Friday, October 14, 2011

Perfection or Paranoia?

Security: How much is too much? 

This question has been an important part of our public dialogue for ten years or more, in the context of screening and surveillance designed to protect us from terrorists.   Perhaps it would be helpful to consider a case study that presents the issues in a different context.  That’s why this post has nothing to do with wiretaps or airports.  Not directly, anyway.
I recently attempted to gain access to a new database.  I won’t identify the database because certain people might not like that.  As you will see, they are very particular…
First I applied to a controlling authority to get a temporary password to access the database for the first time.  Using that, I logged in and was informed that an immediate password change was required.  No problem.  I expected that.  I had a prospective password all ready to go. 
My first password was unacceptable because it wasn’t long enough.  I made it longer. 
My second password was unacceptable because it had too many of the same character.  I eliminated the repetition.
My third password was unacceptable because it didn’t contain enough different types of characters.  I added some unusual ones.
My fourth password was unacceptable because one of the characters was not allowed.
Before I made a fifth attempt to satisfy the Password Lords, I stopped to do some calculating.  This is what I found. 
The password requirements were so complex that they yielded an impossibly high number of potential combinations.  I was able to come up with a number, eventually.  That number was so large that I don’t know its name - and I have taught math.  Now speculate.  How many attempts do you think it might take to solve this puzzle?  How many YEARS do you think it might take a bad guy, working nonstop, to get into this database by guessing at the password?
I could tell you the number, but it would be meaningless to ordinary people.  Too big to grasp.  For clarity, let me put it this way.  Suppose that you have a computer that can check 1,000,000,000,000 (that’s one trillion) combinations per second.  Now suppose that computer began working to guess my password at the end of the last ice age about 12,000 years ago.  Today that computer would be a bit less than halfway through the possibilities.
The information in the database is sensitive, of course.  But let’s just say it’s not protecting nuclear launch codes. 
Now consider this.  The database resides on a secure network which is itself password protected.  The network can only be accessed from physical locations that are themselves secure.  NOW how many years do you think it would take?
It gets better.  The techno-geeks who designed this super-password requirement might benefit by considering the human element in this equation.  The users of this database (and of these super-passwords) are human beings.  And human beings usually don’t have the time or inclination to memorize extraordinary strings of random characters.  So what do at least a few of them do?  They write down the password for reference. 
This is strictly against procedures, of course, but still quite logical.  The users weigh the value of onerous security procedures against the time and effort required to comply.  Considered in terms of efficiency (or inefficiency), the decision may not seem difficult.
The law of unintended consequences is in full effect, and the inevitable conclusion is this:  The requirement for extreme password complexity actually degrades security by compelling users to write down their passwords rather than committing them to memory, creating a risk of loss or compromise.  The database would be safer with a less complex and more easily memorized password. 
Returning to the title question, what do you think?  Does the 24,000-year password requirement indicate perfectionism, or paranoia?  My answer is that paranoia and perfectionism fuel one another, and this password situation demonstrates eloquently how counterproductive that combination can become.
All this is an interesting abstraction, but is it relevant to our national debate about security and individual liberty?  I think so.  I think the lesson is this:
When you try to control the actions of others absolutely, you run the risk of looking foolish, creating discontent, and undermining your own effort all at the same time.

Or to put it another way, one who is trying to make something completely idiot-proof should not fail to consider the guy in the mirror.
Courtesy www.dilbert.com
Now be safe out there.
Gryphem
