Bruce Schneier Writes Down Passwords. So Can You
After the conference is over, I get some time to talk to security guru Bruce Schneier.
His talk on security was not, as you might imagine, about HTTPS and secure sockets, but rather a much more philosophical talk on the psychology of security. The point Mr. Schneier was making was that there is a difference between actually being secure and feeling secure.
You can be secure when you don’t feel as if you are. And conversely there are times when you think you are secure, but actually you are not—for example, the most dangerous part of any holiday journey is the drive to the airport, not the flight in the plane.
But does this differentiation actually matter, or is this simply an exercise in metaphysics?
“It only matters,” he says, “if we get it wrong. If we get it right then it is perfect. If we get it wrong we do things like taking off our shoes at airports, or invading countries. We do dumb things. We are afraid to bank online. Or conversely we get in a car when we are drunk because we think, ‘it can’t happen to me.’
“There is an enormous cost to society in this. If you think you are less secure than you are then there is an opportunity cost you are missing—you are not doing the things you could do. If you think you are more secure than you are, then you are taking additional risks.”
The advice he gives—and it is applicable to every aspect of risk—is to get as much information as you can, and be aware of your own biases. Not surprisingly Mr. Schneier is a great believer in accurate data and dispassionate interpretation of it.
“So for example, you can read the statistics about crime rates in New York and think ‘that is interesting.’ But if your cousin goes there and gets mugged, you are never going to go there. But you need to understand that your decision is based on a story and not on data. If you understand your cognitive biases then you can recognise them—and that has huge value.”
But how should people deal with all of this in the real world, or online? “Relax,” he says emphatically. Surprisingly for a security professional, he has a very easy-going view on passwords.
“I have some very secure passwords for things that matter—like online banking,” he says. “But then I use the same password for all sorts of sites that don’t matter. People say you shouldn’t use the same password. That is wrong.
And when people say don’t write your password down. Nonsense. Write it down on a little piece of paper and keep it with all the other small bits of paper you value—in your wallet.”
He opens his wallet and pulls out a £20 note. “This has value. Your password has value. As a society we are good at valuing small bits of paper. We have cracked that problem.”
At the end of a day on computer security and cryptography it is encouraging to hear that one of the great security experts of our time keeps his passwords on a piece of paper in a wallet. It makes me feel not so bad about having mine in exactly the same place.