Protecting users from themselves “The problem with making things foolproof is that we keep evolving a better class of fool”, as the old saying goes. And nowhere is this more true than in security where breaches remain regular and commonplace despite all the investment that has gone into it. Part of the problem is that we expect users to be experts in security …
Users do not need protecting from themselves; they need protecting from software writers. This includes all users, including security savvy ones.
Example: If the meter reader comes to your house to read your meter, you have to let them in (if your meter is inside!). However, you would probably be with them and watch as they go to the meter, read it and then leave.
Some genius software writer says that when you run a program, you open the door and then let it do anything it wants, anywhere it wants, for as long as it wants. You have no control over what it can do.
The MS options doesn't help either; you get a box that says some program wants to do something that might be bad. ( I can't even choose what is bad; conneting to the internet could cost me a fortune, so I might not want it, but I don't get a choice!). The box doesn't say what the program wants to do, and doesn't even tell me what it is; "more" just tells me "C:\windows\temp\fhsyurv.exe"
If you click yes, the program then does whatever it wants.
"Smartphones" have had this option of granularly setting application permissions (heck, for the masses, Facebook does this too), however that hasn't helped the situation one iota. Why? The software still asks for ALL permissions. What does a racing game want with internet access and contacts? Why does a Facebook game want access to my personal info? All these things are checked as "allowed" by default (because the game says it requires them), and all the user has to do is hit "OK." Therefore, as long as a user can hit "allow," there will still be a problem, and it will be for the same reason people still get infected by "websites" posing as My Computer antivirus scans.
I have a set of passwords that I use (no, I don't recycle them). I am not going to go into detail but I use words from four languages, numerics and (where permitted) symbols. Everything makes sense (because I can't get the hang of "fksje04csw" type passwords). They rank as medium-strong to strong. The sites with these passwords have a little story which describes the password. Crazy stuff, but memorable. I can look at a site and bash out a complicated 12 character password using this method.
Or you can tell me I have to change my passwords every X <period>, then I'd need to start writing passwords down. And when they're no longer safely stored in my head, any hope of security (on my end) vanishes.
Thankfully, for the time being, most sites with forced changes are braindead so I can set my password to "sacrif1ce" (obligatory digit!) and immediately change it back to what it was. ;-)
I'd like to hear if anybody has any evidence to say that forced password changing increases security; for I know my bank in the UK used to do this (NatWest, circa Y2K) and I saw the customer advisors look up their current password from notepads and such several times, and as for my work, in a certain office, the back of a catalogue has a long list of previous computer-generated passwords, each crossed out as a new one is written. These examples, to me, would seem to fall into the category of protecting the user from themself, but then is the user really the problem, or the misconception that getting everybody to regularly change passwords makes everything more secure?
> Part of the problem is that we expect users to be experts in security, when in reality what they want to do is be successful in their job and will hunt out ways to make this happen ..
No we don't, just make a computer that can't be infected by clicking on a URL or opening an email attachment.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
