Users Rejecting Security Advice Considered Rational
WeeBit writes "Researchers have different ideas as to why people fail to use security measures. Some feel that regardless of what happens, users will only do the minimum required. Others believe security tasks are rejected because users consider them to be a pain. A third group maintains user education is not working. [Microsoft Research's Cormac] Herley offers a different viewpoint. He contends that user rejection of security advice is based entirely on the economics of the process." Here is Dr. Herley's paper, So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users (PDF).
Re:Some security advice is not rational (Score:4, Informative)
Nobody breaks into people's houses to install hardware keyloggers to steal their online banking passwords. And yet, some banks put up "security measures" like on-screen keyboards you have to type on with a mouse just to avoid keyloggers.
Right. Good thing there's no such thing as a software keylogger [google.com].
-molo
Re:Microsoft Researcher using TeX. (Score:2, Informative)
That's because TeX is awesome.[*]
[*] If you're writing a conference paper or a journal article or a thesis. For other uses, YMMV.
Re:It's obvious (Score:4, Informative)
It seems that several years ago, the /etc/passwd file was world readable (since it had to be read in order to log in), and both the username and password were stored there. (Now the passwords are stored in /etc/shadow, which is not world readable.) It was fairly simple for someone to download a passwd file and then run it through a dictionary cracker to find the passwords. In the early 80s it was found that a dedicated mainframe could crack any dictionary word in the passwd file in about eight weeks. If the hacker only had access for a couple of hours a day, it could take up to four months. (If a complex password was used, it would take much longer or possibly never be cracked.) Therefore, if a person changed his password every 30 days, he could be sure that by the time the hacker cracked his password, it had been changed.
However, as computers became more powerful, the time to crack passwords from a passwd file became less and less, so a better solution needed to be found. One method was to separate the password from the username into a shadow file, and make sure that the shadow file was not world readable. A cracker would need to break into the computer with root privileges in order to read the password file so that they could break into the computer.
Unfortunately, the above explanation is long, complicated, and goes against "best practices." I have tried pointing that out to several "Security experts" without any success. Pointing out that passwords will be written down if they have to be changed often will not help much either.
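The comment above describes the move from hashes in a world-readable /etc/passwd to a root-only /etc/shadow. The following audit helper is an added example (not code from the comment author or from Slashdot) that checks for the two regressions that defeat that design: a passwd entry that still carries a hash (or an empty password field) instead of the `x` shadow marker, and a shadow file whose mode grants read access to "other". The sample passwd text is constructed for the example and the hash-like string in it is a placeholder, not a real hash.

```python
import os
import stat

# Constructed sample of a passwd file mixing shadowed and legacy entries.
# "$6$FAKEHASHFORDEMO" is a placeholder standing in for a real hash.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$FAKEHASHFORDEMO:1001:1001:Legacy user:/home/legacy:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
svc:!:1002:1002:locked service:/var/lib/svc:/usr/sbin/nologin
guest::1003:1003:no password at all:/home/guest:/bin/sh
"""

# Markers that mean "no hash lives in this file": shadowed, or locked/no login.
SHADOW_MARKERS = {"x", "*", "!", "!!"}


def entries_with_exposed_hashes(passwd_text):
    """Return usernames whose passwd entry still exposes a hash or an empty password.

    A world-readable passwd file is only safe when field 2 of every entry is a
    marker rather than a hash; an empty field means no password is required.
    """
    exposed = []
    for line in passwd_text.splitlines():
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line; a stricter audit would report it separately
        user, pw_field = fields[0], fields[1]
        if pw_field not in SHADOW_MARKERS:
            exposed.append(user)
    return exposed


def shadow_mode_is_safe(mode):
    """True when a shadow file's mode bits grant no read permission to 'other'."""
    return not (mode & stat.S_IROTH)


def audit_shadow_file(path="/etc/shadow"):
    """Inspect the real shadow file on this host; returns None if it is absent."""
    try:
        return shadow_mode_is_safe(os.stat(path).st_mode)
    except FileNotFoundError:
        return None


if __name__ == "__main__":
    print("entries exposing a hash or empty password:",
          entries_with_exposed_hashes(SAMPLE_PASSWD))
    print("/etc/shadow mode safe:", audit_shadow_file())
```

Run as a script it reports the two legacy entries in the constructed sample and, if the host has an /etc/shadow, whether its mode keeps "other" from reading it; the functions can also be imported into a larger host audit.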
Re:What's up with /. Headlines? (Score:2, Informative)
In this case, it's a reference to an old pre-Internet computing meme, most famously seen in the paper "Go To Statement Considered Harmful". See here [wikipedia.org].
Re:Wasted time (Score:3, Informative)
The problem is, a couple of years ago, RAR released a new version (which gave it a lead in the industry in compression ratio for a brief time), incompatible with the older versions (old decompressors couldn't decompress stuff compressed with the new RAR). It took all the others between a few months and a few years to include support for it, with 7zip being notoriously behind. So while it nominally supported ".rar", it lacked support for the "new RAR" for a couple of years.