Earlier this week I had a discussion with a colleague about setting up a Windows XP system so that the dial-up connections dialogs would always show the user name when they launched. During the discussion I mentioned that this was considered poor security practice, since at that point an attacker no longer needs to figure out the user name, just the password.
My co-worker replied that for this specific system, it made sense to have better usability, rather than forcing his users to have to always remember the log-in name.
This got me thinking to the fact that, in pretty much all discussions on securing systems, usability issues get thrown out the door. And this is starting to seem like a big mistake. After all, if users start to feel hostile toward security measures, this will just lead to even more insecure systems.
To me, a very good example of the "users will just have to swallow their medicine" train of thought was illustrated in the Consensus Baseline Security Settings recently released by the US government and several independent security organizations.
Lots of the requirements in this baseline are sure to cause quite a bit of user annoyance and frustration. Under these settings, users run in a very limited area, with almost no ability to modify their systems—you cant even fix the time if it isnt correct. Users also cant add simple software or devices such as new printers.
The requirements for passwords seem reasonable, until you actually have to deal with them. Passwords must be complex (meaning alphanumeric), must be at least eight characters long and must be changed every 90 days. Thats a reasonable time limit, but in my experience it comes quickly. And since long, complex passwords are generally impossible to memorize, this leads to users writing down their passwords and posting them on their monitors, which in itself is a classic security risk.
Many of these requirements will lead to extra calls into company help desks and to general user frustration. Employed adults can easily revert to something like angry teenagers, lashing out against restrictions that they feel are onerous. And when it comes to security, you want your users working with you, not against you.
So what can we do? Security managers and personnel need to consider users when implementing policies. Yes, security is important, but you might get better results if users dont have to swallow it like medicine. And vendors should look to additional ways to make implementing secure systems more user-friendly.
Security is important, but so is user happiness.
Should usability always take a back seat to security? Let me know at firstname.lastname@example.org.