Pesky passwords
Do you cringe every time the expert on the radio tells you that you need to change your password more often? Cringe no more. A specialist in psychology and security says these experts may be making the situation worse, not better.
Dr Jessica Barker, a psychologist who specialises in security awareness, says that the scare tactic of telling people that their password choices are poor and easily guessable is counterproductive: it reassures users that they are no worse than everyone else, and so may inadvertently encourage the very practices it is meant to discourage.
The logic behind telling users to change passwords regularly is that if an attacker has stolen your password, frequent changes limit the damage they can do. That logic is flawed in two respects. Firstly, stolen credentials are used quickly: an attacker who obtains your password now will have logged in, copied anything of value, and turned your machine into a bot or encrypted it with ransomware long before a monthly change comes round, so the rotation is a case of shutting the stable door after the horse has bolted. Secondly, forcing people to change passwords repeatedly steers them towards simpler, more memorable and more predictable choices, very often the same word with a digit bumped up by one, which are a much easier nut to crack. Both points are now reflected in official guidance: the UK's NCSC advised against regular forced password expiry in its 2015 password guidance, and NIST's 2017 digital identity guidelines (SP 800-63B) say that verifiers should not require periodic password changes, but should instead check new passwords against lists of known compromised ones and force a change only when there is evidence that the password has been compromised.
If you look at security advice websites, they all say much the same thing, namely: use strong, obscure, hard-to-crack passwords, keep your software up to date, pay for a regularly updated anti-virus scanner and a firewall, and don't open attachments in emails. This is all good advice in context, but it reinforces the idea that the end user is the cause of security failures, when really it should be seen as a set of ways the end user can try to stave off problems caused by widespread failings in the design of the software they are given.
If you are running Windows 10, your PC has probably recently installed a huge set of updates called the Windows 10 Fall Creators Update. In explaining what's new in this edition, Microsoft says "In Windows 10 Fall Creators Update we released Windows Defender Exploit Guard, a new set of intrusion prevention capabilities. One of its features, controlled folder access, stops ransomware in its tracks by preventing unauthorized access to your important files". That sounds like an improvement, and it is, but it is switched off by default and only protects the folders you (or the defaults) list, which leaves me asking why on earth this is an add-on, an afterthought, rather than core functionality of the operating system and a core design principle of the mainstream software we use. What business does any email attachment, PDF reader or web page have accessing and updating my file storage or address book without my explicit, informed consent?
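Since the feature has to be turned on deliberately, here is how to do so and how to check that it is doing anything. This is an added example for this page, not code from the SKILLZONE article and not Microsoft's own script; it uses the documented Defender cmdlets and event IDs, and the folder and program paths in it are made-up placeholders to be replaced with your own.

```powershell
# Added example (not from the SKILLZONE article): enable Windows Defender
# Exploit Guard's controlled folder access, extend it to a folder of your
# choosing, permit one application, and then look for the events it writes
# when something is blocked. Run from an elevated PowerShell on Windows 10
# version 1709 (Fall Creators Update) or later with Microsoft Defender
# Antivirus real-time protection turned on; CFA does nothing otherwise.
# 'D:\Accounts' and 'C:\Program Files\BackupAgent\backup.exe' are placeholders.

# 1. Start in audit mode: nothing is blocked, but every write that *would*
#    have been blocked is logged, so you can find legitimate software that
#    needs an exception before switching to enforcement.
Set-MpPreference -EnableControlledFolderAccess AuditMode

# 2. Windows protects the standard profile folders (Documents, Pictures,
#    and so on) by default; add any other folder holding data that
#    ransomware would go for. Placeholder path.
Add-MpPreference -ControlledFolderAccessProtectedFolders 'D:\Accounts'

# 3. Allow a trusted program that legitimately rewrites files in those
#    folders (a backup agent, say). Placeholder path. The trust is granted
#    to the executable path, so whatever can write to that path inherits it.
Add-MpPreference -ControlledFolderAccessAllowedApplications 'C:\Program Files\BackupAgent\backup.exe'

# 4. Verify that the configuration actually took. EnableControlledFolderAccess
#    is reported numerically: 0 = Disabled, 1 = Enabled, 2 = AuditMode.
Get-MpPreference |
    Select-Object EnableControlledFolderAccess,
                  ControlledFolderAccessProtectedFolders,
                  ControlledFolderAccessAllowedApplications |
    Format-List

# 5. Review what CFA has seen. Defender logs event 1123 (blocked) and 1124
#    (audited) for writes to protected folders, and 1127 (blocked) and 1128
#    (audited) for raw disk-sector writes, in its Operational log. The event
#    message names the process and the target file, which is what you need
#    in order to decide whether to whitelist the program or investigate it.
Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-Windows Defender/Operational'
    Id      = 1123, 1124, 1127, 1128
} -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap

# 6. Once the audit log shows only activity you understand, enforce it.
Set-MpPreference -EnableControlledFolderAccess Enabled
```

Two caveats a practitioner should keep in mind. Whitelisting is by executable path, so an allowed program that can be made to write arbitrary files (a scripting host, or a backup tool with a crafted job) carries its trust with it. And the protection applies only to the listed folders: files elsewhere, including anything a web browser or mail client downloads to a temporary directory, are exactly as exposed as before, which is the article's point about this being a bolt-on rather than a design principle.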
21st December 2017
This article comes from the SKILLZONE email newsletter, published monthly since January 2008, and covering topics related to technology and the internet. All articles and artwork in the SKILLZONE newsletter are original content.