Thoughts about the “Study: Frequent password changes are useless” article on Yahoo News

17 04 2010

I recently read the article Frequent password changes are useless

After giving this some thought, a couple of things struck me as being very important but easily overlooked. Both are related to this paragraph,

“Rather, frequent password changes are simply a waste of time and, therefore, money. According to the Microsoft researcher’s very rough calculations: To be economically justifiable, each minute per day that computer users spend on changing passwords (or on any security measure) should yield $16 billion in annual savings from averted harm. No one can cite a real statistic on password changes’ averted losses, but few would estimate it’s anywhere approaching $16 billion a year.”

The article says “frequent password changes are simply a waste of time” and it does not define frequent. By frequent do they mean daily, weekly, monthly? I would not think that changing passwords once a quarter would qualify as frequent.

Note that that $16 billion is not for each company! It’s for the national aggregate. If your company only loses $1 million, that’s simply a small piece of the aggregate pie; but, for many companies, it could mean bankruptcy or, potentially, years of expensive, personal data breach litigation. If memory serves correctly, defense against this type of litigation depends heavily on having taken every ‘reasonable’ precaution. If one of those reasonable precautions is deemed to be frequent changes of passwords, then never changing passwords or changing them only once per year could mean additional loss of millions in court battles. Oh, one must also remember the fines and penalties if data protection laws are violated and loss of credibility in the marketplace when it’s your company that gets compromised.

Something to think about.


Old Tricks Still Working for Cyber Criminals

4 02 2010

It seems that, despite all of the innovation in data security, companies are still being plagued with problems from old methods of cyber crime. One particular sentence in the article stuck out to me:

“In many cases, the management interfaces were accessible directly from the Internet and had little or no password protection, potentially allowing attackers to deploy their own malicious applications on the Web server.”

Sometimes, it’s very easy to forget about the simple things that we take for granted in securing our data. With just a password, any cyber criminal can enjoy full access to sensitive information. We need to take control of this measure and remember that passwords will always place the most responsibility on users. It does not matter how password protected something is if the password itself is released. Human error may always be a part of data security, but with human error comes human solutions! Be smart when accessing sensitive information and continually make changes to your passwords every so often. Of course, anytime account activity seems suspicious, immediately change your password, which may be the simplest solution to what could be a very complex problem. By remembering to complete these menial tasks, you can help support the security of your data and, ultimately, your organization.

I believe Captain Planet said it best, when he let us know that:

“The power is yours!”