One of the standard pieces of security advice, periodically changing your passwords on different sites, does not hold up from the user's point of view.
Cormac Herley, one of the leading researchers at Microsoft Research, has published a paper that calculates the ratio of labor costs to benefits for changing passwords. It turns out that this procedure, in the end, is not beneficial for the user, and the same goes for several other security procedures, writes the NY Times.
In fact, many ordinary users feel this on an intuitive level: if they have no valuable information, why waste time and energy on defending it? Now Microsoft has confirmed it officially.
Security experts have long called for educating users and raising their security literacy. Herley argues that this approach is fundamentally wrong.
"Most security advice simply offers the user a disadvantageous cost-benefit ratio," writes Cormac Herley. According to him, the security measures on many websites are particularly stupid, for example when sites require the password to be changed periodically. It is hard to imagine an attacker who knows the password waiting around until it is changed. That is, in the case of password theft, changing it is practically useless, because if a break-in was possible, it has already occurred.
Herley believes that some other security measures are also disadvantageous to the user, including reading the browser's warnings about an expired site certificate, when most of these warnings do not correspond to any threat.
According to the leading Microsoft researcher, ordinary people are forced to take too many steps to protect their own computers. He says that when security measures are not followed, security specialists are used to talking about user illiteracy, but they usually do not take the cost of users' time into account; in their view, user time is free. In fact, it is simply not worthwhile for people to comply with most of these complex procedures.
Herley makes this calculation: if you take the cost of labor close to the minimum wage, then one minute per day spent by 200 million American users costs society about $16 billion a year. That is the price security experts demand for compliance with their procedures, and it is too much.
For example, the annual losses of banks from phishing are about $60 million. If you force bank customers to spend even a few minutes protecting themselves against phishing, the cost of protection will exceed the potential damage tenfold. Part of these costs is borne by the banks themselves, which are forced to introduce new services and provide technical support to users for the new procedures. As a result, the cost of protection is many times greater than the damage.
Herley's study was presented at a computer security conference at Oxford University last fall (PDF), but wide discussion of this theory among experts began only about a month ago, after an article in TechRepublic.