Tuesday, April 13, 2010

Security Cluelessness

I mentioned this quickly on Twitter, but it keeps sticking in my head so I had to give it a longer treatment. I don't know why it stuck in my head like this. Maybe because it's one of the most wrongheaded technology articles I've seen since the last time I read Lance Ulanoff. Maybe because the writer works for the Thomson Reuters corporation, and you know how those people are.

This article by Felix Salmon talks about many of the security measures we all find so annoying when dealing with our online accounts, and refers to them collectively as "security theater" as if they did no more good than making airline passengers remove their shoes and get rid of their bottled water. The specific things he mentions as being security theater are:

  1. Having to change his password regularly
  2. Having to delete old emails
  3. Account security on his bank's website
  4. Not being able to read his password as he's typing it in

Let's take these one at a time...

1. Having to change his password regularly - This is the closest Mr. Salmon comes to making a point. But first he misleads his readers about why companies use forced password changes - he claims that making people change their passwords is useless because a hacker won't wait to exploit a stolen password, but this is not designed to thwart hackers. The reasoning behind making people change their passwords regularly is that people tend to tell other people their passwords, or else use the same password everywhere they need one, and if you make them change it you can mitigate these factors - after a month or 90 days or whatever, that person and/or other company will no longer have your user's current password. The downside is that it disincentivizes people from using strong passwords - why take the time to memorize a complicated password when you can only use it for two months anyway? Some companies make people change their passwords often, and also place restrictions that force people to use strong passwords. This combination seems to me to be begging people to write their passwords on a Post-it note and stick it to their monitor. Personally I don't make people change their passwords unless there's a particular need. I think it's better to make people use a strong password and let them keep it for a while. But that's a decision I made based on my company and my specific circumstances.

2. Having to delete old emails - Reuters gives employees extremely limited email storage space, forcing the employees to delete old messages to stay under the storage quota. Salmon again misconstrues what this is designed to accomplish - he goes on and on about how cheap disks are these days, forgetting that (1) highly-available redundantly-stored server storage space costs a bit more than a Caviar Blue from Newegg, (2) electricity to power that highly-available redundantly-stored server storage 24/7 costs a pretty penny, (3) a building to house that highly-available redundantly-stored server storage costs a bit as well, (4) paying IT people to set up, maintain, and repair that highly-available redundantly-stored server storage costs money, but most importantly (5) email (non-)retention policies like that have almost nothing to do with the cost of storing old emails, and almost everything to do with potential liability, i.e., how much incriminating evidence do you have on-hand once the subpoenas start arriving. Just think how much better off Microsoft would have been if they'd been able to tell the DOJ "Sorry, it's our long-standing policy to delete any email more than a month old, you're free to anything from the last 30 days though." Even the Bush White House learned that lesson.

3. Account security on his bank's website - He had trouble filling out the security question on his bank's website, misread a prompt or two, ended up having to call their customer support line to get himself straightened out, and sees this as a reason why bank website security is a waste. He says that the cost of paying the support people to get him straightened out is more than the money saved by the security. First of all, exactly what is his alternative to security on a bank website? Here's a list of names, click yours and you're in? I don't get that. Second of all, the cost of paying people to help customers figure out how to enter both a password and the name of the street they grew up on is not an automatic cost of security, it's a cost of having customers who can't figure out how to answer two different prompts correctly. Does it cost banks a lot of money to have support people standing by to help people who can't figure out the web interface? Sure. Does it cost more than it did twenty years ago when there was no web interface and every single customer needed a support person just to do everyday banking? No, of course not. Thanks to online banking, banks these days need fewer tellers, fewer physical locations, and only enough phone support people to get customers onto the website, rather than enough to help every customer do all of their banking. And again, what's the alternative to having security measures on bank websites? I'd honestly love to hear that.

4. Not being able to read his password as he's typing it in - As anyone who has ever typed a password knows, when you type it in you can't read along, the characters are masked. This is done so that if someone is watching over your shoulder, they can't read your password. Mr. Salmon makes no actual argument against this practice other than calling it "idiotic," but the site he links to posits that a person behind you could simply watch the keyboard as you're typing and get your password that way, and anyway there's hardly ever a person standing behind you when you type a password. Apparently whoever wrote that has never tried to decipher what someone is typing merely by watching the keyboard, or had to unlock anything while someone stood by and waited for it, or shared an office where co-workers could see their screen all day, every day. The writer seriously suggests offering a checkbox so the user can choose whether or not to mask the password, as if any user ever would choose security over convenience. Users want ease of use, period. For example, Felix Salmon just said he wants to be able to get into his bank account online without any security getting in the way! That's why you need security people to worry about security.

So, to recap: Mr. Salmon is correct that changing passwords regularly will not prevent a hacker from exploiting a stolen password, but woefully off-base in that he thinks changing passwords regularly is a security practice aimed at preventing hackers from exploiting stolen passwords; he vastly underestimates the short-term cost of email storage space, and seems to not acknowledge or not be aware of the existence of the long-term cost, while misconstruing email storage limits as having anything to do with storage costs; I have no idea what he wants his bank's website to do to secure his account; and he wants anybody within ten feet to be able to read your password.

I... disagree.
