Complicated passwords aren't going to solve the computer security problem

Oct 12, 2017

We already know that cybersecurity isn't really working. There was the Equifax hack and the Yahoo hack. There was the whole episode of Russian agents stealing NSA secrets and North Korean hackers stealing U.S. and South Korean war plans. The problem seems to be getting worse, and we haven't yet figured out a way to stop the bad guys from getting in.

Even some of the lectures we get after hacks about updating your software and changing your passwords aren't enough. In fact, Stefan Savage, who was just named a MacArthur fellow for his work studying cybersecurity, says no one really knows how effective those strategies are. He talked with Marketplace Tech's Molly Wood about why code alone won't solve our problems. Below is an edited excerpt of their conversation.

Molly Wood: Do we know what are the best ways to protect our data?

Stefan Savage: So one of the things that I think has been really unfortunate in the cybersecurity realm is how much of it is really just a set of received wisdom and art, and very little based on science. All of these things that we tell you are important to do, like have a long password and run antivirus and patch and all this other stuff, don't go to certain sites, don't use file sharing — we actually have no idea how much that helps. And we'd like to actually measure that effect so that we can have guidance based on science about what practices actually lead us to be more secure.

Wood: What do you find are maybe the biggest misconceptions, like you said, for example, the password thing doesn't work. Can you give us some examples of that?

Savage: Well, so the password one is a fascinating one, because it's deeply ingrained in corporate culture that we are taught we have to have long, complicated passwords and change them frequently. And that one makes a ton of sense on its face. But it turns out that those ideas aren't actually borne out by measurement, because when people pick their passwords, they don't actually pick them randomly. And if you tell people, all right, we need you to put numbers in your passwords and they haven't before, then they're going to replace I's with ones and E's with threes. In fact, these rules frequently make us less secure; people pick less good passwords. And my gut is that this is true in quite a few domains. It's very easy for you to fall into a fallacy that's not actually driven by data.

Wood: Level with me, because you used the example of virus, and you said we have antibiotics and we have this and that. But is there a possibility that security and vulnerabilities in security are more like the common cold, something that we may not actually be able to get rid of?

Savage: I would say that it's absolutely the case. In my lifetime, I don't think we will have broadly used general computer systems that are completely secure. I don't think that is a reasonable expectation given what we know about how to engineer computer systems and software. We don't know how to make them that fragile. There's a bunch of things that we can do to make them better. And there are a lot of things that we can do to recover from insecurities and mistakes that we can do better. But there is not going to be a lack of work in the computer security field for a very long time.