Your efforts at raising security awareness could be making users feel that it’s pointless to try to protect themselves.

Maybe IT needs to tone down its security awareness efforts. New research by psychologists into password strength delivered the non-intuitive conclusion that users who are well briefed on the severity of security threats will not, as IT had hoped, create stronger passwords to better protect themselves. They actually tend to create much weaker passwords because the briefings make them feel helpless, as if any efforts to defend against these threats are pointless.

The research, from a Montclair State University study — detailed here in a story from The Atlantic — suggests that IT staffers need to make sure that they emphasize how powerful a defense passwords, PINs and secure phrases can be in defending against threats, at least until we are able to deploy better authenticators.

Prof. Stanislav Mamonov, who oversaw the study, said the results had been unexpected. “The reason, Mamonov thinks, has a lot to do with people’s perceptions of surveillance,” the Atlantic story said. “He guessed that study participants would have wanted to protect themselves against it. Instead, he says, the magnitude of the threat seems to have instilled a sense of helplessness that made them less likely to put an effort into securing themselves.”

This is just wacky enough to be true. It makes sense that, when users try to internalize things such as Yahoo’s half-billion users getting breached and a huge DDoS attack made via IoT devices, they might feel that no defense — at least nothing a user can do, such as choosing a password — is enough to defend against these attacks.

But that’s looking at it wrong. Yes, these huge attacks are, sadly, part of a normal IT day. Each user, though, only has to defend one person’s data.
A complicated password — or an even longer, but memorizable, password phrase — can help, especially if the user never, ever uses the same password/phrase for more than one service. Users who want to keep their own data safe might think of the use of truly strong passwords as something like that old shark defense: When swimming in shark-infested waters, use the buddy system — if a shark attacks, give him your buddy.

In other words, your password only has to be stronger than those of your colleagues. Attackers will spend only so much time on any one account. At a certain point, it’s no longer cost-effective, so they’ll move on to another. The secret is to make sure that the time it takes to crack your credentials is more than the thief can justify. This works as long as most of your colleagues use easy passwords.

Another analogy is the two friends who find themselves being pursued by a tiger. The first guy starts running fast. “What are you doing?” the other friend asks. “You can’t outrun a tiger.” The reply: “I don’t have to outrun the tiger. I merely have to outrun you.”

Your password doesn’t have to be beyond the capabilities of the cyberthief. It simply needs to be better than most of your colleagues’ passwords.
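The cost-effectiveness argument above can be put into numbers: how large a keyspace a password or passphrase gives an attacker to search, and whether the expected search time exceeds what the attacker is willing to spend on one account. The following is an added example, not code from the article or from the Montclair State study. It assumes a constructed guess rate of 10^10 guesses per second, a one-day per-account attacker budget, a 7776-word Diceware-style list, and that every character or word is chosen uniformly at random, which makes the figures an upper bound for real, human-chosen passwords.

```python
import math

# Assumed, constructed figure for illustration only (not from the article):
# a round placeholder for an offline attack against a fast, unsalted hash on
# commodity hardware. Real rates vary with the hash algorithm and the
# attacker's hardware budget.
GUESSES_PER_SECOND = 1e10

# Assumed attacker patience per account: one day of cracking before moving on.
ATTACKER_BUDGET_SECONDS = 24 * 60 * 60

# Size of a Diceware-style word list (7776 = 6**5); an assumption of this example.
WORDLIST_SIZE = 7776


def alphabet_size(password: str) -> int:
    """Smallest common character set that covers every character used."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII that is neither a letter nor a digit
    return size


def brute_force_bits(password: str) -> float:
    """Keyspace, in bits, if every character were chosen uniformly at random.

    This is an upper bound: human-chosen passwords fall to wordlists and
    mangling rules far sooner than exhaustive search would suggest.
    """
    return len(password) * math.log2(alphabet_size(password))


def passphrase_bits(word_count: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Keyspace, in bits, of a passphrase of words drawn uniformly from a list."""
    return word_count * math.log2(wordlist_size)


def expected_crack_seconds(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time to the correct guess: on average half the keyspace is tried."""
    return (2.0 ** bits) / 2.0 / rate


def survives_budget(bits: float, budget: float = ATTACKER_BUDGET_SECONDS,
                    rate: float = GUESSES_PER_SECOND) -> bool:
    """True if an attacker with this time budget is expected to give up first."""
    return expected_crack_seconds(bits, rate) > budget


def compare(candidates):
    """Return (label, bits, expected seconds, survives budget) for each (label, bits)."""
    return [(label, bits, expected_crack_seconds(bits), survives_budget(bits))
            for label, bits in candidates]


if __name__ == "__main__":
    # Constructed sample credentials; none of these are real.
    rows = compare([
        ("8 lowercase letters", brute_force_bits("qwertyuu")),
        ("9 mixed characters", brute_force_bits("Passw0rd!")),
        ("6-word passphrase", passphrase_bits(6)),
    ])
    for label, bits, secs, ok in rows:
        verdict = "outlasts budget" if ok else "cracked within budget"
        print(f"{label:<20} {bits:6.1f} bits  {secs / 86400:14.1f} days  {verdict}")
```

Two caveats belong with these numbers. First, the model counts exhaustive search; a pattern-aware strength estimator will rate a human-chosen string like the mixed-character sample far lower than its 59 bits, so the passphrase row is the more honest comparison. Second, none of this helps if the same credential is reused: a password leaked from one service is simply replayed against the next, with no cracking required, which is why the article's "never, ever" on reuse matters as much as length.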