by Jimmy Marks
Wait...what did this article just say?
From Business Week:
The Problem with Passwords
They're annoying to remember, insecure, and costly for companies.
Average amount it costs a business to field a phone call requesting a password reset: $10
Proportion of help desk calls that are password-related: 30%
Users who choose a common word or simple key combination for a password: 50%
Wow, that's surprising. But is it really a problem with passwords, BusinessWeek? Someone calling for a password reset has forgotten their password. That's not the password's fault, that's human error. Yes, we as a society have a lot of passwords to remember. It's frustrating, sure. But it's also worth the time it takes to add entropy, and why? Because every site is of some importance to its user.
What if someone busted into your Facebook account and started saying racist/sexist things or working to get you in trouble with your company? I've seen it happen to people before. It's awful and it really makes trouble for the victim. How about your email? making your email easy to crack leaves you open to all manner of ills. Getting all your other passwords is a snap for the guy who breaks into your email inbox because he can hit your online banking provider and start screwing with your money, or cancel accounts, or break in later for his own purposes. And what happens when the hacker in your inbox starts jamming your email address into "forgot password?" forms on your most visited websites? It's a recipe for disaster.
To be fair to BusinessWeek, I'm not sure this was meant to be a full article. I think it's a sidebar snippet that got repurposed. There aren't a lot of suggestions about how to make security better. There ARE, however, some interesting numbers suggesting how hard it is to guess a password that's X number of characters long and Y degrees of complexity.
From the same "article":
Length: 6 characters
Lowercase: 10 minutes
+ Uppercase: 10 hours
+ Nos. & Symbols: 18 days
Length: 7 characters
Lowercase: 4 hours
+ Uppercase: 23 days
+ Nos. & Symbols: 4 years
Length: 8 characters
Lowercase: 4 days
+ Uppercase: 3 years
+ Nos. & Symbols: 463 years
Length: 9 characters
Lowercase: 4 months
+ Uppercase: 178 years
+ Nos. & Symbols: 44,530 years;
The more characters - uppercase, lowercase, numbers, symbols - you add to the password, the more secure it is.
And I'll put a nickel on the bet that you've started thinking "more than eight characters?!? Who can remember that!"
You could. If you cared. But we've done a bad job as web professionals and managers of information. We've conditioned people to think of passwords as another step in getting the information you want, not the first line of defense against intrusion and destruction. Forgot your password? We can reset it. I don't know who manages password resets primarily by call, most sites use a system of emails with specialized links that go to reset pages. But if it really costs you ten bucks to reset a password by phone, eat the cost. Why? Because getting blamed for lapsed, broken security will cost you a lot more - in lost business, bad publicity and possible lawsuits by victims of phishers, scammers, hackers and other ne'er-do-wells.
So what's the solution? Get serious about passwords and layers of protection. Require passwords to have the unusual, difficult-to-guess characters that keep customers safe. Toy with multi-factor identification. Lockout anyone that tries a password more than five times. Lockout anyone that's been inactive for five or more minutes.
Be smarter than you are convenient. Don't be to blame when someone's information is compromised...or when your own is.