You call it moving the goal posts -- I call it dynamic e-business

SPEND ENOUGH time talking to security folks – the ones who design security software or set password policy or read and create the firewall rules – and you get the sense that the computers are fine, it's humans that are the problem. If you've been around the computer industry for a while, this attitude is familiar: everybody hates users.
"For most security folks," says Angela Sasse, "the attitude is still about the risk – security is a chain and users are the weakest link in the chain. It is parallel to the human pilot error debate of the 1980s. If the user is trying to do the right thing and can't figure out what the right thing is, then there's something wrong in the design."
Sasse is that rare thing, a security person who specialises in human factors. She studied psychology in Germany, and then did an MSc in occupational psychology from Sheffield University, and a PhD in computer science at the University of Birmingham.
She worked as a human factors specialist for Philips Corporate Industrial Design in 1990, and started as lecturer in the department of computer science at UCL later that year. She worked on the first generation of multicast systems over Internet Protocols, and that work gave her a connection with British Telecom. And it was that connection that, in 1996, led to her career marrying usability and security.
"It was complete serendipity," she said. "This guy gave a call asking me to look at this usability problem: the cost of help desks that they run for resetting user passwords had been tripling every year for three years." Naturally, BT's accounts department was concerned. "We need to understand what the problem is." Or, as she remembers the problem being phrased, "Why these stupid users can't remember their passwords."
So Sasse put up an online questionnaire and did some interviews. In two days the questionnaire attracted 240 responses – in 1996, when few people were on the Web. "People were writing reams and reams about the problems they had with passwords. They had between 16 and 64 passwords to remember. The policy said there was no reuse. They had six-digit PINs for voicemail that changed every 30 days." The paper Sasse wrote about the effort, Users Are Not the Enemy (PDF), shows the downward spiral these users were on. "Users didn't understand what the risks were – and even technical people didn't understand how password cracking worked. They were struggling to follow those rules – and then they lose respect for security and the security department makes the rules stricter."
Much of the problem with security as it is still designed is that, for security people, "security is the goal" and "security is a chain and users are the weakest link in the chain." This means war…
More to come in Part 2
It's about time we take things a step further and start using biometric data to verify a user. Start using cameras, finger prints, voice prints.
Simple passwords will likely never go away, but security needs to really change if they expect us to keep our security tighter.
I've heard it all too often, you force a user to change their password too often and they end up writing it down someplace INSECURE.
Code key FOBs (keychain thingamajigs) are great until you lose your set of keys.
Going to biometrics (with redundancies) is the only logical solution to so many of these problems.
@viscountalpha:
Biometrics is a joke. The current implementations are so simple to circumvent (photo of a face, photocopy of fingerprint) that they are nearly useless.
You can change the password if it gets compromised, how do you change your face or fingerprint?
Biometrics have been argued before.
There are 2 sides to security - authentication and authorisation. Biometrics can only be used for the first part, i.e. the username, not the password. Why? Because biometrics do nothing more than identification, it is detection of personal features that are available/detectable/clearly visible/"out there", public knowledge so to speak. As technology progresses, faking this information gets easier. It is not what one would call a "shared secret".
As such, a system that relies solely on biometrics is inherently insecure.
There are multiple articles on this subject.
So, all you security "experts" out there, what is the answer?
How do you authenticate and authorise with normal people in the chain?
Or is the solution computer systems that don't interact with people?
Eliminate the weakest link?
And what about the security implementors, how do you work around their human weaknesses?
Sounds like everyone's time would be better spent searching for the Holy Grail, except that MPFC already found it and made a boffo movie in the process.
As Bruce Schneier described it, there are three ways to authenticate a person: by something you have (e.g. a physical key), something you know (e.g. a password), and something you are (e.g. biometrics). He reckons passwords on their own are no longer enough, and certainly biometrics on their own are not enough, as other commenters have pointed out.
Nowadays the absolute minimum in security, suitable for sensitive things like online banking, is two-factor authentication.
If you want to know more, go read Schneier’s blog.
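Two of Schneier's three factors combined in code, as an added example that is not part of the original post or any commenter's code: a password check ("something you know") plus an RFC 6238 TOTP code ("something you have"). The user name, password, salt and the TOTP seed (the RFC 6238 test-vector seed) are constructed for the demo; a real deployment would draw them from a credential store.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo values: salt and TOTP seed are not secrets for production use.
DEMO_SALT = b"example-salt-not-for-production"
DEMO_TOTP_SEED = b"12345678901234567890"  # RFC 6238 test-vector seed


def hash_password(password: str, salt: bytes = DEMO_SALT) -> bytes:
    """Salted PBKDF2-SHA256; the stored value, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


# Constructed single-user store: one hashed password and one TOTP seed.
USER_DB = {
    "alice": {
        "pw_hash": hash_password("correct horse battery staple"),
        "totp_seed": DEMO_TOTP_SEED,
    }
}


def totp(seed: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the 30-second counter."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(seed, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_two_factor(user: str, password: str, code: str,
                      now: Optional[int] = None) -> bool:
    """Both factors must pass. The password check is evaluated even when the
    code is wrong so that the two failure modes take similar time."""
    now = int(time.time()) if now is None else now
    record = USER_DB.get(user)
    if record is None:
        return False
    pw_ok = hmac.compare_digest(record["pw_hash"], hash_password(password))
    # Accept the current step and one step either side to tolerate clock drift.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_seed"], now + d * 30), code)
        for d in (-1, 0, 1)
    )
    return pw_ok and code_ok
```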