Shostack + Friends Blog Archive


Infosec Incentives for People

So there’s been discussion here recently of how to motivate security professionals to do better on security. I think it’s also worthwhile to look at normal people. And conveniently, Bruce Schneier does so in his Wired column this month, “MySpace Passwords Aren’t So Dumb.” He looks at how MySpace users do in their passwords versus corporate users, and finds MySpace users have better passwords:

On the other hand, the MySpace demographic is pretty young. Another password study (.pdf) in November looked at 200 corporate employee passwords: 20 percent letters only, 78 percent alphanumeric, 2.1 percent with non-alphanumeric characters, and a 7.8-character average length. Better than 15 years ago, but not as good as MySpace users. Kids really are the future.

I’d like to offer up a different reason: MySpace users have a reason to care about the security of the information they offer up to MySpace that’s more compelling than policies and cajoling from the security folks, and it shows. How can we learn from that?

(After I wrote this, I noticed some similar comments on the version on Bruce’s blog.)