“We’re making computer security too hard for the average user,” said Steve Jones, founder of the Association of Internet Researchers.
This article on the use of passwords ran in the local Sunday paper. While the above quote initially had me expecting that the article was going to go on to talk about how the computer industry could find better alternatives to using passwords to secure user accounts, it didn’t.
Instead the author chose to beat up people for being people and doing what people will normally do when required to devise a password—and that is choosing a password that they have some hope of remembering next time it’s needed. And how do you do that? You use names of relatives, sports teams, pets, birthdays—basically anything already occupying some of your brain space.
I’m only 37, and I still have to think twice sometimes about family’s birthdays, and what my PIN number is.
When I read articles like this I’m embarrassed to be a part of this industry. We design systems that are inherently unusable. We then complain about the people using them who are proving, by the evidence cited in this article, that the system is unusable. And then what do we do? Publish articles about how these people aren’t accommodating themselves to the system properly, and give hints and tips like these to “help” them choose passwords:
* It should be at least six characters long with upper and lowercase letters, plus symbols and numbers.
* Avoid names, birthdays, telephone numbers or Social Security numbers.
* Devise an acronym using a nonsense phrase or a sequence you can remember, like a line from a song or the initials and ages of several friends.
* Vary your passwords often.
In other words, take any trick you have for creating and remembering a password and throw it out the window.
Here’s a novel idea - how about we instead design a system that accommodates itself to the people using it, rather than the other way around?
Security Professionals - it’s time to come up with something better than forcing people to frequently devise and remember complex passwords.