Someone could beat you about the head, a technique euphemistically known as "rubber-hose cryptanalysis," to obtain your secrets. It didn't work in Marathon Man, but it can.
Fortunately, that's not a scenario likely to concern most Internet users. But it demonstrates one of several vulnerabilities that come with trying to remember passwords. There's another issue that may be more relevant: Memory doesn't scale. Trying to remember multiple passwords, if they're as complex as they should be, is a recipe for failure.
The difference in security practices between the two groups is striking. The researchers conducted two surveys -- one polling 231 security experts and the other polling 294 Internet users who are not security experts. The latter group was recruited from Amazon's Mechanical Turk crowdsourcing platform.
Among respondents who are not security experts, 42% consider the use of antivirus software to be among the top three things one can do to stay safe online. Only 7% of the security experts polled believe that. Instead, experts prefer keeping software updated. "AV is simple to use, but less effective than installing updates," said one.
When it comes to passwords, only 24% of non-experts polled said they used password managers for at least some of their accounts, compared to 73% of experts. The research paper suggested that non-experts don't trust password management companies. That may not be an entirely unreasonable stance, given the recently reported breach of LastPass. However, experts observed that using a password manager allows people to have passwords that are both strong and unique.
Reused passwords present a risk because attackers routinely take credentials leaked from one website and try them against accounts on others (a technique known as credential stuffing) to find accounts they can hijack. Where a reused password works, further compromises may follow, since the hijacked account can be used for password resets, internal phishing, or access to data stored there.
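The point above is easiest to see from the defender's side. What follows is an added example, not code from the article or from the research paper: a small Python triage script run over constructed authentication log lines (the log format, field names and thresholds are all assumptions) that separates the credential-stuffing signature, one or two tries each against many different accounts from a single source, from a brute-force run against a single account, and lists the accounts the replayed credentials actually got into.

```python
"""
Credential-stuffing vs. brute-force triage over authentication logs.
Added illustration; the log format, field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not taken from any real system).
# 203.0.113.7 replays a leaked list: one try per account, some succeed.
# 198.51.100.9 hammers a single account: classic brute force.
# 192.0.2.44 is an ordinary successful login.
SAMPLE_LOG = """\
2015-07-24T10:00:01Z ip=203.0.113.7 user=alice result=FAIL
2015-07-24T10:00:02Z ip=203.0.113.7 user=bob result=FAIL
2015-07-24T10:00:03Z ip=203.0.113.7 user=carol result=SUCCESS
2015-07-24T10:00:04Z ip=203.0.113.7 user=dave result=FAIL
2015-07-24T10:00:05Z ip=203.0.113.7 user=erin result=FAIL
2015-07-24T10:00:06Z ip=203.0.113.7 user=frank result=SUCCESS
2015-07-24T10:01:00Z ip=198.51.100.9 user=alice result=FAIL
2015-07-24T10:01:05Z ip=198.51.100.9 user=alice result=FAIL
2015-07-24T10:01:10Z ip=198.51.100.9 user=alice result=FAIL
2015-07-24T10:01:15Z ip=198.51.100.9 user=alice result=FAIL
2015-07-24T10:01:20Z ip=198.51.100.9 user=alice result=FAIL
2015-07-24T10:05:00Z ip=192.0.2.44 user=grace result=SUCCESS
"""

# Assumed log format: "<ISO8601 ts> ip=<addr> user=<name> result=SUCCESS|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>SUCCESS|FAIL)$"
)


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def classify_sources(events, window_seconds=300, min_accounts=5,
                     max_tries_per_account=2.0, min_brute_tries=5):
    """Group attempts by source IP and label each source.

    credential_stuffing: many distinct accounts, roughly one try each,
        all inside the window (a leaked credential list being replayed).
    brute_force: many tries against a single account.
    benign: anything else.
    The thresholds are illustrative assumptions, not tuned values.
    """
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        span = (evs[-1]["ts"] - evs[0]["ts"]).total_seconds()
        accounts = {e["user"] for e in evs}
        tries = len(evs)
        tries_per_account = tries / len(accounts)
        # Accounts the attacker actually got into: the ones where
        # "further compromises may follow" and a forced reset is due.
        compromised = sorted({e["user"] for e in evs if e["result"] == "SUCCESS"})

        if (span <= window_seconds and len(accounts) >= min_accounts
                and tries_per_account <= max_tries_per_account):
            verdict = "credential_stuffing"
        elif len(accounts) == 1 and tries >= min_brute_tries:
            verdict = "brute_force"
        else:
            verdict = "benign"

        findings[ip] = {
            "verdict": verdict,
            "accounts": len(accounts),
            "attempts": tries,
            "compromised": compromised if verdict != "benign" else [],
        }
    return findings


if __name__ == "__main__":
    for ip, finding in classify_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, finding)
```

Note that a per-account lockout, the usual brute-force defence, does nothing against the first source: each account sees only one attempt, which is exactly why the per-source view matters. The accounts in the `compromised` list are the ones whose owners reused a password somewhere else; a password manager that generates a unique secret per site is what removes them from that list.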
A third point of differentiation between security experts and non-experts is the use of two-factor authentication. Eighty-nine percent of security experts polled said they used two-factor authentication, compared to 69% of non-experts. Some 12% of non-experts said they didn't know whether they use two-factor authentication – which probably means they don't.
Security experts don't always follow their own advice – the report noted that 38% of security experts admitted to clicking on links in email messages from unknown senders, compared to only 12% of non-experts -- so perhaps each group can learn from the other.
The report's major shortcoming, beyond the limitations the authors themselves identify, is the absence of outcome data. Do people who patch promptly, use a password manager, and enable two-factor authentication actually get compromised less often? We may think we know, but the survey measures what each group says it does, not whether doing it works.
Thomas Claburn has been writing about business and technology since 1996, for publications such as New Architect, PC Computing, InformationWeek, Salon, Wired, and Ziff Davis Smart Business. Before that, he worked in film and television, having earned a not particularly useful ...