Rational to Use Poor Passwords?
So claims a Microsoft research paper:
It’s hard to blame users for not being interested in SSL and certificates when (as far as we can determine) 100% of all certificate errors seen by users are false positives.
The premise of the paper is that using strong passwords, checking that URLs are not phoney, and reading SSL certificate warnings cost the average user far more in time than they are, on average, likely to lose. Furthermore, most password attacks come through phishing and key logging, against which strong passwords provide no protection.