The feeling of greater security tempts us to be more reckless
Reader's comment on the topic of enterprise password management
Security: Identity Management Alert
By Dave Kearns, Network World, 05/11/2009
Dave Kearns provides the information you need to evaluate, install and maintain your corporate identity management system.
The recent newsletter - rant, really - about the National Institute of Standards and Technology (NIST) white paper on enterprise password management ('Managing' passwords doesn't make them less unsafe) elicited a number of comments, some not very complimentary. The general consensus of these comments was that: a) people still use (and will for some time to come) username/password authentication; and b) anything we can do to strengthen those passwords is laudable. I will admit that passwords will be around for some time to come, perhaps forever. After all, I did say they should go the way of the buggy whip, and Mark Dixon (Chief Identity Solution Architect in Sun Microsystems' North American Software Practice) quickly found a Web site that still sells them. But I also believe that encouraging people to install stronger password policies can be very counterproductive.
In the field of risk management (which everyone responsible for authentication should become familiar with), there is a concept called “Risk Compensation.” This theory holds that as the perceived risk from an action changes (not, you’ll note, the actual risk – just the perceived risk), people’s behavior changes accordingly. Thus, if you believe a situation is more risky than it had previously been, you will take greater care in that situation. Conversely, if you believe the risk has been lessened, then you are likely to take a greater risk.
Studies have been done (see Grant and Smiley, "Driver response to anti-lock brakes: a demonstration on behavioral adaptation", from Proceedings, Canadian Multidisciplinary Road Safety Conference VIII, June 14-16, Saskatchewan 1993) that show that the introduction of anti-lock brakes on automobiles led to people driving faster and following more closely. William Ecenbarger, writing in Smithsonian Magazine recently (“Buckle up and behave”), said: “Humans have an inborn tolerance for risk — meaning that as safety features are added to vehicles and roads, drivers feel less vulnerable and tend to take more chances. The feeling of greater security tempts us to be more reckless. Behavioral scientists call it ‘risk compensation’.”
If we give people the perception that their passwords are now “safer,” or that username/password technology can be made “less risky,” we run the higher risk of encouraging behavior (e.g., writing strong passwords on stickies and posting them on the monitor) that, in fact, increases the risk of an account being compromised.
Dave Kearns is a consultant and editor of IdM, the Journal of Identity Management.
Comments (3)
Risk Compensation Isn't Necessarily True
By steingra on May 11, 2009, 9:50 am
Please see "The Effects of Mandatory Seat Belt Laws on Driving Behavior and Traffic Fatalities". Alma Cohen and Liran Einav. http://www.stanford.edu/~leinav/pubs/RESTAT2003.pdf Their...

Risk Compensation
By Anon on May 11, 2009, 4:41 pm
Actually, there's no contradiction here. The article cited (pretty good!) refers to the incidence of *fatalities*, a different kind of thing from accidents. Use...

It depends on your threat profile
By Anonymous on May 11, 2009, 6:43 pm
What is your threat profile? If you are concerned that your coworkers (or physical visitors) will use your account, then writing down passwords is a big problem....