[144256] in cryptography@c2.net mail archive


Re: The password-reset paradox

daemon@ATHENA.MIT.EDU (Jerry Leichter)
Fri Feb 20 14:26:53 2009

Cc: cryptography@metzdowd.com
From: Jerry Leichter <leichter@lrw.com>
To: pgut001@cs.auckland.ac.nz (Peter Gutmann)
In-Reply-To: <E1La94b-0005k5-W4@wintermute01.cs.auckland.ac.nz>
Date: Fri, 20 Feb 2009 14:00:18 -0500

On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote:

> There are a variety of password cost-estimation surveys floating around that
> put the cost of password resets at $100-200 per user per year, depending on
> which survey you use (Gartner says so, it must be true).
>
> You can get OTP tokens for as little as $5.  Barely anyone uses them.
>
> Can anyone explain why, if the cost of password resets is so high, banks and
> the like don't want to spend $5 (plus one-off background infrastructure costs
> and whatnot) on a token like this?
>
> (My guess is that the password-reset cost estimates are coming from the same
> place as software and music piracy figures, but I'd still be interested in any
> information anyone can provide).

I suspect some very biased analysis.  For example, people who really
need their passwords reset regularly will probably lose their tokens
just as regularly.  The cost of replacing one of those is high - not
for the token itself, but for the administrative costs, which *must*
be higher than for a password reset since they include all the work in
a password reset (properly authenticating the user/identifying the account
probably contribute the largest costs), plus all the costs of
physically obtaining, registering, and distributing a replacement
token - plus any implied costs due to the delays needed to physically
deliver the token versus the potential for an instantaneous reset.

I suppose the $100-$200 estimate might make sense for an organization
that actually does password resets in a secure, carefully managed
fashion.  Frankly ... I, personally, have never seen such an
organization.  Password resets these days are mainly automated, with
authentication and identification based on very weak secondary
security questions.  Even organizations you'd expect to be secure
"authenticate" password reset requests based entirely on public
information (e.g., if you know the name and badge number of an
employee and the right help desk to call, you can get the password
reset).  New passwords are typically delivered by unsecured email.
All too many organizations reset to a fixed, known value.

It's quite true that organizations have found the costs of password
resets to be too high.  What they've generally done is saved money on
the reset process itself, pushing the cost out into whatever budgets
will get hit by the resulting security breaches.
                                                         -- Jerry

>
> Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
