It’s a waste of time. Mark Pothier in the Boston Globe:
Now, a study [link] has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.
“Most security advice simply offers a poor cost-benefit trade-off to users,” wrote its author, Cormac Herley [link], a principal researcher for Microsoft Research.
Particularly dubious are the standard rules for creating and protecting website passwords, Herley found. For example, users are admonished to change passwords regularly, but redoing them is not an effective preventive step against online infiltration unless the cyber attacker (or evil colleague) who steals your sign-in sequence waits to employ it until after you’ve switched to a new one, Herley wrote. That’s about as likely as a crook lifting a house key and then waiting until the lock is changed before sticking it in the door.
I’m among those who have argued precisely that to our IT department. Even though the evidence is that it’s costing endless hours of lost productivity, the practice isn’t likely to be changed soon.
Obviously, you should use a strong password. An analysis of 32 million breached passwords suggests too many of us don’t. The most common password there was “123456.”
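As an added illustration that is not part of the original post or of the Globe article it quotes: the breach analysis the post mentions is exactly the kind of data a defender can turn into a policy check. The script below counts how often each password appears in a dump and then refuses any new password that shows up among the frequent ones, which is the check that catches "123456". The dump is a constructed stand-in with a handful of entries, and the function names, length threshold and frequency cutoff are my own assumptions, not anything from Herley's paper.

```python
# Added example, not code from the post or from Herley's study.
# Builds a blocklist from a (constructed) breached-password dump and checks
# candidate passwords against it; all names and thresholds are assumptions.
from collections import Counter

# Constructed stand-in for a breached-password dump, one password per line.
CONSTRUCTED_BREACH_DUMP = """123456
123456
123456
password
password
qwerty
123456
letmein
password
abc123
"""


def _count_passwords(dump: str) -> Counter:
    """Count each distinct password in the dump (blank lines ignored, case folded)."""
    return Counter(line.strip().lower() for line in dump.splitlines() if line.strip())


def most_common_passwords(dump: str, top_n: int = 3) -> list[tuple[str, int]]:
    """Return the top_n passwords with their counts; in the post's data this is "123456"."""
    return _count_passwords(dump).most_common(top_n)


def build_blocklist(dump: str, min_count: int = 2) -> set[str]:
    """Passwords seen at least min_count times in the dump.

    These are the guesses an attacker tries first, so a policy should refuse
    them outright instead of relying on periodic rotation to limit the damage.
    """
    return {pw for pw, n in _count_passwords(dump).items() if n >= min_count}


def check_password(candidate: str, blocklist: set[str], min_length: int = 12) -> tuple[bool, str]:
    """Accept a password only if it meets the length floor and is not on the blocklist.

    The comparison is case-insensitive because attacker wordlists usually are.
    Returns (accepted, reason).
    """
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if candidate.lower() in blocklist:
        return False, "appears in breached-password list"
    return True, "ok"


if __name__ == "__main__":
    print("most common:", most_common_passwords(CONSTRUCTED_BREACH_DUMP, 1))
    blocked = build_blocklist(CONSTRUCTED_BREACH_DUMP)
    for pw in ("123456", "Password", "correct horse battery staple"):
        print(pw, "->", check_password(pw, blocked, min_length=6))
```

In practice the dump would be a real list of previously breached passwords (or a hashed lookup against one) rather than the ten constructed lines here, and the length floor would follow whatever policy the organisation sets; the structure of the check stays the same.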
Via All Things Considered. Techmeme has discussion.
Continue the conversation @jwindish #TMVcomments, at my Public Notebook where comments are open, or email me at joe-AT-joewindish-DOT-com. I can’t reply to all emails, but I will occasionally publish follow-up posts featuring reader feedback, including feedback that disagrees with me.