Usability & security: Unlikely bedfellows?

by Martin Rosenmejer on 1 June 2008

With an ever increasing online population - 41 million users in the UK alone (source: Internet World Stats) - computer security and user authentication have never been more vital. Unusable security is expensive as well as ineffective. According to Password research, two-thirds of users had to reset their passwords/PINs three or more times in the last 2 years. With each password reset estimated at £35 in help desk costs (source: Mandylion research labs) it's easy to see how expensive an affair this can be.

Passwords

Passwords are by far the most widely used method of authentication. We're all having to remember more usernames and passwords by the day. It comes as no surprise then that over half of us use the same password for everything from work to banking to ecommerce, which is known to be poor security practice. More worryingly, 21% of people revealed their passwords in exchange for a bar of chocolate (source: Infosecurity Europe)! Clearly it's not all about making systems secure but making them usable too.

Passwords have long been considered insufficient within the security industry. Bill Gates even called for an end to passwords 2 years ago (source: CNET news). As that day still seems a long way away, let's consider what we can do to make the best of a bad bunch.

What you can do

As a website owner, you can make your customers' lives easier, and your site more secure by adhering to the following guidelines:

Use e-mail addresses as usernames
Don't ask site visitors to create separate usernames as this increases the number of items they have to remember.
Allow passphrases rather than just passwords
Passphrases are just like passwords but longer, being entire phrases instead of single words. They're typically 20-40 characters in length, an example use being Wi-Fi security. A sample passphrase would be 'PASSphrase1234567890'. Phrases provide context and are easier to remember than words in isolation. Passphrases are also harder to crack than passwords.

Helping users remember their passwords

To help your users choose secure passwords that are memorable, try suggesting some of the following tips to them:

  • Use a passphrase instead of a password, if the system permits.
  • If not, take a phrase and use the first letter of each word to make up a password that's easy for them to remember but difficult for others to guess. For example the phrase 'my favourite sweet in the world has to be chocolate' becomes 'mfsitwhtbc'.
  • Then replace some of the letters with capital letters and throw in numbers and symbols to increase the password strength. For example use '1' or '!' for an 'i', '4' or '@' for an 'a' and so on. The above sample password 'mfsitwhtbc' then turns into 'Mfs!twht6c', which is much stronger.

Do your users have one password that they use for everything and want to keep it that way? They can have an easy life and be security-conscious. Here's how: Advise them to append an additional word/number at the end of the universal password to make it longer and more secure. The add-on can be related to the application/site they're on, so it's easy to remember and yet unique.

Here's an example - let's say the universal password is 'password' (which it should never be of course!). The password 'password' is predictably rated weak by Microsoft's Password Checker:

Screenshot from Microsoft's Password Checker showing a weak security rating

For a florist's site they can turn it into 'p@ssw0rdfl0wers' (for 'passwordflowers') and for e-mail it can be 'p@ssw0rdem@1l' (for 'passwordemail'), both of which are much more secure than the initial choice and unique to the respective sites. With just a few modifications, the new password 'p@ssw0rdfl0wers' achieves the best rating by Microsoft's Password Checker:

Screenshot from Microsoft's Password Checker showing the highest security rating

Encourage your users to find out how secure their passwords are by checking their password strength on sites like Password Meter and Microsoft's Password Checker.

You can also suggest they check out Get safe online, a site dedicated to helping web users stay safe online.

What's the future?

Passfaces

Should passwords disappear then what'll replace them? An alternative is a system called 'passfaces' that utilises our innate ability to recognise faces with speed and accuracy. Users are required to correctly select their pre-chosen faces from a random set in order to gain access:

Screenshot from Passface, showing 9 different faces

Passfaces has already been implemented by a number of websites.

Random number generators

Some online banking customers are being sent chip-and-pin card readers to add a layer of security. A lot of banks and large corporations are using tokens such as random number generators in addition to passwords to increase security:

Handheld random number generators

RSA is a leading provider of tokens for multi-factor authentication.

Biometrics

Another alternative is biometrics where a person's physical or behavioural characteristics such as fingerprint, iris or voice are used for authentication. Examples include laptops with built-in fingerprint readers and the new biometric passports in the UK.

These approaches aren't solutions in themselves but will have to consider the human as being central to the whole authentication process in order to succeed.

In a nutshell

Traditionally, security has been considered more important than usability. In reality, security measures only succeed when users' needs are taken into consideration. Contrary to popular belief, security and usability can and should go hand in hand. Let's hope whatever replaces passwords is designed with usability in mind so we don't have to lose ours!

Thank you for your comment. It has been submitted for approval.

Comment Again?

Leave a comment

Please enter your name.
Sorry, this email address is not valid.
Please enter your comment.

Course basket x

Course

Price per place

Add another courseCheckout

Pay now by credit card or later by invoice (invoice payments only possible if all courses are 3+ weeks in advance)