Browse archive

Latest news

APT1 is back, attacks many of the initial U.S. corporate targets

Aurora attackers were looking for Google's surveillance database

U.S. DOJ accuses journalist of espionage

A closer look at Mega cloud storage

CISOs need to engage with the board

Wi-Fi client security weaknesses still prevalent

"NATO vacancies" phishing email also leads to malware

Find TrueCrypt and BitLocker encrypted containers and images

Sourcefire goes beyond the sandbox

The CSO perspective on healthcare security and compliance

Jailed hacker designs device to thwart ATM card skimming

U.S. Congress has questions about Google Glass and privacy

Over 45% of IT pros snitch on their colleagues

Hacking charge stations for electric cars

Password handling: challenges, costs, and current behavior

by Stephen Cobb - ESET Security Evangelist - Friday, 7 December 2012.

Online passwords are a pain, and not just when you have to type them to access your online bank account or shop at your favorite digital emporium. Password pain extends to the people who have to manage them. A few weeks ago we shared some initial findings from a recent poll of 2,129 U.S. adults (aged 18 and over) conducted for ESET by Harris Interactive.

Consider how people react to a request to change their online password. Here’s how people answered when we asked: If a social media site or online company with whom you have an account requests that you change your password, which of the following would you most likely do?

Always change my password: 31%
Sometimes change my password: 19%
Ignore the request: 18%
Contact company to see if request is genuine: 32%

In other words, a company asking its online account users to change their password can only count on 3 out of 10 them making the change. Half of the requests will either be ignored or, in a reflection of the sad state of online trust, generate some sort of customer service contact seeking verification of the request.

This finding provides a fresh way of looking at the cost of distrust. If a security breach creates a need to request 3 million users to reset their online passwords, you could be looking at 1 million unbudgeted customer service contacts. If you can keep average cost per contact as low as $1 that is still a $1 million bill.

Switching to a user perspective on passwords, I think many of us share the feeling that password changing is burdensome. That burden can mean passwords are not changed as often as they should be to properly protect accounts.

Nevertheless, our survey revealed that some people are making an effort. We asked "How frequently do you change the password for the online account you use most often?" Here's a breakdown of the responses:

About once a year: 46%
About once every 6 months: 31%
At least once a month: 8%
Never: 16%

Of course, when you map those frequencies against the current levels of online attack they might not seem adequate, but frankly they are better than I expected (I would like to research the extent to which some of these changes were due to the online account itself forcing a change, as opposed to the self-motivated diligence of the respondents).