Usability & security: Unlikely bedfellows?
By Mrudula Kodali
With an ever increasing online population - 41 million users in the UK alone source: Internet World Stats - computer security and user authentication have never been more vital. Unusable security is expensive as well as ineffective. According to Password research, two-thirds of users had to reset their passwords/PINs three or more times in the last 2 years. With each password reset estimated at 35 in help desk costs source: Mandylion research labs it’s easy to see how expensive an affair this can be.
Passwords
Passwords are by far the most widely used method of authentication. We’re all having to remember more usernames and passwords by the day. It comes as no surprise then that over half of us use the same password for everything from work to banking to ecommerce, which is known to be poor security practice. More worryingly, 21 of people revealed their passwords in exchange for a bar of chocolate source: Infosecurity Europe! Clearly it’s not all about making systems secure but making them usable too.
Passwords have long been considered insufficient within the security industry. Bill Gates even called for an end to passwords 2 years ago source: CNET news. As that day still seems a long way away, let’s consider what we can do to make the best of a bad bunch.
What you can do
As a website owner, you can make your customers’ lives easier, and your site more secure by adhering to the following guidelines:
- Use e-mail addresses as usernames
Don’t ask site visitors to create separate usernames as this increases the number of items they have to remember. - Allow passphrases rather than just passwords
Passphrases are just like passwords but longer, being entire phrases instead of single words. They’re typically 20-40 characters in length, an example use being Wi-Fi security. A sample passphrase would be ’PASSphrase1234567890’. Phrases provide context and are easier to remember than words in isolation. Passphrases are also harder to crack than passwords.
Helping users remember their passwords
To help your users choose secure passwords that are memorable, try suggesting some of the following tips to them:
- Use a passphrase instead of a password, if the system permits.
- If not, take a phrase and use the first letter of each word to make up a password that’s easy for them to remember but difficult for others to guess. For example the phrase ’my favourite sweet in the world has to be chocolate’ becomes ’mfsitwhtbc’.
- Then replace some of the letters with capital letters and throw in numbers and symbols to increase the password strength. For example use ’1’ or ’!’ for an ’i’, ’4’ or ’@’ for an ’a’ and so on. The above sample password ’mfsitwhtbc’ then turns into ’Mfs!twht6c’, which is much stronger.
Do your users have one password that they use for everything and want to keep it that way? They can have an easy life and be security-conscious. Here’s how: Advise them to append an additional word/number at the end of the universal password to make it longer and more secure. The add-on can be related to the application/site they’re on, so it’s easy to remember and yet unique. Here’s an example - let’s say the universal password is ’password’ which it should never be of course!. The password ’password’ is predictably rated weak by Microsoft’s Password Checker:
For a florist’s site they can turn it into ’p@ssw0rdfl0wers’ for ’passwordflowers’ and for e-mail it can be ’p@ssw0rdem@1l’ for ’passwordemail’, both of which are much more secure than the initial choice and unique to the respective sites. With just a few modifications, the new password ’p@ssw0rdfl0wers’ achieves the best rating by Microsoft’s Password Checker:
Encourage your users to find out how secure their passwords are by checking their password strength on sites like Security Stats, Password Meter and Microsoft’s Password Checker. You can also suggest they check out Get safe online, a site dedicated to helping web users stay safe online.
What’s the future?
Passfaces
Should passwords disappear then what’ll replace them? An alternative is a system called ’passfaces’ that utilises our innate ability to recognise faces with speed and accuracy. Users are required to correctly select their pre-chosen faces from a random set in order to gain access:
Passfaces has already been implemented by a number of websites.
Random number generators
Some online banking customers are being sent chip-and-pin card readers to add a layer of security. A lot of banks and large corporations are using tokens such as random number generators in addition to passwords to increase security:
RSA is a leading provider of tokens for multi-factor authentication.
Biometrics
Another alternative is biometrics where a person’s physical or behavioural characteristics such as fingerprint, iris or voice are used for authentication. Examples include laptops with built-in fingerprint readers and the new biometric passports in the UK.
These approaches aren’t solutions in themselves but will have to consider the human as being central to the whole authentication process in order to succeed.
In a nutshell...
Traditionally, security has been considered more important than usability. In reality, security measures only succeed when users’ needs are taken into consideration. Contrary to popular belief, security and usability can and should go hand in hand. Let’s hope whatever replaces passwords is designed with usability in mind so we don’t have to lose ours!
About the author
This article was written by Mrudula Kodali. Mru’s crazy about usability - so crazy that she works for Webcredible, an industry leading user experience consultancy, helping to make the Internet a better place for everyone. She’s very good at eye tracking and extremely talented at information architecture.
