The Psychology of IT Security Trade-offs

Good article. I agree with the conclusion that the solution isn't to convince people to make better choices, but to change the IT architecture so that it's easier to make better choices.

Posted on November 28, 2012 at 5:55 AM • 13 Comments

Comments

VKNovember 28, 2012 2:53 PM

The article seems to be missing the point of all those security breaches - the problem does not sit between the chair and the monitor, as much as it lies in the Cloud. As such, user psychology is not, and should not be what we focus on.

I don't need a reminder for a stronger bank password - what I need is for my bank to get into the 21st century, and require 2 factor authentication - and secret questions are not it.

And that won't even matter if the system is compromised at the provider's side.

Carl 'SAI' MitchellNovember 28, 2012 3:31 PM

One thing I absolutely hate is password hiding that can't be turned off. Especially on my phone. No one is looking over my shoulder. I use long (5-8 word diceware) passwords for most things, since they're easy to memorize and quite secure. But typing them on a touchscreen when you can't see the letters you've typed is very annoying.

Like VK, I'd also like 2-factor authentication available for more things. Google Authenticator is free, open source/spec, available for corporate use, and easy to use.

Bruce ClementNovember 28, 2012 8:23 PM

@Carl
"One thing I absolutely hate is password hiding that can't be turned off"

I also dislike them. I have this bookmarklet in my firefox toolbar

javascript:var t=document.getElementsByTagName('input');
for (var i=0; i
(Remove linefeeds)

It unhides hidden fields and makes passwords readable on the screen. It's easy to modify for just one field type if you prefer.

As far as I'm concerned, if I'm somewhere that shoulder surfing isn't a serious danger I have every right to read what's about to be sent from my PC,

Unfortunately the Android browser doesn't seem to support bookmarklets yet, but hopefully soon.

Bruce ClementNovember 28, 2012 8:25 PM

Hmmm. Script got truncated.

Try

javascript:var t=document.getElementsByTagName('input');
for (var i=0; i<t.length; i++) if (t[i].type=='hidden'||t[i].type=='password') t[i].type='input'; void 0

vasiliy pupkinNovember 29, 2012 8:07 AM

I guess the point of the article that human element is the weakest link in security because even when human knows what is right to do, behavior is not rational, consequently unpredictable.
Same with math professionals with high expertise in probability. They often make their rather emotional choice when gambling contrary to their scientific background. Then what you could expect from average Joe/Jane.
Pavlov was right: you should reward good behavior (security is not exception) to make it unconditional after some repetition cycles.

paulNovember 29, 2012 9:01 AM

I think that another factor here is learned helplessness. We're supposed to have defense in depth, but instead we have weakest link. So I can spend as much time, effort and money as I want figuring out strong passwords and encryption for my data while it's under my control, only to have it all snarfed from a business by a script kiddie using a 1000th-day exploit.

Should I put in the effort, or should I enjoy looking at some more kittens?

Jakub NarebskiNovember 29, 2012 9:42 AM

> One thing I absolutely hate is password hiding that can't be turned off. Especially on my phone.

Would showing the last letter and hiding the rest be enough / be a good compromise?

B. JohnsonNovember 29, 2012 10:15 AM

I know I've said it here before, and I'll say it here again. It's truly sad that I can have better security on my World of Warcraft account (two-factor) than I can have on my bank account (just password and "site image").

Alan KaminskyNovember 29, 2012 1:36 PM

From the article: "Webber says we should consider shifting fraud liability from credit card companies to consumers in some cases, especially when the consumer failed to take basic steps to prevent fraud."

This is a slippery slope. The credit card companies will just shift all liability for unauthorized use of a credit card to the consumer -- because, as we all know, breaches are due to cracked passwords and everyone uses weak passwords.

benEzraNovember 30, 2012 10:57 AM

> Would showing the last letter and hiding the rest be enough / be a good compromise?

In my experience, no. Reveal-last-letter is what the iPhone does, and it still prevents you from using very long/random passwords unless you have supernatural finger-typing skills or type v-e-e-e-e-e-e-e-r-y slowly. I agree, give me the option; unnecessarily hiding what you type can be a security disincentive.

The worst is where you are trying to enter you home wi-fi password and you can't see what you are typing.


daveDecember 2, 2012 3:15 PM

I have found the following procedure helpful:
1) Type password into login field
2) Cut password - (place into buffer)
3) Enter login
4) Paste password into password field

AnonymouseDecember 6, 2012 2:07 PM

Agree with those who say the problem is architecture. I would go one step further and say it's because nobody is using any consistent security policies. As a 20+ year IT veteran, I know and espouse security. However, after about a decade of struggling with needing passwords for upwards of 30 different systems between work and home, this database has a 30-day password lifetime, that database has a 60-day password lifetime, this system requires uppercase and punctuation, that system disallows all punctuation, this system requires passwords to be no more than 8 characters, that system requires passwords to be 8 - 20 characters, I've just about given up. My partner is always on my case for forgetting passwords on various systems and using insecure things like appending a number to the end that gets rotated each cycle. I know that's very bad security behavior, but it's exceedingly frustrating that all the sites that I need to use make it so freakingly difficult to be a good IT citizen!

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..