Monday, June 14, 2010

Changing passwords a waste of time?

While I’m waiting for Bell Canada’s DSL internet service to be installed I’ve had some time to catch up on my reading. I was glancing through CIO Magazine and came across this short tidbit: “Study: Changing Passwords a Waste of Time” by Cormac Herley over at Microsoft Research. He says that changing passwords is basically a waste of time.
“A lot of advice makes sense only if we think user time has no value,” Herley explained. His back-of-the-envelope calculations suggest that if strict password requirements cost workers a minute of their time each day, that adds up to about $16 billion worth of lost time annually. Security recommendations, he reasons, should prevent at least that much in losses to be worth implementing.

For example, many U.S.banks reimburse customers who’ve been the victims of phishing attacks, but such payouts cost the entire industry only about $60 million a year. Herley estimates that if 10 percent of Wells Fargo’s customers need a customer service rep to help them reset a password, at $10 a reset, that costs the company $48 million – far more than its share of the industry total.

The answer, he says, is basing cost estimates on actual victimization rates, rather than worst-case-scenario projections, and prioritization accordingly.
I have a couple of comments about Herley’s study. The first one is I can’t blame him for picking Well’s Fargo as an example. I believe that somewhere I have read a case study that they actually implemented a solution to reduce the number of password resets they were doing so they probably aren’t the best example but how would he know? Also, most companies nowadays have implemented some sort of self-service password reset solution so I am again not so sure about his theory. Anyway, while sitting here I figured I’d do the math on this problem:
  • $48 million/year at $10/reset = 4.8 million password resets per year
  • 4.8 million password resets/365 = 13,150 password resets per day
  • 13,150 password resets per day/1440 = 9 password resets per minute (let’s round up to 10 resets per minute)
  • Assume 3 shifts of 10 workers at a generous $50K/worker = $1,500,000
$1.5M is a far way from $48M even if you feel my numbers are low but I don’t think they’re off by a factor of 30 or so. Anyway, the moral of the story is two-fold:
  1. Check your math – both ways to make sure things make sense.
  2. It may be cheaper not to put locks on your doors because you have insurance but is it really worth the hassle of having to spend so much time with the insurance people, the police and who knows who else every time you have something stolen from you?
I’ll stick to a strong policy regarding passwords thank you very much.


Unknown said...

Your numbers are purely theoretical. If you think 10 employees within an 8 hour shift could handle password resets for 48 million customers. Well, I hope you don't run my customer service department.

Unknown said...

Mark - Thanks for your comment. I based my numbers purely on the fact that that the author stated end users lost 1 minute of productivity because of password resets. I think that number was purely theoretical too!

Neither of our situations - the authors, or mine - should happen in real life. Self-service password reset or the use of tokens can eliminate the problem to a great extent.