As Prof. Ed Felten at Princeton says in a new post on the “Freedom to Tinker” blog, folks in the computer security field are fond of talking about “best practices” — those established methods that are felt to be most likely to produce good results. He suggests, though, that we should think about “worst practices”, too:
These days, security advisors talk a lot about Best Practices: established procedures that are generally held to yield good results. Deploy Best Practices in your organization, the advisors say, and your security will improve. That’s true, as far as it goes, but often we can make more progress by working to eliminate Worst Practices.
He defines a Worst Practice this way: “A Worst Practice is something that most of us do, even though we know it’s a bad idea.”
I think his suggestion has a great deal of merit. Security is a process, and good security is achieved not by pulling off some brilliant, innovative act, but by not getting things wrong. In fact, to me, system security is a quintessential Loser’s Game: the player who screws up least wins.
Prof. Felten gives the use of passwords for Web site security as an example. For someone developing a new Web site that needs security, passwords are an easy choice. They are commonly used, so users are already familiar with them, and there is probably canned software that the developer can use, perhaps with a few minor modifications. Thus, passwords are the path of least resistance for the developer. We can also observe that our old friend, the economic externality, is at work here. The developer is not likely to realize any tangible benefit from better security; that benefit will accrue to the users. Using passwords is “good enough”, and what everyone else does. So better security is always a feature to be added “real soon now”. As Prof. Felten says,
The key to addressing Worst Practices is to recognize that they persist for a reason. … There’s typically some kind of collective action problem that sustains a Worst Practice, some kind of Gordian Knot that must be cut before we can eliminate the practice.
There is another Worst Practice that I frequently encountered during my years working in IT in the financial industry. Many auditors and other supervisory bodies “recommend” a rule that login passwords must be changed every X days. I don’t know where or when this idea originated, but no one has ever been able to give me a convincing reason why it should improve security. Users complain about it constantly, and it leads to work-arounds, like the user’s cycling through a list of 3 or 4 passwords for everything, or the “password on a PostIt note” phenomenon. I suspect it persists because no auditor wants to be the first to observe that the emperor is unclothed.
Prof. Felten suggests that getting rid of Worst Practices will require leadership from some of the large technology companies, like Google and Facebook. I think that would certainly help. We also need, as always, to ensure that the people who are in a position to do something about the problem have the correct incentives.