
A BBC News article attributes a claim to Jason Tooley, chief revenue officer at Veridium:

Not only would getting rid of passwords improve security, it would also mean IT departments would not have to spend valuable time and money resetting forgotten passwords.

"There is an annual cost of around $200 (£150) per employee associated with using passwords, not including the lost productivity," says Mr Tooley.

"In a large organisation that's a really significant cost."

This seems incredible to me, is there any basis for it?

Moo-Juice

  • Has this been set against the cost of *not* using passwords? – Weather Vane Oct 29 '19 at 17:36
  • You may want to clarify that the statement in the title is a quote from a Mr. Jason Tooley, who is "chief revenue officer at Veridium, which provides a biometric authentication service." He's the one making the claim, and the article is just repeating it. – F1Krazy Oct 29 '19 at 17:49
  • Microsoft recently stated that frequent password changes are not helping anything. This 2016 statement by the FTC concurs: https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes. NIST is also against regular password changes. – NothingToSeeHere Oct 29 '19 at 19:31
  • Note that someone at a "biometric authentication service" would have a vested interest in companies dropping passwords for their products. This is Churnalism pure and simple. – The Forest And The Trees Oct 30 '19 at 08:48
  • To clarify the claim - it's a claim by a promoter at a Biometrics company that would be happy to "encourage" use of their product. It appears to be a claim on the cost of the password reset process, not connected to the previous point on security (so not the cost of system compromises) but doesn't distinguish between IT staff time, or the cost of systems to enable/automate the process. – Baldrickk Oct 30 '19 at 14:32
  • https://phys.org/news/2017-06-customers-passwords-business.html adds some statistics on password retention by users: "_Twenty-one percent of users forget passwords after 2 weeks, and 25 percent forget one password at least once a day," the study found_, although this is looking at customers using many online retail sites, and is not necessarily directly comparable to an account password users will use day in and day out. – Baldrickk Oct 30 '19 at 14:35
  • cont: https://www.securitymagazine.com/articles/89384-study-explores-why-and-how-people-forget-passwords states that "_human memory naturally adapts based on an estimate of how often a password will be needed. Important, frequently used passwords are less likely to be forgotten_" – Baldrickk Oct 30 '19 at 14:38
  • The word you are looking for is "incredible" (meaning not believable), not "incredulous" (meaning not gullible). – DJClayworth Oct 31 '19 at 14:41
  • @WeatherVane I don't always check this place, and you are quite correct. I wouldn't stress too much. – Moo-Juice Nov 01 '19 at 09:37
  • @Moo-Juice I've deleted my OT remark. – Weather Vane Nov 01 '19 at 09:38
  • Suppose that it takes 20 seconds to type in one's password, split between typing in the password itself (and occasionally missing) and the time cost of taking one's mind off the task at hand. Suppose this has to be done 6 times every working day. Given about 180 working days per year, this results in six hours per year just for typing in passwords. If an employee's cost to the employer is $33.33 per hour, which is very low considering cost of benefits, workspace, equipment, overhead, and profits, this easily results in $200 per year. That figure of $200/year is ridiculously low. – David Hammen Nov 02 '19 at 11:29
  • @DavidHammen The claim appears to say it is not counting lost productivity, it is just measuring the cost of password compromise. – IllusiveBrian Nov 02 '19 at 13:35
  • @Baldrickk "25 percent forget one password at least once a day," I assume that means "On any particular day, 25% will forget at least one password", but it sounds like it's saying "People who forget at least one of their passwords each day make up 25% of the population." – Acccumulation Dec 03 '19 at 03:09

1 Answer

The statement that the "annual cost of around $200 (£150) per employee associated with using passwords" is given out of context. It isn't the use of passwords themselves that cost that much, it's the cost of what happens after passwords are compromised and the accounts are broken into.

The article says:

Facebook admitted in April that the passwords of millions of Instagram users had been stored on their systems in a readable format

This practice is inexcusable. There is no need for any organization or software to store passwords in any format whatsoever. Operating systems such as UNIX have known this for over 40 years, and simply do not store passwords.

Instead they use the entered password as the key for encrypting something else, and they store that encrypted value. The password itself exists only in temporary memory and never appears in any file. Other than brute force guessing, it's impossible for anyone, even the owners of the data, to determine the original password from the encrypted value.

The article also says:

People tend to use passwords that are easy to remember and therefore easy to compromise.

The cause of the problem is systems that go to the extremes of allowing trivial passwords or enforcing complicated rules that force people to write down their passwords.

This again is totally avoidable.

[XKCD comic]

Microsoft's Windows 10 system for example requires a mixture of digits, upper and lower case, and special characters. The result is of course very difficult to remember, and often ends up on a piece of paper under the keyboard. They do offer a solution though: if one can't remember the password, a secret 4-digit emergency PIN can be used instead. (Read that last statement again and think about it.)

The BBC article isn't saying that passwords are inherently bad, but that there are other methods that aren't as easy to implement badly.

The article itself though is slanted by getting its facts from a representative of a company that sells biometric identification technology (e.g. fingerprints). Their company would benefit greatly from the elimination of text passwords.

Ray Butterworth

  • Wrong. You need to store passwords, what you should never do is store them in a format that's human readable, or even a format that can be decrypted. – jwenting Dec 02 '19 at 06:05
  • @jwenting: There's no need to store the password at all. Any modern system stores a value that is the result of a mathematical operation (hash function.) The password is just one of the inputs to the hash function. To check if the user gave the correct password, you repeat the hashing function with the entered password and compare the result to the stored result. The system doesn't store the password itself anywhere at all. – JRE Dec 02 '19 at 12:00
  • @JRE which is exactly what I mean. You're still storing a representation of the password, but not in any form (hopefully, some hashing algorithms have been found vulnerable) that can lead back to the plaintext version. I know how it works, I've written such code more than once :) – jwenting Dec 02 '19 at 12:42
  • "Read that last statement again and think about it." I'm not sure I should. It makes my brain hurt. – Acccumulation Dec 03 '19 at 03:13
  • I don't see any proof to your claim that the 200 dollar quote is related to password compromises. While storing passwords in plain text is pretty horrible, that one incident is by no means proof that it costs $200 dollars per person to have passwords compromised. I find it more plausible the intended claim was that the cost of IT, infrastructure, software, and man hours for IT personnel to reset passwords cost 200 dollars per user, and nothing you provided disproves that interpretation of the claim. – dsollen Dec 04 '19 at 22:16
  • @dsollen said "*man hours for IT personnel to reset passwords cost 200 dollars per user*". That might very well be true. But it's not *passwords* themselves that are the problem, it's the ridiculous password *policies* that make it likely that people will need to have their passwords reset that is the problem. – Ray Butterworth Dec 05 '19 at 03:50
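As an added illustration of the mechanism the answer and JRE's comment describe (example code written for this page, not from the answer, the BBC article, or any product mentioned): a minimal account store that keeps only a salted PBKDF2-HMAC-SHA256 output and verifies a login by recomputing it. The iteration count and salt length are assumed values, not taken from the page.

```python
import hashlib
import hmac
import os

# Assumed parameters (not from the page): work factor and salt size.
ITERATIONS = 600_000
SALT_BYTES = 16


def make_record(password, salt=None):
    """Build the stored record for a new password.

    Only the salt and the derived value are kept; the password string is
    discarded as soon as this function returns. A fresh random salt means two
    users with the same password get different stored values.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                  salt, ITERATIONS)
    return {"salt": salt.hex(), "hash": derived.hex(), "iterations": ITERATIONS}


def verify(record, candidate):
    """Check a login attempt by repeating the derivation with the candidate.

    The comparison is constant-time so a wrong guess cannot be told apart by
    how many leading bytes matched.
    """
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                                  bytes.fromhex(record["salt"]),
                                  record["iterations"])
    return hmac.compare_digest(derived.hex(), record["hash"])


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice = make_record("correct horse battery staple")
    bob = make_record("correct horse battery staple")
    print("stored values differ:", alice["hash"] != bob["hash"])
    print("right password accepted:", verify(alice, "correct horse battery staple"))
    print("wrong password rejected:", verify(alice, "Correct horse battery staple"))
```

Nothing in the stored record reveals the password; an attacker who obtains the record can only guess candidates and run the same derivation, which is exactly the brute-force caveat the answer notes.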