
Hidden costs of passwords

Passwords aren't free

Security Strategies Alert By M. E. Kabay, Network World
October 18, 2007 12:02 AM ET

The long view of security strategies for your network.

Network World - Many users who focus on their individual experience and needs rather than on corporate security management think that passwords are free. Indeed, password functions come with our operating systems and much of our software; we don’t have to pay anything extra to buy this form of authentication. However, both common sense and research findings support the view that authenticating identity using passwords is a significant expense for organizations.

The major issue is forgotten passwords. Users who lose track of their passwords may have access to an automated password-resetting process, in which case costs may be modest. For example, it is possible to set up a one-way encrypted database of personal information questions and answers and have the user answer a number of these to authenticate to the system. One example is the M-Tech Identity Management Suite, which provides precisely this functionality (among others) to avoid help-desk involvement in password resets.
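The self-service reset described above can be sketched as follows. This is an added example, not code from the column or from the M-Tech product: answers are stored only as salted one-way hashes and a reset is allowed when enough of them match. PBKDF2, the iteration count, the three-answer threshold and all function names and sample questions are assumptions made for the illustration.

```python
import hashlib
import hmac
import os
import unicodedata

ITERATIONS = 200_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)


def normalize(answer: str) -> str:
    """Fold case, Unicode form and spacing so 'St.  Louis ' matches 'st. louis'."""
    return " ".join(unicodedata.normalize("NFKC", answer).casefold().split())


def one_way(answer: str, salt: bytes) -> bytes:
    """Salted, deliberately slow one-way hash of a normalized answer."""
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, ITERATIONS)


def enroll(answers: dict[str, str]) -> dict[str, tuple[bytes, bytes]]:
    """Build the stored record: question -> (salt, hash). No plaintext is kept."""
    record = {}
    for question, answer in answers.items():
        salt = os.urandom(16)
        record[question] = (salt, one_way(answer, salt))
    return record


def verify(record, responses: dict[str, str], required: int = 3) -> bool:
    """Allow the reset only if at least `required` answers match."""
    if not 0 < required <= len(record):
        raise ValueError("required must be between 1 and the number of questions")
    correct = 0
    for question, (salt, stored) in record.items():  # check all, no early exit
        candidate = one_way(responses.get(question, ""), salt)
        correct += hmac.compare_digest(candidate, stored)
    return correct >= required


# Constructed sample data, not taken from any real system.
SAMPLE = {
    "First school attended": "Lincoln Elementary",
    "City where you were born": "St. Louis",
    "Model of first car": "Corolla",
    "Favourite teacher's surname": "Nguyen",
}

if __name__ == "__main__":
    rec = enroll(SAMPLE)
    print(verify(rec, {q: a.upper() for q, a in SAMPLE.items()}))
```

Personal answers carry far less entropy than a good password, so the slow hash only raises the cost of guessing against a stolen database; the reset service still needs attempt limits and logging of failed resets.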

Even this process has a modest cost that depends on the cost per minute of salary and extended costs (relating to costs of facilities, supplies, services and their financing) for the forgetful employee’s time. I’ve always been told to estimate extended costs at around 50%, so someone earning $80,000 a year (for 2,000 hours of work) might be costing the employer around $1/minute. You can do the rest of the math.

The cost grows if the help desk gets involved, especially if there’s a lag in responding to the emergency call. In addition to the cost of the help desk personnel’s time (which one can either include or discount as being paid anyway, depending on the point of view), the big cost becomes the ticking clock as the locked-out user waits for a reply. For the $1/minute employee mentioned above, a five-minute wait twiddling her fingers amounts to $5 in wasted cost, but a half-hour delay costs $30. Do you ever have to wait half an hour for a callback from the help desk?

Multiply the lost passwords by the number of employees and the average number of times people forget their passwords and you can see that the costs begin to rise significantly. At some point, tokens and biometrics begin to seem less expensive, comparatively, than they seemed at first glance.

In a 2005 article, Lisa Phifer writes, “According to Burton Group and Gartner studies, password resets represent 30% of all help desk calls. The META Group estimates that each help desk call costs $25.” In a white paper by RSA (makers of cryptographic tokens, remember), the authors claim that for a 1,000-user organization, the total cost of ownership over the first three years is around $673,000 or $673 per user. About 98% of that depressing expense is due to management costs.

Similar calculations are shown in a Cost of Ownership document from RoboForm. The makers of this single-sign-on software estimate cost savings of about $417 per user in the first three years for a 1,000-user organization through reduction of lost-password calls.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Professor of Information Assurance & Statistics in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
