Of course, what doesn't get captured in this comic is the fact that the security professional has to consider what the user will ACTUALLY DO in response to requirements. Yes, if we could rely on users to choose truly random strings of words, it'd work great. But in practice, there would be a non-negligible number of users who would choose something like "thisismypassword" or "th1s1smypassw0rd" or "correcthorsebatterystaple".
And while we do have the mechanics to force someone to have a password of so many characters minimum, with so many special characters, uppercase/lowercase, etc., we don't have a similarly easy way to confirm that a string of words was chosen at random.
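To make the asymmetry concrete, here is an added example (not from the original post) that puts the two kinds of check side by side: a length/character-class rule, which is mechanically enforceable, and a word-based check that can only segment a passphrase against a dictionary, reject phrases on a blocklist and count words. The word list, blocklist and leet-substitution table are constructed for the example; the "bits" figure is nominal, computed as if each word were drawn uniformly from the dictionary, which is exactly the assumption the checker cannot verify.

```python
import math
import re

# Constructed toy word list standing in for a real dictionary of thousands of words.
WORDLIST = {"this", "is", "my", "password", "pass", "word", "the", "correct",
            "horse", "battery", "staple", "tropical", "ledger", "velvet", "orbit"}
# Constructed blocklist: phrases known to be common or publicly famous.
BLOCKED_PHRASES = {"thisismypassword", "correcthorsebatterystaple"}
# Undo the usual digit/symbol substitutions before matching words (assumed mapping).
LEET = str.maketrans("0134@$", "oieaas")


def passes_complexity_rules(pw, min_len=12, min_classes=3):
    """The enforceable mechanics the post mentions: minimum length plus character classes."""
    classes = sum(re.search(p, pw) is not None
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    return len(pw) >= min_len and classes >= min_classes


def segment_words(text):
    """Split text into the fewest dictionary words, or None if it is not all words."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            if best[start] is not None and text[start:end] in WORDLIST:
                cand = best[start] + [text[start:end]]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[len(text)]


def assess_passphrase(pw, min_words=4):
    """Word-based check: blocklist, then word count. Entropy is only nominal, because
    it assumes the words were drawn at random, which no checker can verify."""
    normalized = re.sub(r"[^a-z]", "", pw.lower().translate(LEET))
    if normalized in BLOCKED_PHRASES:
        return {"ok": False, "reason": "known phrase", "words": None, "bits": 0.0}
    words = segment_words(normalized)
    if words is None:
        return {"ok": None, "reason": "not dictionary words", "words": None, "bits": None}
    bits = len(words) * math.log2(len(WORDLIST))
    reason = "enough words, randomness unverified" if len(words) >= min_words else "too few words"
    return {"ok": len(words) >= min_words, "reason": reason, "words": words, "bits": bits}


if __name__ == "__main__":
    for pw in ("Th1s1smypassw0rd!", "correcthorsebatterystaple", "tropicalledgervelvetorbit"):
        print(pw, passes_complexity_rules(pw), assess_passphrase(pw))
```

Note that "Th1s1smypassw0rd!" satisfies the complexity rule and is rejected only by the blocklist, while "correcthorsebatterystaple" and a genuinely random four-word phrase get the same nominal bits and are told apart only because the former is on the blocklist.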
Similarly, we require users to change passwords so often NOT because frequent changing will make much difference if users have very strong private passwords to begin with, but because users tend to pick very weak passwords to begin with, and like to share them with their buddies. We set the standards NOT to what is perfect, but to what will generate the best result, given human nature.
There's a good chance that a lot of people with security backgrounds will jump in to rebut what I've written above, and that's to be expected - there's no universal consensus here on what best practices are. We can debate all day.
But my broader point is: it's not just the recommendations, but the result of the recommendations combined with the user's response, that determines what the "best recommendations" should be. And so you don't make perfect world recommendations, but rather recommendations that take into account the user's response.
There are parallels here to the health/fitness community. The clearest example is the recommendation that we see for 30 minutes of moderate exercise on most days of the week. Many people, especially those who don't really like working out to begin with, assume that this means that 15-30 minutes is optimal for health. But it doesn't say that anywhere in the HHS document. The 30 minutes of moderate activity is recommended because it at least gets people to do something. Again, the recommendations are determined based on what they think people will actually do, not what is best in the real world.
But I wonder here, too, if we don't also see a parallel to the canned running training plans that so many seem to place utter trust in, like the ones set forth in Jack Daniels or Pfitzinger, or (*shudder*) Smartcoach (lots of irony in that name). What if those plans aren't based on what's really best, but instead on the assumption that the reader probably won't follow the plan fully? Which means that those who compulsively stick to the plan no matter what wreck their training in the process.
And of course, I don't see how any plan could ever be "best" anyway. There are too many variables, and the belief that there's one "best workout" or "best plan" -- that's the belief that so often gets us into trouble. It's really just consistency that advances one in running, not strict adherence to a schedule of paces and mileage no matter what.
Interesting thought, huh? Makes me pretty happy that I was never one to buy into one of those preset plans.