[dba-Tech] Why we ignore security advice.

Jim Lawrence accessd at shaw.ca
Sun Nov 29 11:06:34 CST 2009


Hi Max:

This is definitely a very useful program. A lot of my clients use it. My
personal passwords I remember as there are only about 40. 

Jim


-----Original Message-----
From: dba-tech-bounces at databaseadvisors.com
[mailto:dba-tech-bounces at databaseadvisors.com] On Behalf Of Mark Breen
Sent: Sunday, November 29, 2009 7:34 AM
To: Discussion of Hardware and Software issues
Subject: Re: [dba-Tech] Why we ignore security advice.

Hello All,

I have a wonderful free program named Whisper32
<http://www.snapfiles.com/get/whisperxp.html> that I have been using for a year now.
It stores all my passwords, in encrypted form, and it has a super facility
to generate strong passwords.  When I create a new user nowadays, I first
enter the username in Whisper32
<http://www.snapfiles.com/get/whisperxp.html> and then I generate a 10 - 20
character super strong password.  I no longer attempt to remember the
passwords other than for a few systems.

I have also used it from time to time to exchange passwords with people,
although to do that, one must first agree on the password for the Whisper
file that will be exchanged.  IOW, this works if you have to regularly share
confidential data but is less useful for a one-off situation.

Of course the Whisper32 file must also have a big long password, but once I
remember that, I have all my passwords.  From time to time, I email the file
to myself, so if I lost the file, it would be backed up in Gmail archives.

It takes one of the stresses off me.

Mark


2009/11/28 Tina Norris Fields <tinanfields at torchlake.com>

> A very interesting article, Stuart.  Thanks.  The author makes a point
> that is hard to refute in terms of cost-benefit ratio to the user.
> Still, I just can't break the habit of trying to keep my stuff secure.
> So, even if it takes me more than a couple minutes a year, I'm going to
> keep my protection up-to-date and run my scans regularly.  As for
> passwords, I keep them in an encrypted file somewhere I know how to
> find.  Thanks again, a good read.  :-)
> T
>
> Stuart McLachlan wrote:
> > <http://research.microsoft.com/en-us/um/people/cormac/papers/2009/SoLongAndNoThanks.pdf>
> >
> > ABSTRACT:
> >
> > It is often suggested that users are hopelessly lazy and unmotivated on
> > security questions. They choose weak passwords, ignore security warnings,
> > and are oblivious to certificate errors. We argue that users' rejection
> > of the security advice they receive is entirely rational from an economic
> > perspective. The advice offers to shield them from the direct costs of
> > attacks, but burdens them with far greater indirect costs in the form of
> > effort. Looking at various examples of security advice we find that the
> > advice is complex and growing, but the benefit is largely speculative or
> > moot. For example, much of the advice concerning passwords is outdated and
> > does little to address actual threats, and fully 100% of certificate error
> > warnings appear to be false positives. Further, if users spent even a
> > minute a day reading URLs to avoid phishing, the cost (in terms of user
> > time) would be two orders of magnitude greater than all phishing losses.
> > Thus we find that most security advice simply offers a poor cost-benefit
> > tradeoff to users and is rejected. Security advice is a daily burden,
> > applied to the whole population, while an upper bound on the benefit is
> > the harm suffered by the fraction that become victims annually. When that
> > fraction is small, designing security advice that is beneficial is very
> > hard. For example, it makes little sense to burden all users with a daily
> > task to spare 0.01% of them a modest annual pain.
> > Stuart McLachlan
> >
> > _______________________________________________
> > dba-Tech mailing list
> > dba-Tech at databaseadvisors.com
> > http://databaseadvisors.com/mailman/listinfo/dba-tech
> > Website: http://www.databaseadvisors.com
