Monday, February 02, 2009

Information Security and xkcd

I've been saying for years that information security is one of the most over-emphasized and overblown "issues" around today. It's as if the second someone realized "hey, maybe some dishonest person out there might try and steal my information", without any provocation, an entire industry was born out of paranoia.

In playing devil's advocate, even I'm not prepared to say "just because it's out there doesn't mean someone will want to steal it." I think if it's out there, someone eventually will try and steal it. But what I certainly am prepared to say is "just because it's out there doesn't mean it's worth stealing." Apparently today's xkcd agrees with me (read the comic, then look at the alt-text).

The truth is that very few of our secrets are worth stealing. Financial information is probably the one exception for the individual; corporations and governments do of course have secrets that might be worth stealing. A personal email address, though? If you're going to take the time to guess my gmail password, then by all means read my dictionary.com "Word of the Day" emails and Facebook notifications.

The good folks at Google realize this and therefore do not make their users change their passwords if they don't want to. It's a very laissez-faire approach to information security: let the individual apply exactly as much security to his information as he thinks is necessary. It's one that colleges would do well to emulate.

Georgia Tech's policy involves changing your password once every few months, with a mandated arcane combination of different "character classes" (i.e., upper-case letters, lower-case letters, numbers, and symbols). But that's where the restrictions end. If I wanted to make my password "abc123!", I certainly could. It's essentially a middle-of-the-road approach, comparable to most corporate systems. And honestly, my password getting hacked could lead to some untoward things going on, including my unwitting withdrawal from school. The one issue I have with the system is that it presumes my password is not good enough the first time around, and I have to keep trying to improve it.

The Georgia Tech School of Mathematics (where I'm currently employed) makes the Institute policy look lax by comparison. In addition to the aforementioned restrictions, the Math password cannot start or end with certain characters, it cannot repeat the same character too many times, and it cannot "resemble a dictionary word" too closely. After a few rounds of my usual passwords getting rejected, I resorted to video game characters, of course augmented with different character classes.

I don't know what dictionary this system is drawing from, but if "Akatosh" really resembles a dictionary word, my vocabulary obviously isn't as strong as I'd like to think it is.
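To make the two rule sets concrete, here is an added example (not from the post or from Georgia Tech) that models the Institute rules and the stricter Math-department rules as the post describes them. The thresholds, the forbidden start/end characters, and the tiny word list are assumptions; a real checker would use a full dictionary, which is why a name like "Akatosh" can be flagged in practice.

```python
import string
from difflib import SequenceMatcher
from itertools import groupby

# Constructed word list standing in for the unknown dictionary the post mentions.
DICTIONARY = ("password", "welcome", "dragon", "monkey", "letmein")
FORBIDDEN_EDGE = set(string.punctuation)  # assumed: no symbol at start or end
MIN_CLASSES = 3        # assumed: 3 of the 4 character classes are required
MAX_REPEAT = 2         # assumed: no character more than twice in a row
RESEMBLE_RATIO = 0.8   # assumed: similarity at which a word "resembles" an entry

def character_classes(pw):
    """Return the set of character classes present in pw."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes

def institute_violations(pw):
    """Institute policy as described in the post: only the class mix is checked."""
    problems = []
    if len(character_classes(pw)) < MIN_CLASSES:
        problems.append("needs at least %d character classes" % MIN_CLASSES)
    return problems

def resembles_word(pw):
    """Compare the letters of pw against the word list with a similarity ratio."""
    letters = "".join(c for c in pw.lower() if c.isalpha())
    return any(SequenceMatcher(None, letters, w).ratio() >= RESEMBLE_RATIO
               for w in DICTIONARY)

def math_violations(pw):
    """Institute rules plus the Math-department rules the post lists."""
    problems = institute_violations(pw)
    if pw and (pw[0] in FORBIDDEN_EDGE or pw[-1] in FORBIDDEN_EDGE):
        problems.append("may not start or end with a symbol")
    if any(len(list(run)) > MAX_REPEAT for _, run in groupby(pw)):
        problems.append("repeats a character more than %d times" % MAX_REPEAT)
    if resembles_word(pw):
        problems.append("resembles a dictionary word")
    return problems
```

"abc123!" satisfies the class-mix rule alone but trips the stricter set, which is the gap between the two policies the post describes.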

And what would guessing or hacking this password get for you? Emails about Friday bagel breakfasts with Math grad students and access to a handful of computers that I didn't even know existed until I started working for the department.


Currently listening: "A Day in the Life", Mae (covering the Beatles)

1 comment:

Scott said...

Well stated. People get really bent out of shape about security. And the effect is actually less security, not more. If my password is too obscure, I'll have to write it down. Passwords which are written down are begging to be stolen.