As you might imagine, I've been doing an enormous amount of work lately on various Web sites. Banking, financial services, health insurance, disability insurance, Social Security, and so forth
If you (or other regular readers) really want, I can point you to numerous papers about the weaknesses of these systems, why we still use passwords, all sorts of alternatives (and analyses of why they haven't been adopted), and also about some of the counterintuitive elements of the "strong" password requirements and how in many cases they leave many users with weaker passwords despite their rules. Security and privacy are hard, usability is hard. Usable security and privacy are not just double-hard but hard-squared.
a-cubed, chair of USEC 13, the 2013 Workshop on Usable Security.
Would you point me to discussion of alternatives, actually? The only ones I'm aware of are passphrases (admittedly because I've never made the concerted effort to look into the subject).
It's surprising, especially given HIPAA confidentiality snake dances. I always cringe when my paperwork process involves HIPAA issues, because that triples the amount of time I have to spend on that one case--and it's all around that HIPAA confidentiality stuff.
As someone who has worked in the software industry for a decade, I can tell you that the two industries that MOST need to guard their data (medical and financial) are the two industries that are slowest to upgrade their systems. I don't know if it's fear of change, their desire to hold off on upgrading until they've thoroughly tested a new system, or just plain foolish penny pinching to keep costs down, but I've seen it over and over again. I keep asking at my current job why we still support Internet Explorer 6 for our product, and it's because one of our customers (a financial company) is still using a browser so buggy that even Microsoft themselves tells you not to use it.
I also work a lot with both the financial and medical industries in my Day Jobbe. My experience is that the conservatism comes in part from liability fears. A system which at any point was approved is essentially grandfathered for liability purposes, even if now seriously outdated. Making any change, even one undeniably to the better, strips away that safe harbor and opens the door to major liability issues
This doesn't surprise me in the least. I co-own a database consultancy, and at the multiple sites we have gone onto security is invariably appalling. Common example: everybody including casual users using the same administrator-level ID and password, so that there's little security and no traceability. If we point security flaws out, the news is met with utter indifference - even *after* they've had terrifying security failures. And we work with corporates, not small companies who are beginners in this kind of thing. Granted, IT is pretty bodgy in New Zealand due to the paucity of people who know what they're doing - it's the wild frontier. Perhaps things are better in the US. I certainly hope so.
My work insists that passwords be 9 or 10 characters long and contain no double letters. My security-minded friends say this is a very bad policy.