Cormac Herley of Microsoft Research will challenge everything you think you know about password management.

Sara Peters, Senior Editor

September 16, 2014

2 Min Read

We all know the rules. At least eight characters; combination of lowercase, uppercase, numerals, and special characters; different for every account; changed periodically; and never stored in plain text anywhere, not even on a Post-it note. Those are the golden rules for password management we all know, advise, and (probably) follow... but maybe we're wrong.

Over the past few months, the public has been hammered with data breaches, including those that exposed passwords. Security experts have been thrust into the public eye, in newspapers and on television, urging, begging, and warning users to improve their password practices. Yet Cormac Herley, principal researcher at Microsoft Research, says that it's time to stop putting all the responsibility on end users -- time to stop the blaming and shaming. Not only is following the rules too difficult, says Herley, but it isn't even worth the effort.

Herley's recent work on passwords, with Dinei Florencio and Paul C. van Oorschot, includes statements like "a [password] portfolio strategy ruling out weak passwords or password re-use is sub-optimal," and if the IT department doesn't do its job well, "there is no attack scenario where the [user's] extra effort protects the account."

Sound crazy? Want to know how they came to those conclusions? Then don't miss the next episode of Dark Reading Radio, "A Grown-Up Conversation About Passwords," tomorrow, Wednesday, Sept. 17 at 1:00 p.m. ET/10:00 am PT, with our guest, Cormac Herley.

Have questions you want us to ask? Let us know in the comments below. If we can't get to those questions during the audio interview, never fear -- you'll have the chance to ask him questions yourself, during the live chat session happening alongside the broadcast.

Don't miss this chance to challenge all your assumptions about password management. Register now.

About the Author(s)

Sara Peters

Senior Editor

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad of other topics. She authored the 2009 CSI Computer Crime and Security Survey and founded the CSI Working Group on Web Security Research Law -- a collaborative project that investigated the dichotomy between laws regulating software vulnerability disclosure and those regulating Web vulnerability disclosure.


Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights