The password-reset paradox

Jerry Leichter leichter at lrw.com
Fri Feb 20 14:00:18 EST 2009


On Feb 19, 2009, at 8:36 AM, Peter Gutmann wrote:

> There are a variety of password cost-estimation surveys floating around that
> put the cost of password resets at $100-200 per user per year, depending on
> which survey you use (Gartner says so, it must be true).
>
> You can get OTP tokens for as little as $5.  Barely anyone uses them.
>
> Can anyone explain why, if the cost of password resets is so high, banks and
> the like don't want to spend $5 (plus one-off background infrastructure costs
> and whatnot) on a token like this?
>
> (My guess is that the password-reset cost estimates are coming from the same
> place as software and music piracy figures, but I'd still be interested in any
> information anyone can provide).
I suspect some very biased analysis.  For example, people who really  
need their passwords reset regularly will probably lose their tokens  
just as regularly.  The cost of replacing one of those is high - not  
for the token itself, but for the administrative costs, which *must*  
be higher than for a password reset since they include all the work in  
a password reset (properly authenticating user/identifying account  
probably contribute the largest costs), plus all the costs of  
physically obtaining, registering, and distributing a replacement  
token - plus any implied costs due to the delays needed to physically  
deliver the token versus the potential for an instantaneous reset.

I suppose the $100-$200 estimate might make sense for an organization  
that actually does password resets in a secure, carefully managed  
fashion.  Frankly ... I, personally, have never seen such an  
organization.  Password resets these days are mainly automated, with  
authentication and identification based on very weak secondary  
security questions.  Even organizations you'd expect to be secure  
"authenticate" password reset requests based entirely on public  
information (e.g., if you know the name and badge number of an  
employee and the right help desk to call, you can get the password  
reset).  New passwords are typically delivered by unsecured email.   
All too many organizations reset to a fixed, known value.

It's quite true that organizations have found the costs of password
resets to be too high.  What they've generally done is saved money on
the reset process itself, pushing the cost out into whatever budgets
will get hit by the resulting security breaches.
                                                         -- Jerry


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
