Imagine a lock and key. You can picture the mechanism, and you have probably understood how the two parts interact (at least at a high level) since before you can remember. The lock protects a physical resource from theft, vandalism, or other tampering by denying access to anyone without the corresponding key. The weaknesses of the lock-and-key system are just as intuitive: lock-picking, brute force, key theft, and key duplication are all ways to bypass this kind of security mechanism. So it is obvious to nearly everyone who uses a lock and key that the security is only as good as the care taken with the key. To stay safe we avoid unnecessary duplicates, use different keys for different locks, and often add redundant mechanisms such as alarm systems and a police or security patrol.
Information security systems are often compared to the lock and key because, at a high level, they seem to do something similar. A person without your username and password cannot access your online bank account. Someone without the decryption key cannot read an encrypted message. Unfortunately, that very high-level and vague analogy is where the similarity ends, and I believe the comparison is both too broad and too inaccurate to be useful. The well-meaning attempt to explain cryptography and access control in familiar terms has mostly served to confuse people and to weaken the information security systems it was meant to explain.
The most fundamental problem with the analogy is that physical resources and electronic resources need to be protected for different reasons and in different ways. If your car is stolen you notice immediately, because when you try to drive to the supermarket you find that you no longer have a car. If your social security number is stolen there is a high probability that you won't know until you are denied a loan at some arbitrary point in the future, because someone has maxed out a credit card opened fraudulently in your name. Your options for following up on physical and electronic theft are also vastly different. In the car theft example there are basically two possibilities: you or someone else with a key was careless, or the thief used brute force to take the car. Your next action is to contact the police, they will investigate, and you'll probably end up buying a new car. In the social security number example, the careless party could have been you, your bank, your other bank, your landlord, your employer, the government, or no one at all. If the odds that your stolen car will be recovered are low, the odds that the source of your social security number leak will ever be discovered are almost nil. And while buying a new car is expensive and inconvenient, applying for a new social security number is a disaster that won't solve many of the problems caused by the original theft.
Ultimately, the lock-and-key analogy leaves people less likely to understand the difference between physical and electronic resources and how each is protected. While this misunderstanding is probably not a direct cause of poor security practices, it is a step in the wrong direction, and it gives vulnerable individuals a false sense of security about their data. If you have ever met someone who truly understands how exposed data is, you may have noticed a hint of paranoia. That's correct: the people who know what the risks are and what can be done to mitigate them are more worried than the people who do nothing and keep their passwords conveniently on Dropbox in a plaintext file named passwords.doc. But whose fault is it? They still have their "keys", so the keys must not have been stolen. That is exactly the point the analogy misses: a secret can be copied without ever leaving your possession, and a copied "key" opens the lock just as well as the original.