Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Valdis Kletnieks <Valdis.Kletnieks () VT EDU>
Date: Wed, 17 Mar 2010 04:33:31 -0400

On Wed, 17 Mar 2010 21:18:08 +1300, Russell Fulton said:
> So why don't we all do this?  Because 2FA is an identifiable and
> quantifiable cost that some part of the organisation has to pay, whereas
> getting users to change their passwords does not come out of anyone's
> budget.

A small but important correction here - it isn't *visibly* coming out of
any *one* specific budget as a line item, because it's causing nickel-and-dime
hemorrhaging out of *every* business unit's budget.

Remember to include second-order effects - you noted the increased tendency
to post-it the passwords, which is a security cost.  Also, you have a fighting
chance that a user will pick a good password when given time to change it,
but you *know* they're going to pick something fast and stupid when they're
looking at that 'Your password will expire in 0 days - mandatory change now'
prompt. ;)
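As an added illustration of the "fast and stupid" change described above (example code written for this archive page, not from the thread or from any list member): a check a password-change handler can run to reject the cosmetic rotations users typically make at the "expires in 0 days" prompt, such as bumping a trailing number, swapping a year or season, or leet-substituting a letter. The function names and the sample password pairs are constructed for this example; the check assumes both the old and new plaintext are available at change time, which they are, since the user must type the old one to change it.

```python
import re
from difflib import SequenceMatcher

# Undo the handful of substitutions users make to satisfy complexity rules,
# so that "P@ssw0rd" and "password" compare equal.
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                       "3": "e", "$": "s", "5": "s", "7": "t"})

# A trailing run of digits/symbols is the part that gets bumped each rotation.
_TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")


def core(password: str) -> str:
    """Reduce a password to the part the user actually remembers:
    lower-case it, drop the trailing digits/symbols, undo leet-speak."""
    return _TRAILING.sub("", password.lower()).translate(_LEET)


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is a cosmetic edit of `old` rather than a new secret."""
    if new == old:
        return True
    old_core, new_core = core(old), core(new)
    if old_core and old_core == new_core:
        return True  # same word, different suffix, case or leet spelling
    if old_core and (old_core in new_core or new_core in old_core):
        return True  # old password embedded in (or trimmed from) the new one
    # Catch-all for single-character edits anywhere in the string.
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


# Constructed (old, new) pairs, not data from the thread.
CONSTRUCTED_ROTATIONS = [
    ("Winter2009!", "Winter2010!"),
    ("Password1", "Password2"),
    ("hokies99", "Hokies100"),
    ("password", "P@ssw0rd"),
    ("Tr0ub4dor&3", "correct horse battery staple"),
]


def audit(pairs):
    """Return (old, new, rejected) for each change a handler would see."""
    return [(old, new, is_trivial_rotation(old, new)) for old, new in pairs]


if __name__ == "__main__":
    for old, new, trivial in audit(CONSTRUCTED_ROTATIONS):
        verdict = "REJECT (trivial rotation)" if trivial else "ok"
        print(f"{old!r:>14} -> {new!r:<32} {verdict}")
```

Only the last pair survives the check; the first four are exactly the rotations a 90-day expiry policy trains people to make. Any such check should be paired with a guard against attackers abusing it as an oracle: it runs only after the old password has been verified, inside the normal change flow.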
