Wed 17 Jun 2009
Random half-considered theory: within the information security field, the term “sensitive data” is used as a catch-all for anything worth protecting. That choice of word subtly guides us to be evasive, tentative, even secretive about the mere existence of such information, and unwilling to discuss openly the risk management strategies appropriate to a given set of data, because of the way we interpret, use and think of the word “sensitive” in other contexts. It’s too easy to make the leap from “sensitive data” to “sensitive people,” and we are trained to tiptoe around sensitive people. If we switched to using the term “valuable data” we would more easily discuss it in a matter-of-fact manner.
Now see, whenever I see the term “sensitive” in a context like this, the first thing that leaps to my mind is “incriminating,” e.g. a set of double books or insider trading or something.
I get that. In general, I scan the use of “sensitive,” in the context of information security, to mean “oh shit what if this got stolen and someone found out?” I don’t think fear makes a good long-term motivator. Hearing someone say, “I’d rather spend the money to secure this than read about its theft on the front page of the student paper,” may work as a great short-term motivator but long-term fear is something that exhausts rather than bolsters. I want people to see protected/valuable/sensitive/etc. data as something in which they’re investing, not something they should fear.
Just curious, what do you think of Jakob Nielsen’s latest contention:
http://www.useit.com/alertbox/passwords.html
Honestly? It reads to me as someone saying something just to have something to say. In the age of automated password resets, password masking is not what’s at the root of all those massive coronaries in the future of support staff the world over. Neither are reset buttons.
I think the point that password masking leads people to choose weak passwords might hold water except that I can’t think of a single account I’ve set up this decade that doesn’t have some sort of minimum complexity requirement.
My personal philosophy on this is pretty non-standard, though. I think people should come up with one really strong password that they have no trouble remembering and then use it for as long as they want because their chief goal should be to avoid being the lowest hanging fruit in any given bunch and accept that if they, personally, are targeted then their password not timing out isn’t going to be what saves them.