Monday, January 7, 2008

Educating Users Doesn't Work

Marcus Ranum has an excellent article which I find myself going back to often, it's titled The Six Dumbest Ideas in Computer Security. My favorite is number five, Educating Users.

On the surface of things, the idea of "Educating Users" seems less than dumb: education is always good. On the other hand, like "Penetrate and Patch" if it was going to work, it would have worked by now.

This ties directly into password policies as users (in the aggregate) have shown themselves to be completely incapable of managing something as complex as passwords and authentication. For several years now I've been operating a lab with a very simple password policy. Your password is random and no, you can't change it. It works because every human I've encountered thus far, when asked to type in a string of 8 completely random symbols on a daily basis rather quickly memorizes it. For those who do not log in on a daily basis, they are the ones most likely to pick duplicate or otherwise insecure passwords, or write it down anyway. So, they have a slip of paper that says 'your password is:' anyway, it just happens to be a good one.

And yes, I have been tracking the number of password resets requested, and no, there aren't very many. Also, those that do get reset, are often repeat customers who never bother to keep track of their password in the first place.

No comments:

Post a Comment