Slashdot Mirror


Password Overload

Cy Guy writes "The NY Times has an article on how users are coping with an overload of passwords. Helpdesk costs related to lost passwords are $340/user/year according to the Gartner Group estimate cited." (Free NYT account required to read.)

10 of 124 comments

  1. Re:Uh, huh... by John+Fulmer · · Score: 2

    >1/2 half of that is $1,190,000.

    > um.... (no further commenting needed.)

    Okay, so I forgot a '0'.. $11,900,000... The rest of the math was right...297 1/2 people changing passwords....

    jf

  2. Re:Would you trust a closed source program for thi by Jburkholder · · Score: 2

    No. Which is why I said I'd never put a real system account into this, just all my crap webmail passwords that I really couldn't care less if they are compromised. :-)

  3. Re:Would you trust a closed source program for thi by Jburkholder · · Score: 2

    Where did 'great and difficult' enter? Most of these passwords are the same, or variations, based on what the length and other limits allow. Most of the time it's the account name that I have to remember. Sometimes it's the same one I like to use all over, sometimes it's my 'quake' handle, sometimes it's one of the dozen or so webmail accounts I have.

    I'm not using Keep it Safe to lock up inner-sanctum passwords, just to have a moderately-secure place to keep track of all these accounts and passwords. I used to have them in a clear-text notepad file; this is a shade better.

  4. ack! by willhelm · · Score: 3

    forgot my NYT password--how am i going to read the article now!

    /willhelm

  5. Sorry... by jd · · Score: 2

    This post requires a password to read, and you've forgotten it.

    --
    It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)

  6. Compromise solution by TheMeld · · Score: 2

    Some security paranoids try and have every password different. Others make all their passwords the same. Both end up causing problems. I use a compromise. I have three passwords.

    One is a 'high-security' password that I only use in trusted, secure situations. My root password falls into this category. This password NEVER goes over any clear channel, nor is it typed in when anyone is possibly watching.

    The next level of password is the medium security password. This is for systems where I care about security, but compromising it wouldn't cause serious problems, the person would just be able to read some personal documents, and perhaps impersonate me.

    The final password is the I-don't-give-a-rat's-ass-about-security password. This is for things like slashdot, NYT, and other web services. These are ones where I (or someone else) wants some kind of security, but I don't particularly care if it gets compromised, as the person couldn't do much with it (Oh no, they impersonated me while reading the NYT!).

    Each password gets changed with a frequency tied to how important it is. For example, root gets changed every month or so. My regular login gets changed every few months, and I haven't changed the who-gives-a-shit password in over a year.

    The upshot is that I never forget my passwords, and I haven't had to ask a sysadmin to change one in years. And none of my accounts have been compromised (yet).

    --
    -Cheetah

  7. Uh, huh... by John+Fulmer · · Score: 2

    And 90% of all stats are made up by operations managers looking for more budget for helpdesk functions.

    And the other 90% are made up by consulting firms looking to court SSO (single-sign-on) product companies......

    Let's look at the numbers, shall we? Let's say we work for a company that has 70,000 (I have one in mind) employees that use computer systems and have at least one password.

    Let's also assume that the helpdesk function at this company spends a 50/50 ratio on personnel and equipment for help desk functions, and the median help desk person gets $40k per year (which is actually high to account for HR costs and benefits).

    Let's do some math:

    70,000 employees x $340 = $23,800,000

    1/2 half of that is $1,190,000. At the median salary of $40k per year, that means that the helpdesk for this company has 297 1/2 people doing nothing but password recovery functions every year. I know for a fact that this is not true.

    Now, not having read the article (I refuse to register to news sites), I'm sure that they figure things in such as lost productivity, research time, and so on. But I sincerely doubt that the actual costs are even approaching what Gartner gives.

    You should take these things with a grain of salt. Different environments have different costs associated with password management. A large mainframe-based company can handle thousands of users with a very small staff for password functions. A loosely networked company, where everyone has Administrator on his NT box, and 15 servers to log into, will have higher costs. A large company will have smaller costs per capita than a mid-sized company.

    jf

    1. Re:Uh, huh... by John+Fulmer · · Score: 2

      I'm not arguing that password changes cost money, it's just that these figures get WAY out of hand after a while.

      You may notice that MY numbers were just as arbitrary and meaningless...

      jf

  8. Re:passwords by Jburkholder · · Score: 2

    "Keep it Safe" is a freeware program for W32 that does this. I use it at work to keep track of all the mail-lists, web-mail, web-shopping-accounts and stuff like that. Not sure I would ever really put a real system account there tho.

    Wish there was a Linux port of this that I could use at home, it is pretty useful.

  9. Re:340$ user/year? Ha! by davie · · Score: 2

    Don't forget about desktop and laptop passwords, which aren't always easy to circumvent, and often require a call to the manufacturer's tech line and some sort of ID before you can get the magic incantation. Beyond that, you have password-protected applications, Office documents, db accounts, PGP, etc. which all require varying degrees of knowledge and/or hassle to bypass, or are so difficult to bypass that it isn't worth the effort required, thereby making the protected property, real or intellectual, worthless for all intents and purposes.

    Then there are PDAs, door lock PINs, secure filing cabinet PINs, ATMs, etc.

    The use of password protection has proliferated beyond our ability to manage it, and it's not always cheap to bypass the protection.

    --
    slashdot broke my sig