ago | (#31501836)

Of course it's economics. That's what every cost/benefit analysis is. Economics is just another word for the other "researcher's ideas", not any kind of challenge or refutation of them.

Are there no remarkable findings in the linked article worth reporting? Sure sounds like it to me.

This is not a "new" interpretation (5, Insightful)

frinkster (149158) | more than 4 years ago | (#31501838)

I can still remember the Computer Security professor telling the class on the very first day that computer security is a matter of economics. How much does it cost to implement? How much do you stand to lose if your security is broken and your "stuff" stolen? At some point, you reach a point of diminishing returns and it is wasteful to spend more on security.

And in this context, time, effort, and inconvenience all have a significant cost that must be counted.

The average idiot computer user is not always as dumb as you think they are.

Re:This is not a "new" interpretation (-1, Flamebait)

$RANDOMLUSER (804576) | more than 4 years ago | (#31501954)

Yes. Yes they are.

Re:This is not a "new" interpretation (0, Troll)

luckyXIII (698285) | more than 4 years ago | (#31502026)

Not always. Sometimes they're dumber than you think they are.

Re:This is not a "new" interpretation (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31502034)

They're dumber.

Re:This is not a "new" interpretation (4, Insightful)

fuzzyfuzzyfungus (1223518) | more than 4 years ago | (#31502134)

There are complications, though. Humans are, by the standards of mostly bipedal hunter/gatherer savannah dwelling apes, actually pretty decent at playing "rational actor"; but that isn't the same as being one. Even simple things like the fact that "90% chance of success" can elicit a different emotional response than "10% chance of failure" come down to limited rationality, and the picture isn't all that much prettier elsewhere.

One big one, particularly for home users, is inaccurate discounting of costs that are either in the future, uncertain, or both. An $80 external HDD can substantially reduce your risk of losing files to disk failure. A shockingly small number of people, even people with actual money, who have data that are valuable or at least sentimental. The risks just aren't in their face; but the price tag is, so they don't do it.

The other thing, again most likely an artefact of inherited historical limitations to human cognition, is the difficulty that people have understanding the implications of automation for their likelihood of being attacked. To the degree that joe user has a threat model at all, it tends to be the classic man-is-a-social-animal naive theory that a person is attacking, or might be attacking him. He then shrugs, and says "I couldn't possibly be worth the effort." and does nothing. If cracking PCs was something done one-by-one, with manual labor, furiously typing to guess the passwords and break through the code walls just like in the movies, he'd be completely correct. However, since the vast majority of online attacks are largely automated, the naive threat model is bunk (for physical attacks, the naive model is probably mostly correct. Planting trojans on unattended laptops in public is almost as risky, and far less lucrative, than simply stealing them. Jealous spouses, asshole roommates, fucked-up middle school social dynamics and the like, though, provide ample motive for the sorts of attacks performed with physical access on home machines).

Re:This is not a "new" interpretation (1)

CorporateSuit (1319461) | more than 4 years ago | (#31502568)

Humans are, by the standards of mostly bipedal hunter/gatherer savannah dwelling apes

I think you should speak for yourself!

Re:This is not a "new" interpretation (0)

Anonymous Coward | more than 4 years ago | (#31502478)

At some point, you reach a point of diminishing returns and it is wasteful to spend more on security

And by "spend more", you mean install fewer screensavers. 99% of the time, security is something that you go to extra trouble to take away from a system, it's not something you spend money to add.

Users just don't care, because it doesn't cost them (4, Insightful)

maillemaker (924053) | more than 4 years ago | (#31501874)

As I said before, most users don't care because there are usually no consequences to ignoring security directives.

Most users figure that security is the corporation's problem. They just figure that whatever they do will be protected "by the firewall" and they go on with life. It's not their problem if things go wrong.

No Economic Incentive? (5, Insightful)

jjoelc (1589361) | more than 4 years ago | (#31501894)

How about this one... At least in businesses...

Users in a business generally have very little if any incentive to follow any security policy that does not happen automatically, without any intervention on their part.

It is not their data, not their computer, and generally not their problem. If something goes wrong... they might have to move to another desk for a little while, while "the computer guy" "fixes" everything for them. They might even get a slap on the wrist for not following policy... But generally, the "users" have no reason to interrupt their busy day with any security policy that interrupts their busy schedule (of facebook and slashdot browsing). When malware hits, it is inevitably not their fault, but rather the fault of those same "computer guys" who have to go in and fix it.

Ain't reality a bitch?

Some security measures don't seem practical. (5, Interesting)

Richard Steiner (1585) | more than 4 years ago | (#31501900)

I have to remember something like 70 passwords as a multiplatform software developer, and some of those hosts have passwords which expire every 30 days, can't repeat for at least a dozen iterations, and must contain at least one numeric, at least one upper-case and one lower-case alpha, and at least one non-alphanumeric symbol.

I understand the reasoning, and if it was only a handful of boxes .. or rarely used boxes ... I would understand, but I'm logging into 25 or 30 of these machines or applications on a daily basis.

I can use a password manager like Keepass, and it's okay, but I can see how some folks would resort to other means, try to use password patterns, etc.

Re:Some security measures don't seem practical. (1)

Locke2005 (849178) | more than 4 years ago | (#31502428)

Just do what I do... write all the passwords down on a post-it note, and stick it on your monitor! ;-)

the real reason (1, Funny)

Anonymous Coward | more than 4 years ago | (#31501906)

People reject security advice because everybody knows at least one poor sucker that is tech-savvy and can fix their FUBAR system. That person may do it grudgingly, may b*tch the entire time, but they'll still do it. Not only that, they'll do it for free. Sound familiar?

Re:the real reason (1)

jemtallon (1125407) | more than 4 years ago | (#31502162)

Agreed. We should all collectively agree to start claiming we need to be naked while repairing computers to avoid static build-up. That's why it really should go to a shop: they have special rooms for that.

This exists in every facet of life (1)

Meshach (578918) | more than 4 years ago | (#31501914)

The recent story from Canada about the group of snow mobile riders who triggered an avalanche that killed a few of them [theglobeandmail.com] . The risk was obvious. Environment Canada had issued an avalanche risk warning. But the guys went out anyways.

Some people will always not do the right thing. No matter how obvious it may be.

Some security advice is not rational (4, Insightful)

Chemisor (97276) | more than 4 years ago | (#31501934)

People giving security advice often have no idea what the threat model is. For example, the typical home user's computer has no chance of being physically attacked. Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers. Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.

Seriously, there is only one kind of threat the home user faces, and that's software attacks, none of which are aimed specifically at him, and all of which are acquired either through his web browser or through infected executables given to him by his friends. If he runs NoScript, disables javascript in email, and gets executables only from reputable sources, there is simply no way he can get infected. If he's on Linux, he's safer than he's ever going to be already.

Re:Some security advice is not rational (3, Informative)

molo (94384) | more than 4 years ago | (#31502046)

Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers.

Right. Good thing there's no such thing as a software keylogger [google.com] .

-molo

Re:Some security advice is not rational (4, Insightful)

IamTheRealMike (537420) | more than 4 years ago | (#31502084)

Onscreen keyboards are good for avoiding generic keylogging viruses. Keylogging and looking for passwords isn't too hard (especially if you can look for email address + tab + word with no spaces in + enter) but defeating an onscreen keyboard means either writing a program to search specifically for that implementation or recording/compressing/uploading/watching full videos of all screen activity which is way too heavy.

Of course two-factor transaction signing is even better ....

Re:Some security advice is not rational (0)

Anonymous Coward | more than 4 years ago | (#31502126)

For "extra security", my bank required the use of one of these pop-up on-screen keyboards, but it only ran on Internet Explorer, which seemed a much greater security threat.

Re:Some security advice is not rational (1)

Sancho (17056) | more than 4 years ago | (#31502288)

For example, the typical home user's computer has no chance of being physically attacked.

Those on-screen keyboards were there to thwart software key loggers. And then they were defeated by malware taking screenshots every second (or more frequently) to get the password that way.

Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.

That's not entirely true, either. Never have houseguests? I do frequently, and I may not want them snooping around on my computer (this is the digital equivalent of a guest rooting through your medicine cabinet.) What if the computer is stolen? Maybe you'll be glad that you encrypted the disk, then.

It's all about trade-offs. If the security is highly transparent (how long does it take to log in?) then why not do it?

Trust=f(time) Some security advice is not rational (0)

Anonymous Coward | more than 4 years ago | (#31502356)

Likewise, there's no real security reason to password protect your account on your home computer that nobody but you uses, and no security reason to not use autologin.

Almost, not quite. I maintain a 'guest' profile when I have company so they can use the computer without messing up my profile. I like my configuration the way it is. As well, auto-login really only makes sense on a single user computer. For any system that is truly multi-user, you want to hit the user selection screen at startup, otherwise you have to wait for logging out/task switching before you can login. (my wife and I both bounce between computers)

Lastly, even in Linux having an actual password is important as it's what prevents apps from self installing. Yes there's the negative of getting people used to typing in their password with every damn update, but that's better than allowing things to completely self install.

This of course, gets back into the economics of the whole thing. What is the real likelihood of someone penetrating the Ubuntu repositories and turning the world's Ubuntu installs into a botnet with a kernel update?

How about this, instead of worrying about automatically getting the latest and greatest updates right away but still needing to enter your password: only grab updates that are older than 'X', but they'll auto-install? There could very well be more value in having the downstream computers ignore any updates that are less than a week or two old. This gives the repository monitors time to discover anything fishy. For a computer to download the update, it would have to look and see the update on the server (ie: download it but not install), get the md5/sha hash and compare it with the server. Wait a week and do it again. If that specific update hasn't changed, go ahead with the install from what is already downloaded. If the user is really sure they want the update, they can password prove for it and force the install, but this provides a relatively trustworthy mechanism of verifying and automating updates without harassing the user.

One could expand this to have updates get rated with feedback from the users. Most installs will go fine, but occasionally something gets borked. Users could optionally feedback on updates, so those updating afterwards can set a 'success rate' value to not install updates that have more than 'X' problems reported. This part can be gamed, unless you build trust into the feedback mechanism. Each install auto-generates a gpg certificate. Each 'complaint' gets rated by how many successful (signed) update reports have been submitted by the same key in the past.

Ultimately any security infrastructure depends on trust, and trust is a function of time and abuse.
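The quarantine-then-verify update policy sketched in the comment above, as an added worked example (not the poster's code and not any distribution's actual update mechanism). It assumes a repository publishes (name, version, payload) and that the client keeps a local ledger of the hash and first-seen time of each candidate; names, constants and sample payloads are constructed for illustration.

```python
"""Delayed auto-install: an update is installed without a password prompt only
if the artefact the client downloaded has stayed unchanged on the server for a
full quarantine period.  Added illustration of the scheme in the comment above;
all names, the one-week constant and the sample payloads are assumptions."""
import hashlib
from dataclasses import dataclass, field

QUARANTINE_SECONDS = 7 * 24 * 3600  # the poster's "older than X": one week


@dataclass
class Candidate:
    version: str
    digest: str      # sha256 hex of the payload as downloaded when first seen
    first_seen: int  # unix time at which this exact artefact was first fetched
    payload: bytes   # kept locally so the install uses exactly what was verified


@dataclass
class Ledger:
    seen: dict = field(default_factory=dict)  # package name -> Candidate


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def observe(ledger: Ledger, name: str, version: str, payload: bytes, now: int) -> Candidate:
    """Record a published update.  If the (version, hash) pair is the one already
    on file, keep the original first_seen; anything different restarts the clock."""
    digest = sha256_hex(payload)
    cur = ledger.seen.get(name)
    if cur is not None and cur.version == version and cur.digest == digest:
        return cur
    ledger.seen[name] = Candidate(version, digest, now, payload)
    return ledger.seen[name]


def decide(ledger: Ledger, name: str, server_version: str, server_digest: str,
           now: int, force: bool = False) -> tuple:
    """Compare the server's current (version, hash) with the quarantined copy.
    Returns (action, reason) with action in {'install', 'wait', 'refetch'}.
    'refetch' means download again and restart the quarantine from now."""
    cand = ledger.seen.get(name)
    if cand is None:
        return ("refetch", "never seen; download it and start the quarantine")
    if cand.version != server_version:
        return ("refetch", "server now offers a different version")
    if cand.digest != server_digest:
        # Same version string but a different artefact: exactly the case the
        # delay is meant to catch, so never install the stale copy silently.
        return ("refetch", "same version, different hash: artefact replaced")
    if force:
        return ("install", "user authenticated and forced the install")
    age = now - cand.first_seen
    if age < QUARANTINE_SECONDS:
        return ("wait", f"{QUARANTINE_SECONDS - age}s of quarantine remain")
    return ("install", "unchanged for the full quarantine period")


def demo() -> list:
    """Walk one package through the policy with constructed timestamps/payloads."""
    day = 86400
    t0 = 1_000_000  # constructed epoch time
    ledger = Ledger()
    v1 = b"constructed kernel payload 1.0"
    log = []
    observe(ledger, "kernel", "1.0", v1, t0)
    log.append(decide(ledger, "kernel", "1.0", sha256_hex(v1), t0 + 1 * day)[0])   # wait
    log.append(decide(ledger, "kernel", "1.0", sha256_hex(v1), t0 + 8 * day)[0])   # install
    swapped = b"constructed replaced payload under same version"
    log.append(decide(ledger, "kernel", "1.0", sha256_hex(swapped), t0 + 3 * day)[0])  # refetch
    observe(ledger, "kernel", "1.0", swapped, t0 + 3 * day)  # clock restarts at day 3
    log.append(decide(ledger, "kernel", "1.0", sha256_hex(swapped), t0 + 8 * day)[0])  # wait
    return log


if __name__ == "__main__":
    for action in demo():
        print(action)
```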

Microsoft Researcher using TeX. (4, Interesting)

Jason Earl (1894) | more than 4 years ago | (#31501950)

They aren't kidding when they say that Microsoft Research is autonomous. I would have assumed that Microsoft would at least make its researchers use MS Word.

Re:Microsoft Researcher using TeX. (1, Insightful)

Anonymous Coward | more than 4 years ago | (#31502054)

Most people would use MS Word even if they had the choice to use TeX.

Re:Microsoft Researcher using TeX. (0)

Anonymous Coward | more than 4 years ago | (#31502310)

Lots of MS research staff are hired from academia; those eggheads love them some TeX (in my experience).

Simple (final) solution: (0)

Anonymous Coward | more than 4 years ago | (#31501976)

A simple solution: some enterprising grey-hats just need to put together a sufficiently malicious exploit. Maybe users would pay attention to security if they had to worry that the "M3ga K3wl Cod3c Pakzor" they just downloaded was going to email all their contacts, Facebook friends and LinkedIn contacts a link to nimp.org whilst deleting all their files and emptying their bank accounts.

By the same token, the dick pill spam could be stopped overnight by a small group collecting "orders" and mailing out poison. After a dozen or so deaths, one would presume that *most* people would be concerned about buying drugs from spam.

In both cases, anyone who *still* ignores common sense deserves what they get - thin the herd a little, ya know?

Re:Simple (final) solution: (1)

Quiet_Desperation (858215) | more than 4 years ago | (#31502048)

By the same token, the dick pill spam could be stopped overnight by a small group collecting "orders" and mailing out poison. After a dozen or so deaths, one would presume that *most* people would be concerned about buying drugs from spam.

Welcome to Slashdot where the solution to lax user security is random terrorism and murder! Aren't they great, folks? Goodnight everyone! Drive safely!

Re:Simple (final) solution: (0)

Anonymous Coward | more than 4 years ago | (#31502116)

Did you read the post you're quoting? Terrorism and murder are the solution to SPAM!

Although, a good LARTing certainly provides a compelling reason for lusers to put up with the negative externalities mentioned in the paper. :)

Simple answer (-1, Troll)

Anonymous Coward | more than 4 years ago | (#31501994)

"Experts" in so many fields have lied to normal people so often nobody believes anybody who calls themselves an expert anymore.

Look at the global warming scientists who lied to us, look at the large hardon collider scientists who lied to us, look at the autism doctors who lied to us. Is it any wonder why nobody believes "experts" anymore? Doesn't take an expert to tell you why!

good advice versus bad advice; costs to others (5, Interesting)

bcrowell (177657) | more than 4 years ago | (#31502030)

The paper is not entirely unreasonable. However, there are at least some holes in it.

It lumps good and bad security advice together. The economic benefit of following bad security advice (e.g., buying antivirus software) is zero or negative, so of course anybody would be rational to ignore such advice. That doesn't mean it should be lumped together with *good* security advice. They're hypothesizing that people are acting like the idealized economic free agents beloved of economists: people with perfect information, acting rationally. Under this hypothesis, people would have perfect information about which security advice is good and which is bad.

The article doesn't talk about costs to others. People who get their computers owned by a botnet aren't only suffering economic harm themselves, they're inflicting harm on other people. On p. 5 Herley talks about how Wells Fargo limits customers' liability to $50 if they're victims of fraud. That doesn't mean *nobody* pays the cost of the fraud. We all pay those costs, indirectly.

Another problem is that in many cases Herley relies on back-of-the-envelope estimates of the damage caused by security failures. E.g., on p. 2 he estimates the economic costs of a particular exploit. But these estimates aren't based on any actual data. That particular calculation is also kind of stupid, because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?) protecting against a particular exploit. What his analysis ignores is that there may be hundreds of such exploits out there, and that anything you do that protects against one exploit (e.g., not using a dictionary word as your password) will also help to protect you against all the others. And forgive me if I'm a little skeptical of low-ball estimates originating from MS of the economic damage of computer security failures. That's like trusting GM to estimate the economic effects of global warming.

Security and Shared Risk (0)

Anonymous Coward | more than 4 years ago | (#31502252)

That $50 liability per customer represents a shared-risk pool, i.e. insurance. In the US, we also have the FDIC insurance. As a bank customer, I welcome that insurance over putting money in a mattress.

Re:good advice versus bad advice; costs to others (0)

Anonymous Coward | more than 4 years ago | (#31502466)

"because he says that a user shouldn't spend more than "0.98 seconds" (doesn't he understand significant figures?)"

Ah hah, clearly you don't understand that 2 significant figures are obviously more accurate than 1!

Writing this took me approximately 10.7741 seconds.

Simple Risk Matrix (1)

stewbacca (1033764) | more than 4 years ago | (#31502066)

What is the probability my password will be hacked (low/medium/high)?

What is the impact if my password is hacked (none/moderate/severe)?

If I have a low probability of being compromised, and the outcome is moderate, then that is a low risk. If I have a high chance of being compromised and the impact is severe, that is a high risk.

The problem with these sorts of articles is not determining why people don't care about security, it's failing to take into account that a "low" risk rating on this matrix isn't worth the costs associated with protecting a system set up to prevent the "high" risk scenario I described.

The Boss speaks (0)

Anonymous Coward | more than 4 years ago | (#31502086)

We know you work on the basis of economics Tom, so, because of this breach you've caused we'll be docking your pay for the next, ahhhh, 376,042 pay cycles. Thanks, you may go.

Want security? Buy a Mac (1, Troll)

WillAffleckUW (858324) | more than 4 years ago | (#31502100)

Want security? Buy a Mac.

Want s/w that breaks? Buy Windows.

Want to roll your own and get every ounce of power out - use a Linux distro.

At one point I was the acting security officer for Pacific Region. If people can subvert security they will.

Not much has changed in the security sphere for a long time, and difficult security just begs to be subverted.

Re:Want security? Buy a Mac (1)

arndawg (1468629) | more than 4 years ago | (#31502376)

Want security? Use linux or bsd.

Want s/w that breaks? Fiddle with linux or bsd.

Want to roll your own and get every ounce of power out - use a Linux distro or a bsd.

Fixed. Mac for security? Really?

Re:Want security? Buy a Mac (2, Funny)

WillAffleckUW (858324) | more than 4 years ago | (#31502458)

A Mac is basically BSD.

I stand by my original post.

Re:Want security? Buy a Mac (1)

arndawg (1468629) | more than 4 years ago | (#31502528)

Sure. Windows is bsd as well, since it uses the same network stack. Does Mac have PaX yet? Mac is SAFE. Not secure. There is a difference.

And it's often NOT worth it. (1)

gestalt_n_pepper (991155) | more than 4 years ago | (#31502110)

Am I going to spend a lot of time on a 7 year old's game PC protecting it from being added to the botnet army of darkness on its latest evil crusade for human souls? Frankly, why the hell would I care?

Re:And it's often NOT worth it. (1)

Narcocide (102829) | more than 4 years ago | (#31502186)

Because once it has spread to one node on your home network the rest of your weak-ass windows boxes and all your credit card info soon will belong to said botnet army.

Re:And it's often NOT worth it. (0)

Anonymous Coward | more than 4 years ago | (#31502330)

How about YOUR 7 year old's on YOUR home network?

Re:And it's often NOT worth it. (1)

PitaBred (632671) | more than 4 years ago | (#31502406)

Because his compromised computer's bandwidth usage and infection compromises the security of the rest of the computers on the network as well as affecting their quality of service?

6. Change often (4, Interesting)

hrimhari (1241292) | more than 4 years ago | (#31502196)

TFA:

Rule 6 will help only if the attacker waits weeks before exploiting the password. So this amplifies the burden for little gain. Only if it is changed between the time of the compromise and the time of the attempted exploit does Rule 6 help.

IANASE, but last time I checked this rule was meant to make it difficult for attackers to have time to brute-force guess the password and profit from it. It had nothing to do with the attacker discovering the password then waiting quietly until nobody's looking to profit from it.

In theory, if you change your password often enough before the brute force is complete, the attacker would have to start all over again.

That said, it's an extremely difficult rule to enforce/comply with, unless you have a wonderful "I forgot my password" system.

It's obvious (4, Insightful)

vakuona (788200) | more than 4 years ago | (#31502202)

It's obvious that most computer security practices are the equivalent of cracking the metaphorical nut with a sledgehammer. My personal pet hate is the password aging practice. It specifically does one of two things. It discourages people from choosing strong passwords because strong passwords are more difficult to create and remember than weak ones. The second is that users may resort to writing passwords down because some expert decided they needed to change their password every 30 days. And often you get that password change prompt right when you are about to go on a long holiday, which guarantees that you will not be able to remember it.

One reason for this is that organisations have to show that they are serious about security, and practices like password aging are easy 'objective' metrics to demonstrate, even if they do not provide a measurable improvement in security.

7. Don't re-use passwords across sites (1)

hrimhari (1241292) | more than 4 years ago | (#31502254)

TFA:

This would appear to include only the cases where the user is phished (rather than keylogged) or a rogue employee steals the credentials from A. This appears a minor reduction of risk for a 3.9x magnification of password management effort.

Unless the user in question uses facebook. [slashdot.org] Or rather is a rival of the site he's using.

XP Updates (1)

drumcat (1659893) | more than 4 years ago | (#31502512)

What is rational about all the hurdles you have to jump through now?