Much in computer security involves recommending defensive measures: telling people how they should choose and maintain passwords, manage their computers, and so on. We show that claims that any measure is necessary for security are empirically unfalsifiable. That is, no possible observation contradicts a claim of the form “if you don’t do X you are not secure.” A consequence is that self-correction operates only in one direction. If we are wrong about a measure being sufficient, a successful attack will demonstrate that fact, but if we are wrong about necessity, no possible observation reveals the error. The fact that claims of necessity are easy to make, but impossible to refute, makes waste inevitable and cumulative.
Users are constantly encouraged to choose stronger passwords, but when does it actually make a difference, and how much is enough? We find that offline guessing is less of a factor than commonly thought, even when the password file is stolen. Further, once a password is strong enough to withstand online guessing, increases in strength that fall short of what's needed to withstand offline guessing are wasted. Passwords in this online-offline chasm waste effort since they do too much for online guessing and not enough for offline.
We've all received variants of the Nigerian email scam. A stranger asks for help to rescue a hidden fortune from corrupt officials and wicked in-laws. Who falls for those crazy stories? Who hasn't seen it hundreds of times already? The fabulous tales may be a feature, not a bug. Because of the long odds of finding people who'll go all the way and not back out at some point the scammer needs to identify those who are credulous and who haven't seen it before. "By sending an email that repels all but the most gullible the scammer gets the most promising marks to self-select, and tilts the true to false positive ratio in his favor."
People have been predicting the death of passwords for a long time, and yet we rely on them more than ever. We examine two decades worth of proposed replacements against usability, deployability and security benefits that an ideal scheme might provide. "Not only does no known scheme come close to providing all desired benefits: none even retains the full set of benefits that legacy passwords already provide."
We show that survey-based estimates of cyber-crime losses have systematic biases; errors are cumulative and directional; a single outlier answer can make a 10x difference in the estimate. This doesn't mean that cyber-crime isn't a big deal, but those eye-popping numbers about billions being made by cyber-criminals are junk. WEIS paper and invited NY Times OpEd.