Sunday, January 22, 2006

Passwords do not security make

Risks to the Public cites Cingular's decision to let customers skip entering their voicemail password when accessing their voicemail from their own hardware (with the ability to opt in to the password requirement).

I think Risks is way too harsh on this worthwhile innovation.

"The risks are obvious -- to everyone except decision-makers at Cingular."


I don't think it's nearly so clear. Firstly, the necessary privacy for voicemails is a spectrum distribution across users. There are some users whose voicemail needs to be very private. My financial advisor's voicemail message asks me to leave only a callback number. Some people presumably turn voicemail off entirely to prevent sensitive information from being stored in voicemail.

But my sister leaving me a message to call her, my mother reminding me to pick something up at the grocer, these things are not worthy of extreme privacy. In general I cannot think of a voicemail I've ever received that I wouldn't just as soon post to the web in public as an mp3, or even as something Googleable. And I don't think I'm alone in having very modest, or nonexistent, security needs for voicemail.

Security is not simply a "more is better" thing. It is a cost-benefit analysis, a tradeoff. In general, more security is less convenient and introduces failure modalities (forgotten passwords). I'm particularly impressed with Cingular here in introducing an innovation where end users are empowered to determine the appropriate security factors for their individual needs.

The critical factor to consider is not risk, but marginal risk. How much less secure is eliminating a pathetically short password from a relatively secure personal hardware device?

A sober analysis of the marginal risk would lead me to turn off the password for accessing voicemail from my own handset. If the Adversary gets at my cell phone, how much additional pain do I experience if, besides my address book and call history, he also gets at my voicemail? Not much, I suggest.

An additional risk here is that the Adversary might succeed in masquerading as my cell phone device and thereby access my voicemail, whereas with the password in place, merely appearing to be my device would be insufficient. But again, if you steal my voicemail, you won't find anything worth stealing.

My expected annoyance of a lifetime of typing in a pointless password is greater than my expected annoyance of having my voicemail hacked because of some marginal risk.

I suspect that for some people, eliminating the voicemail password would actually improve security. Consider the user that re-uses that same PIN for an ATM card, a credit card, or a phone card.

Often we best secure by reserving security for the things truly deserving of security.
