Mike's random thoughts and ramblings

Infosec Incentives (or: I like paste)

Over at his blog, Adam has a great take on why MySpace passwords are better than corporate ones (referring back to Bruce Schneier's Wired article). From Adam's entry:

"I'd like to offer up a different reason [for MySpace passwords being more complex]: MySpace users have a reason to care about the security of the information they offer up to MySpace that's more compelling than policies and cajoling from the security folks, and it shows."

I agree that this has something to do with it, but I think there's an even more devious incentive at work: the belief that someone will take advantage of your password.

In the case of MySpace, the users probably believe that their accounts are at significant risk. Teenagers are likely to mess with each other's accounts often - they are mischievous and like to mess around with each other's stuff. I remember being online in my younger days, and enjoying messing around with my friends' accounts, sending them fake mail, etc. It was fun to be mischievous, and I know that I wasn't the only one. (Heck, some of the people reading my blog still do it to their friends...) And, if you asked the average MySpace user who would steal their password and what they'd do with it, there's no doubt in my mind that you'd get a list of at least one or two friends or high-school enemies.

But, in the case of corporate accounts, the attitude is completely different. If you asked Mary over in facilities who is out to steal her password, she'd likely tell you that nobody would (or she'd give some vague answer about "hackers"). She simply doesn't believe that there is a credible and tangible threat who wants her password, and so she doesn't worry about it. Furthermore, since the cost of making a hard password is borne entirely by Mary, the lack of a tangible threat makes it a cost without a potential benefit. So, if she's creating a hard password, it's entirely to create work for herself, without seeing any return (because, she thinks, "who would want my password?").

This is the same set of incentives that keeps people from locking their screens - it creates a cost for the user, and there's no perception of risk, because it's so foreign to think that someone would walk over and sit down at my computer unless I'm somehow doing something of general interest.

That was solved at nCircle when I worked there - Cvoid and others had a habit of stopping by anyone's unlocked computer and sending the entire engineering group an email that said: "I like paste." (or some variant thereof).

Suddenly, every desktop was locked nearly 100% of the time. And, as a standing reminder that the rule was enforced, the practice continued - I'm sure that there's still a paste email sent on occasion over there. It's the constant potential for a threat that keeps people vigilant.

The incentive here isn't so much that the MySpace user cares more about the information than the corporate user - it's that they perceive a clear, present and tangible possibility that someone's actually "out to get them."


About the author

Michael Murray
