The password-reset paradox

Ian G iang at systemics.com
Sat Feb 21 07:19:01 EST 2009


On 19/2/09 14:36, Peter Gutmann wrote:
> There are a variety of password cost-estimation surveys floating around that
> put the cost of password resets at $100-200 per user per year, depending on
> which survey you use (Gartner says so, it must be true).
>
> You can get OTP tokens as little as $5.  Barely anyone uses them.


The two numbers are not comparable.  One is the business cost to a 
company including all the internal, absorbed costs (see Steve's email), 
while the other is the pricelist of the supplier, without internal 
user-company costs.

If we compared each method using the other's methodology, passwords 
would "list" at $0 per reset, and token recoveries would "estimate" at 
$105 to $205, plus shipping.


> Can anyone explain why, if the cost of password resets is so high, banks and
> the like don't want to spend $5 (plus one-off background infrastructure costs
> and whatnot) on a token like this?


It is a typical claim of the smart card & tokens industry that the 
bulk unit cost of their product is an "important number".  This is 
possibly because the sellers of such product cannot offer the real 
project work because they are too product oriented and/or too small.  So 
they have to sell on something, and push "the number."  It is for this 
reason that IBM once ruled the world: they bypassed the whole 
listprice/commodity issue.

As a humourous aside, here's another deceptive sales approach available 
to the token world, the end of "something we know" security, as we know 
it :)

http://www.technologyreview.com/computing/22201/?a=f



iang

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
