Why bother changing your password?

Last month, DarkReading had an article about how end users tend not to choose strong passwords, and indeed have poor password habits, because they cannot draw a line of correlation between strong passwords and their personal security.

End users routinely reject security advice and recommendations for strong passwords and for heeding dangerous Website warnings -- and that behavior makes perfect sense from an economic and psychological perspective, security experts say.

Cormac Herley, a researcher in the Microsoft Research organization, says end users are understandably noncompliant because there just isn't explicit proof that creating a strong password, for example, makes them less likely to have their accounts hacked. "Security people are trained to look for the worst-case analysis, but users don't think that way," says Herley, who emphasizes his opinions are his own and not that of Microsoft. "For example, users are told not to reuse passwords across accounts because if an attacker gets one, [he] might be able to get into their other accounts. But we don't know how often that does happen."

Most security training and advice aren't compelling enough for users to accept them, he says. The approach is telling them to reduce the risk, but "it's an unknown risk," Herley says. "That doesn't seem to be compelling to people."

In another article that I read this past weekend but can now no longer find, some use the argument that the e-security industry lacks the consistent or simple message of the health industry, or the automobile industry.  If you smoke, you will get cancer.  If you don’t use your seat belt, you are more likely to die in a car accident.  In security, the message is convoluted: if you don’t have a secure password, then in the not-all-that-likely event that your account is attacked, it will take an attacker longer to break into it.  But oh yes, there are lots of other things that you have to do as well.

In other words, end users don’t see a direct benefit of implementing all of the security recommendations that experts urge them to do.  People also hear a lot about threats and it seems like no matter what they do, there is still a good chance that they will get hacked or have their accounts stolen anyhow.  Given that they lack proof that strong passwords work, it’s no wonder that people ignore our security advice.

So what can we do about it?  Make things simpler?  Sacrifice truth for clarity?  It’s difficult to say because the attack vectors are wide. 

If end users are then provided hard numbers on the harmful effects of not recognizing phishing URL cues or using and reusing weak passwords, Herley wants to determine whether this would change their behavior. "Does it change things if we give them better reasons [to follow security guidelines]?" he asks. That would mean giving them information on how a strong password reduces their risk by this specific amount, for example, he says.

Schneier says it all depends on incentive: If there's no specific consequence to a user for breaking a security policy, then he isn't likely to change his ways. "Their bonus is not based on security, but whether they get their job done. You get the behaviors you [reward]," he says.

Indeed.

That last line is something I have been preaching internally for a while when it comes to outbound spam.  A few months ago I shifted my perspective on how we deal with it.  We filter all of our outbound mail and take action on spam.  We then open a support ticket to disable the user’s account.  If the spam is currently not being marked as spam by our filters, then we mark it as a higher priority ticket than if it is being marked as spam.  The idea is that we have to react quickly to spam that we know we are not automatically catching.  The difference is in support response time, since nobody can be on call to react to this stuff at all times, at least until we have auto-disablement built in.

I shifted my stance some time ago.  Now, I am of the opinion that no matter what our filters say, if someone has mail marked as spam, it should be a high priority action to disable the user’s account.  Unless that specific end user encounters a consequence for breaking our security policy, there is no motivation to change their behavior.  Changing that behavior is key to stopping outbound spam, whether it is by running up-to-date A/V software, ensuring that software patches are up-to-date, or not leaking one’s username and password to phishers.
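The two triage policies described above (the old "higher priority only if our filters missed it" rule and the new "any spam means a high-priority disable" stance) as an added example; this is not the author's own code, and the event fields, account names and sample events are constructed assumptions, not taken from any real mail system.

```python
"""Triage of outbound-spam events into support tickets (added example).

Each event is assumed to carry the sending account, whether our own
outbound filter flagged the message, and whether it was surfaced some
other way (for instance an abuse complaint). These fields are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample events: (account, filter_flagged, reported_externally)
EVENTS = [
    ("alice", True, False),   # caught by our own filter
    ("bob", False, True),     # missed by the filter, surfaced by a report
    ("bob", False, True),
    ("carol", False, False),  # clean mail, no action needed
    ("alice", True, True),
]


@dataclass(frozen=True)
class Ticket:
    account: str
    priority: str   # "high" or "normal"
    action: str     # always "disable": the consequence the user sees
    evidence: int   # number of spam events behind the ticket


def is_spam(filter_flagged: bool, reported: bool) -> bool:
    """A message counts as spam if either signal fires."""
    return filter_flagged or reported


def triage(events, policy="new"):
    """Old policy: high priority only for spam our filter did not catch.
    New policy: any spam from an account is a high-priority disable."""
    per_account = defaultdict(lambda: {"caught": 0, "missed": 0})
    for account, flagged, reported in events:
        if not is_spam(flagged, reported):
            continue
        per_account[account]["caught" if flagged else "missed"] += 1

    tickets = []
    for account, counts in sorted(per_account.items()):
        if policy == "old":
            priority = "high" if counts["missed"] else "normal"
        else:
            priority = "high"
        total = counts["caught"] + counts["missed"]
        tickets.append(Ticket(account, priority, "disable", total))
    return tickets
```

Under the old policy alice's ticket sits at normal priority because the filter caught her mail; under the new policy every spamming account gets the same high-priority disable regardless of what the filter said.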