The Inquirer-Home
Comments
Sassy

“...says , a lecturer in computer science...”

Interesting omission from that sentence, and interesting to see what’s in its place when you “view source”.

Anyway, back on topic, there’s nothing wrong with writing down passwords, just keep that piece of paper in a safe place, that’s all. You know how to do it with your keys and your credit cards and your cash? Just do the same for your passwords.

This posting is brought to you by the CAPTCHA “TEDDJY”.

posted by : Lawrence D'Oliveiro, 03 June 2009
no you don't says hedgefund, (l)users

After more than 20 years eating, drinking, living and working in the computer industry, I've come to the same conclusion early Unix gurus already knew for ages.

Computers are not for users.

And that is the cold, hard fact staring us all in the face.

A lot of people should not, have not never ever obtained or otherwise be exposed to such a thing as a silicon based machine. It ruined not only their until then peaceful lives and those concerned with security, privacy and the general advancement of humans as a race. Computers have become an obstacle for many, and that concerns many security and privacy experts. It has run out of hand, misused, abused the industry slaves away for another sickened Industry guided by hedgefunds and other non-productive, cannibalistic entities, like Gordon Brown.

Security, privacy and rigid code regarded as basic standards in the 70's and 80's have now succumbed to the commercial weight of the 'need' and the 'speed' of the masses guided by only a few commercially driven entities. Hence the need for Cobol programmers until today.

The performance of electronic devices often more driven by greed than by Moore's 'law' right is already cracking the security grid once deemed safe for even the biggest secret.

Now, lemme see.... where did I leave that vSphere v4 CD? Gonna build myself a nice cloud hashcracker.

posted by : Aryan, 31 May 2009
@Jerome

Though I like the concept behind your idea, it would be an epic fail, for the simple fact that both VPN and remote desktop / VNC would easily defeat this.

posted by : Wallyb132, 31 May 2009
usability = security

In fact, security designed without consideration for human factors is nothing more than bureaucratic buck-passing. Let's say you have to enter an 8-digit password with at least one special character, a number, and at least one upper and one lower-case letter, change it every 90 days, and your company's security policy does not allow you to write it down and keep it on your desk. Every part of this system has been optimized except for the human part, which is nearly impossible, but it is ignored because human factors has not made its way into the field of security yet. It's just not in the equation when the product is designed or purchased. The only way it manifests itself would be in the threats or punishment of users who can't or don't conform to the system. Usability is coming late to this space because security tends to be an internal tool, and internal tools tend to suck, because we are paid to use them. The ubiquitousness of this problem suggests that good metrics are not being used to pinpoint security weaknesses. The human element has always been the weakest link in security, and it amazes me that the IT industry is still shrugging their shoulders instead of growing a pair and doing some HFE.

posted by : Ryango, 31 May 2009
Who is this lecturer?

Who is this unnamed lecturer at University College London? If they've published anything on human factors and security, I would like to read it.

I've long held that security is primarily a human-factors issue, that a good security implementation should be designed to enable the user to get their work done in the most secure manner possible with the least amount of effort required. It sounds like this unnamed lecturer is on the same wavelength.

posted by : SumDumGuy, 29 May 2009
Our idea of what provides "security" doesn't fit

Password-related security will always be perceived as a barrier.

If I'm using my computer from home, where my Internet Service Provider (ISP) knows I am me, then why can't my ISP vouch for my identity?

By ISP I mean the company that connects me to the Internet, which in my case is the telephone company. In most cases, when I'm working from home, dealing with large companies, I would be happy to have the phone company "tell" whichever site I'm using that "Yes, he really IS who he says he is."

I don't know whether this kind of solution is possible, but wouldn't it remove the need for ID-and-password-based identity verification?

It does bring other issues with it, especially around privacy, so I'd like to see some solid legislation (laws) to protect identity privacy.

-=- Jerome

posted by : Jerome, 29 May 2009
If only

If only the public sector realized this, lose a few bits of unencrypted data (because some moron sent important data unencrypted, let's face it that's pretty weak) and all of a sudden public sector systems are so locked down you can barely even use the system.

That's government thinking for you, don't care in the first place, in the second place over-react to the nth degree to prevent being embarrassed again, whilst still not actually protecting vital systems like payments systems.

Shows you what their priorities are, not doing a good job, not doing an efficient job, not doing things securely; but just purely avoiding bad publicity.

Nice.

posted by : john, 29 May 2009
Thanks!

Fascinating and refreshing point of view on security, gives some bit of hope to the future!

posted by : James, 29 May 2009
Chapter 14, page 2, BSD Handbook

"Machines are only as secure as you make them, and security concerns are ever competing with the human necessity for convenience... More security means less convenience, but a security breach can be the least convenient moment of all."

As true, today, as when Jim Mock wrote it ten years ago.

posted by : Daniel, 29 May 2009
Are you talking about Microsoft?

Are you talking about Microsoft products, which fail on both security and usability?

posted by : Joe S., 29 May 2009

Why security and usability don't go hand in hand
