Thursday, August 18, 2011

That XKCD comic.

So there's an xkcd comic that's been making the rounds:

A full-size version can be seen here.
One of the points is that the recommendations commonly given for strong passwords don't necessarily ensure strong passwords, and that there are other ways to construct passwords that are both easier for the user to implement and harder to crack.  Cue mocking of those who set security requirements for corporate passwords.

Of course, what doesn't get captured in this comic is the fact that the security professional has to consider what the user will ACTUALLY DO in response to requirements.  Yes, if we could rely on users to choose truly random strings of words, it'd work great.  But in practice, there would be a non-negligible number of users who would choose something like "thisismypassword" or "th1s1smypassw0rd" or "correcthorsebatterystaple".

And while we do have the mechanics to force someone to have a password of so many characters minimum, with so many special characters, uppercase/lowercase etc., we don't have a similarly easy way to confirm that random word strings are truly random.
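As an added illustration of the contrast drawn in the two paragraphs above (not code from the original post): a composition rule is mechanically checkable, whereas a passphrase rule can only reject phrases already on a blocklist and can never confirm that an unknown phrase was drawn at random; the way round that is to have the system draw the words itself. The word list and the blocklist are constructed stand-ins, and the leetspeak folding is a deliberately simple assumption.

```python
import math
import re
import secrets

# Constructed stand-in for a diceware-style word list (real lists have 2048 or more words).
WORDS = ["correct", "horse", "battery", "staple", "cloud", "river", "lamp", "piano"]

# Fold common digit-for-letter substitutions and the l/i ambiguity into one canonical
# spelling. Applied to BOTH the candidate and the blocklist, so "th1s1smypassw0rd" and
# "thisismypassword" compare equal. Remaining non-letters (spaces, punctuation) are dropped.
CANON = str.maketrans("01l34578", "oiieastb")

def canonical(pw):
    return re.sub(r"[^a-z]", "", pw.lower().translate(CANON))

# Constructed blocklist: the picks the post predicts when users are told "choose random words".
KNOWN_WEAK = {canonical(p) for p in ["thisismypassword", "correcthorsebatterystaple"]}

def meets_composition_rules(pw, min_len=8):
    """The policy that IS mechanically enforceable: minimum length plus character classes."""
    return all([len(pw) >= min_len, re.search(r"[A-Z]", pw), re.search(r"[a-z]", pw),
                re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw)])

def is_known_weak_phrase(pw):
    """What a passphrase policy CAN check: the pick is not a phrase we already know about.
    It cannot tell whether an unknown phrase was chosen randomly or just looks random."""
    return canonical(pw) in KNOWN_WEAK

def passphrase_entropy_bits(n_words, wordlist_size):
    """Entropy of n words drawn uniformly at random: n * log2(list size).
    The figure only holds when the draw really is random, which is the unverifiable part."""
    return n_words * math.log2(wordlist_size)

def generate_passphrase(n_words=4, words=WORDS):
    """Sidestep the verification problem: draw the words with a CSPRNG on the system side,
    so the entropy is known and does not depend on what the user would have picked."""
    return " ".join(secrets.choice(words) for _ in range(n_words))

if __name__ == "__main__":
    for pw in ["Th1s1smypassw0rd!", "correcthorsebatterystaple", "C0rrect-Horse-Battery-St4ple"]:
        print(f"{pw!r}: rules={meets_composition_rules(pw)} known_weak={is_known_weak_phrase(pw)}")
    print(f"4 random words from a 2048-word list: {passphrase_entropy_bits(4, 2048):.0f} bits")
    print("system-generated:", generate_passphrase())
```

Note that "Th1s1smypassw0rd!" and "C0rrect-Horse-Battery-St4ple" satisfy every composition rule yet are on the blocklist, which is exactly the gap the post describes.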

Similarly, we require users to change passwords so often NOT because frequent changing will make much difference if users have very strong private passwords to begin with, but because users tend to pick very weak passwords to begin with, and like to share them with their buddies.  We set the standards NOT to what is perfect, but to what will generate the best result, given human nature.

There's a good chance that a lot of people with security backgrounds will jump in to rebut what I've written above, and that's to be expected - there's no universal consensus here on what best practices are.  We can debate all day.

But my broader point is: it's not just the recommendations, but the result of the recommendations combined with the user's response, that determines what the "best recommendations" should be.  And so you don't make perfect-world recommendations, but rather recommendations that take into account the user's response.

There are parallels here to the health/fitness community.  The clearest example is the recommendation that we see for 30 minutes of moderate exercise on most days of the week.  Many people, especially those who don't really like working out to begin with, assume that this means that 15-30 minutes is optimal for health.  But it doesn't say that anywhere in the HHS document.  The 30 minutes of moderate activity is recommended because it at least gets people to do something.  Again, the recommendations are determined based on what they think people will actually do, not what is best in the real world.

But I wonder here, too, if we don't also see a parallel to the canned running training plans that so many seem to place utter trust in, like the ones set forth in Jack Daniels or Pfitzinger, or (*shudder*) Smartcoach (lots of irony in that name).  What if those plans aren't based on what's really best, but instead on the assumption that the reader probably won't follow the plan fully?  Which means that those who compulsively stick to the plan no matter what wreck their training in the process.

And of course, I don't see how any plan could ever be "best" anyway.  Too many variables, and there's also the belief that there's one "best workout" or "best plan" -- that's the belief that so often gets us into trouble.  It's really just consistency that advances one in running, not strict adherence to a schedule of paces and mileage no matter what.

Interesting thought, huh?  Makes me pretty happy that I was never one to buy into one of those preset plans.


  1. Users tend to pick weak passwords because we have to remember about 8,000 of them. I have 6 different work passwords that change at different times. On top of that I have banking, email, voicemail, pin, phone number, social number etc etc. Forcing hard passwords with constant changes just leads to users writing them down and sticking them to their monitor or under their keyboards.

    Your argument is to continue doing the same thing and expecting different results. Which seems a little silly. ;)

  2. Phil - I think that's the definition of insanity, actually. And I've never claimed to be 100% sane. Heck, I run for "fun".

  3. Great analogy. Because so many sites require a login and password, people tend to use the same passwords for multiple sites. All it takes is just one person at one of those companies to get a hold of your email address and password, and they can probably login to your various bank accounts, email accounts, etc. I try to vary my passwords, but as you said, then it's hard to remember which password goes with which site. I agree that "canned" training plans should just be guidelines. Listening to your body is best!