Maybe IT needs to tone down its security awareness efforts. New research by psychologists into password strength delivered the non-intuitive conclusion that users who are well briefed on the severity of security threats will not, as IT had hoped, create stronger passwords to better protect themselves.
They actually tend to create much weaker passwords because the briefings make them feel helpless, as if any efforts to defend against these threats are pointless.
The research, from a Montclair State University study — detailed here in a story from The Atlantic — suggests that IT staffers need to make sure that they emphasize how powerful a defense passwords, PINs and secure phrases can be in defending against threats, at least until we are able to deploy better authenticators.
Prof. Stanislav Mamonov, who oversaw the study, said the results had been unexpected. “The reason, Mamonov thinks, has a lot to do with people’s perceptions of surveillance,” the Atlantic story said. “He guessed that study participants would have wanted to protect themselves against it. Instead, he says, the magnitude of the threat seems to have instilled a sense of helplessness that made them less likely to put an effort into securing themselves.”
This is just wacky enough to be true. It makes sense that, when users try to internalize things such as Yahoo’s half-billion users getting breached and a huge DDoS attack made via IoT devices, they might feel that no defense — at least nothing a user can do, such as choosing a password — is enough to defend against these attacks.
But that’s looking at it wrong. Yes, these huge attacks are, sadly, part of a normal IT day. Each user, though, only has to defend one person’s data. A complicated password — or an even longer, but memorizable, password phrase — can help, especially if the user never, ever uses the same password/phrase for more than one service.
Users who want to keep their own data safe might think of the use of truly strong passwords as something like that old shark defense: When swimming in shark-invested waters, use the buddy system — if a shark attacks, give him your buddy.
In other words, your password only has to be stronger than those of your colleagues. Attackers will spend only so much time on any one account. At a certain point, it’s no longer cost-effective, so they’ll move on to another. The secret is to make sure that the time it takes to crack your credentials is more than the thief can justify. This works as long as most of your colleagues use easy passwords.
Another analogy is the two friends who find themselves being pursued by a tiger. The first guy starts running fast. “What are you doing?” the first friend asks. “You can’t outrun a tiger.” The reply: “I don’t have to outrun the tiger. I merely have to outrun you.”
Your password doesn’t have to be beyond the capabilities of the cyberthief. It simply needs to be better than most of your colleagues’ passwords.
This story, "Your users have porous passwords? Blame yourself, IT." was originally published by Computerworld.