Interesting People mailing list archives
re good read: Please do not change your password
From: Dave Farber <dfarber () me com>
Date: Sat, 17 Apr 2010 19:33:58 -0400
Begin forwarded message:
From: Benjamin Kuipers <kuipers () umich edu>
Date: April 17, 2010 12:01:11 PM EDT
To: dave () farber net
Cc: ip <ip () v2 listbox com>, "Jonathan S. Shapiro" <shap () eros-os org>, Benjamin Kuipers <kuipers () umich edu>
Subject: Re: [IP] good read: Please do not change your password
Jonathan Shapiro makes a good point about the limitations of Herley's argument, but his own example about insurance contains a similar limitation.

Insurance is a rational investment because the *utility* functions of the individual insurance-purchasers are different from the utility function of the insurance company that aggregates the risk. For an individual, the negative utility of a loss increases non-linearly with the dollar cost. The insurance company has a large enough asset base and risk pool so its utility function can increase linearly with cost. The disparity of the two utility functions makes the insurance deal (in principle) a good deal from both sides.

That is, if I get seriously injured or ill, medical bills in the millions could bankrupt me and my family, while paying a few thousand a year for insurance will not make a qualitative difference to my life (though the quantitative difference might still be annoying).

Carrying this back to password security, Gene Spafford's point is relevant. The small but annoying cost of continually changing passwords does not actually provide the coverage one might believe, since the risks have changed. It's like paying those insurance premiums, and then discovering when it's too late that the insurance company won't cover your loss.

Ben Kuipers

At 2:15 PM -0400 4/16/10, Dave Farber wrote:
> Begin forwarded message:
>
> From: "Jonathan S. Shapiro" <shap () eros-os org>
> Date: April 16, 2010 12:27:18 PM EDT
> To: dave () farber net
> Subject: Re: [IP] good read: Please do not change your password
>
> ...
> Under Herley's argument, rational actors should also dispense with home insurance, life insurance, and automobile insurance. Indeed we should dispense with *any* insurance. Insurance policies do not insure in areas where they will lose money. Therefore, if insurance exists, the expected cost to the buyer is higher than the expected loss.
> ...
>
> Jonathan Shapiro

--
Benjamin Kuipers, Professor
email: kuipers () umich edu
Computer Science and Engineering
tel: 1-734-647-6887
University of Michigan
fax: 1-734-763-1260
2260 Hayward Street
http://eecs.umich.edu/~kuipers
Ann Arbor, Michigan 48109 USA