Stop blaming us

Occasionally, I see articles like this.

Hackers don’t, as a rule, need to go to such lengths to crack passwords. That’s because most of us fail to follow good security habits. A recent article on PhysOrg cites a study that found people are the weak link in computer security.

This is silly. People don’t need to “follow good security habits” unless they have “security” somewhere in their title. Security is a means to an end, and not the target. The target is to get the job done (or surf the web, or read your emails).

Saying this is not just silly – it’s also dangerous. When experts say “people are the weakest link in computer security”, they remove all responsibility from the security industry to make security better, and easier, for users. Why work on preventing brute-force attacks on passwords? Instead lets force our users to choose a 10 character password including at least 1 number and 1 letter of each case. Oh, and lets prevent those walking security hazards from saving the password in the browser on their malware infested machines. Yeah, that’ll teach them. The article over at suggests I use e$4WruX7 as a password – a most helpful advice if I ever saw one. Here’s a better suggestion for you Jonathan: have the system lock out for 24 hours after 3 failed tries.That will make guessing a simple 6 digit-only PIN take more than 450 years.

Enough with this.  Users are not the weakest link any more than drivers are the weakest link in driving accidents. Sure, if we remove users (or drivers) from the equation, that solves all our problems. But since we can’t do that, lets focus on making seat belts, and airbags, and warning systems. Or easier (not harder!) password systems, better protected servers and better user interface.

  • SpamIsLame

    While I agree that more needs to be done on the back end of most online service providers, your posting implies that we should just accept that anyone should use a password like “123456″.

    If you’re encouraging that, maybe we should also wear t-shirts that list our banking credentials, or what our email login is.

    I agree that bank (especially a bank) should be able to tell when a user has changed their login location by more than a 1,000 mile radius, but to imply that “passwords are hard, therefore just use the easiest thing you can remember” is basically telling people “let criminals steal all your data.”

    That’s a bit of an odd stance in my opinion.

    Also I hate to break it to you but in most cases drivers *are* the weakest link. Drunk driving has remained at a steady rate, and remains among THE most common causes of driving-related fatalities. Should we just tell them to keep on drinking? It’s hard to stop, apparently.

    SiL / IKS / concerned citizen

  • Aviram

    I don’t think anyone will wear a T-shirt with their login credentials. Saying that implies you think users are intentionally trying to compromise their own security – I don’t think that’s the case.

    The only reason users use “123456″ as a password, is because experts like Jonathan are telling people anything less complicated than e$4WruX7 is a trivial password, and give them an insane list of rules they absolutely need to follow or the world will end. Well, if the only good passwords look like e$4WruX7, then I might as well pick “123456″, because what does it matter – right?

    Let me break you the news about driving: Drivers will ALWAYS be the weakest link. Always. They were the weakest link back when they rode horses and carriages, and they will be the weakest link when we have hovercrafts and civilian spaceships. The solution? Make technology better; much easier than making the whole human race “better”.

  • PersonalAccountability

    If people can’t follow good security practices then they shouldn’t use the technology, or at least accept the consequences. Similar to home users who leave their wireless wide open then complain when they get hacked. you don’t leave you keys in your ignition walk away in a bad area do you?

    Just because people can do things, like use online banking, doesn’t mean they should if they don’t understand the issues involved. Would you blame NASA if somebody tried to fly the space shuttle without knowing how it works?

    If you drive recklessly, because you are lazy or don’t understand the rules of the road, you’re more likely to get in an accident. Who’s fault is that?

    The notion that people should be able to use technology without understanding it is ridiculous. People need to bare the responsibility of their own security instead of counting on others to provide it for them because they are too lazy to have a good password or not click on a viagra email.

  • Kevin fiscus

    I guess I have to say that I disagree with half of the premise of this article. Users all have a responsibility to “follow good security habits” even if security is not part of their job title. Saying otherwise is, in my opinion, somewhat dangerous. In the physical world, the last person to leave an office for the day has the responsibility to lock up and possibly set the alarm. People who work with sensitive paper documents have the responsibility to control their distribution. These are all “good security habits” that people follow on a daily basis.

    In our personal lives, we also follow “good security habits”. When we park our car in the mall parking lot, we lock the door. We do the same when we leave our homes. If we keep a house key hidden outside somewhere for emergencies, we don’t broadcast its location. Again – all good security habits.

    I believe the same applies to the world of computers. When it comes to passwords, we should select something that is somewhat difficult to guess and we should not share our passwords with others.

    That said, I do agree that some of the steps security professionals take to promote security are just plain silly. Requiring users to remember “complex” passwords is dumb. Account lockouts do make even short passwords extremely difficult to brute force. Encouraging longer “pass phrases” like “I really love to play golf” are even better. They are easy to remember, easy to type, difficult to guess and difficult to crack. When combined with account lockout, you have a fairly secure solution however…..

    All of those measures fail if users write their passwords down, share them or use them across multiple systems. For example, if someone sends me a password protected zip file and give me the password that is also used to protect their domain account, I win. Account lockouts mean nothing if I select the correct password in the first try.

    I would thus contend that your point about implementing better controls is entirely valid but, at the same time, users can also be a weak link (thus the success of social engineering). The failure of security professionals is in providing the users with good, simple and actionable information about what they should be doing to promote security and why. I’m not talking about requiring crazy passwords but simple steps like protecting the password they have and being able to recognize and report suspicious activity.

    Just my 2 cents.


  • Mat

    I couldn’t disagree more with the main premise of this article.

    I see what you are getting at, and I agree that end users should not have to concern themselves with the nitty gritty of security architecture itself; but back in the real world I’m afraid that companies who manufacture security products do so for economic and business reasons, not because they want to make the world a better place and take a lead in raising global standards of security.

    Ironically it’s a naive viewpoint typical of a security enthusiast that says the responsibility for pushing higher standards of security lays with the architects themselves; in fact it’s arguably dangerous for the makers of security products to take a lead rather than allowing the market to play its natural role. For example take Norton. Their revenue model in the consumer security software market relies heavily on shielding the user from the basic principles of security and shrouding them the myth that they need protecting by people who ‘understand’ because ‘security is a very complicated thing’ which is best left to the experts. As such they get away with absolute murder.

    No, in the same way that responsible adults have to choose the locks they put on their front doors – in consultation with a security advisor – rather it is best to let people try to grasp an understanding of security. And yes that means your average user. In the long run, there is no substitute for education.