Educause Security Discussion mailing list archives

Re: Are users right in rejecting security advice?


From: Russell Fulton <r.fulton () AUCKLAND AC NZ>
Date: Fri, 19 Mar 2010 12:04:37 +1300

Sent via IronPort test setup.  Please report any oddities :)



On 18/03/2010, at 3:56 AM, Joe St Sauver wrote:

Regarding passwords, Russell Fulton <r.fulton () AUCKLAND AC NZ> mentioned:

#The general consensus seems to be that there is value in getting users 
#to change their passwords at, say, yearly intervals but as you increase 
#the frequency the cost to the user escalates and eventually they will 
#start writing the passwords down and sticking them to the screen and 
#even before that happens the cost in terms of frustration is significant 
#and may well outweigh any real security benefits.

In my experience, it isn't the *frequency* of the changes that's 
the problem, rather it is the:


[heaps of good stuff snipped]

Yes, Joe is right -- it isn't just the frequency that is the issue -- I had oversimplified.  It still boils down to 
the fact that passwords are inadequate protection for anything you really care about.

I also agree with most of Joe's other comments on my post -- I was being deliberately provocative (in keeping with 
the thread :) and it is good to see all this follow-up!

On the issue of Best Practice -- my real complaint is that the term is overused, and what is best practice in one set 
of circumstances may be sub-optimal in others.   I am all for having standard practices documented so long as the 
assumptions of the analysis are spelt out -- most often they are not.  So people implement what they are told is best 
practice but which in fact is far from it.

Thanks too to Valdis for clarifying the issue over budgets.  This is an illustration of the weakness in tracking real 
costs.  The cost of people's time and frustration does not make it into financial reports -- it just haemorrhages 
invisibly.

Russell
