Like Passwords for Chocolate, coming soon to a security theater near you

Is your password worth more to you than a bar of chocolate? Why not?

The biggest problem with password security today is not that they are too long and too hard to remember. In fact, How to get people to use strong passwords explains how we can neatly defuse that little issue. It is not that password policies are often abysmally bad, as in the case described in How does bad password policy like this even happen?, though that definitely is a problem. It is not even the way bad security advice masquerades as common sense for people who lack an understanding of how to solve both of those issues, a growing epidemic identified in Don't be fooled by the argument against unique passwords.

The biggest problem with password security today is simple:

Nobody cares.

Do you know why your IT department personnel have to wander around the offices once a month or so and check for sticky notes on monitors or pencil marks under keyboards to ensure people aren't writing down their passwords? I do: it is because your employees are not invested in the security of their workstations enough to care.

Do you know why your friend insists on using the name of his cat as a password for everything he does online, including his bank? I do: it is because he does not feel the danger of a security compromise with enough immediacy to care.

A perfect example of how people feel about their passwords, especially when they have it drilled into their heads that the computers they use at work (and thus the passwords that unlock those machines each morning) are not theirs and neither is any of the data they process, is a BBC News article from 2004, Passwords revealed by sweet deal. It tells us:

More than 70% of people would reveal their computer password in exchange for a bar of chocolate, a survey has found.

Of course, any security expert worth his salt should immediately stumble onto the obvious question -- and Bruce Schneier did when he commented on it three years ago:

I haven't seen any indication they actually verified that the passwords are real. I would certainly give up a fake password for a bar of chocolate.

If I have to go with my gut, though, I would say that probably at least fifty percent of people would give up real passwords without even thinking of trading a fake password for the chocolate bar. If they thought of it, they would probably just dismiss the idea, afraid they would be caught giving up a fake password.

Consider that notion, for a moment. How chilling is your realization of the state of security when you consider the idea that people are so socially programmed to accede to others' wishes that they are afraid to get caught giving up a fake password in exchange for a bar of chocolate? The entire situation is turned on its head. If anything, the person asking should be afraid of raising someone's ire for offering a paltry bar of chocolate in exchange for a password. Sadly, people just do not care about security, except in the voting booth when pondering the matter of "national security" -- or at least the appearance of "national security".

A big part of the problem is that the people in charge in various corporations do not actually care about whether you keep your password safe. They care about whether they can be sued, in the case of your bank, if someone else gets your password; they care about whether you will slack off at work, in the case of your employer; they care about whether you will trust them, in the case of antivirus vendors and their ilk. They do not really care about the security of your passwords at all.

Much of what masquerades as security in both public and private sectors is just an attempt by petty bureaucrats to avoid getting in trouble. As a result, the entire matter of password security is relegated to an exercise in playacting. It is widely distributed security theater, a nickel or a dime at a time. You cannot have an avalanche without the individual pebbles, and these pebbles add up in a hurry.

A little thinking about security -- just enough to account for the difference between people who do care about it and those who do not -- would protect against more than just a chocolate bar trade. It would also protect against cases where someone asks for your password at work, or to verify your identity over the telephone when calling tech support for your Internet service provider. It would protect against use of passwords that are incredibly short and easy to guess. It would protect against the stupidities of software developers who disallow all special characters and spaces and demand that no two letters or numbers are adjacent (requiring alternating letters and numbers) for login authentication systems.

All it really takes to get things rolling is to get people to care. Getting people to care is even pretty simple, in theory: give them a sense of ownership, both of what must be protected and of the consequences. If they have a sense of ownership of the data they are protecting, and of the harmful consequences of letting the security of that data get compromised, they will care about things like password security.

Sadly, the closest most employers get to instilling such a sense of ownership of the data and the consequences of a compromise looks something like this:

  1. The data is owned by the employer, as is the employee.
  2. The blame, if something goes wrong, is owned by the employee.

Consider the negative security effects of alienating your employees or customers from the data they generate. As people are desensitized to the value of the data they create or share by the ubiquitous claims of ownership over that data by the services they patronize or the employers for whom they work, they cease caring about its security. If people do not ever get to see any personal benefit from the value of what they produce or distribute, and only get to look forward to blame if something bad happens to it, their focus turns from caring about the data to caring about whether they get caught trying to do as little as possible.

In short, the real reason people will trade away their passwords for chocolate bars is that they have been given no reason to value the data those passwords protect as much as the measly dollar it would cost to buy their own chocolate bars. If you want people to exercise a little bit of good security practice in how they manage their passwords, first give them a reason to care about what those passwords protect.

Next, teach them that password management does not have to be difficult. For that purpose, you might try directing them to Five features of a good password manager.