Don't shame idiots about their idiotically weak passwords

It won't help the situation (*cough* idiot *cough*)

By John Leyden


Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive: because it serves only to reassure them that they are just like everyone else.

By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

Security specialists should focus less on scaring people and more on human’s “optimism bias” which can be harnessed to make people try harder. Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure code, for example.

The industry would do better to focus on positives, confront stereotypes and prime people to make better security choices. “Don’t spread fear - spread hope,” Dr Barker concluded.

Organisations such as the NCSC are taking these ideas on board by, for example, dropping the traditional advice that passwords should be frequently changed. Frequent changes might sound good on paper but they only encourage the use of weak, easily guessable passwords in practice, hence the problem.

Dr Jessica Barker is an expert in the psychology and sociology of cybersecurity, specialising in cybersecurity awareness, behaviour and culture. She recently co-founded Redacted Firm, a vendor-agnostic security consultancy. She made her remarks during a presentation at the IRISSCERT conference in Dublin, Ireland last week. ®

Sign up to our NewsletterGet IT in your inbox daily


More from The Register

Solid password practice on Capital One's site? Don't bank on it

What's in your wallet? Definitely not a password manager

Boffins bypass password protection with pilfering by phony programs

Google Instant Apps still needs a lot of work on security

Password re-use is dangerous, right? So what about stopping it with password-sharing?

If Facebook knows you use the same password on Twitter, both can hassle you to change

Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

No reason to panic, apparently: Redoing login details to become a regular thing

Bloke jailed for trying to blow up UK crypto-cash biz after it failed to reset his account password

Would-be bomber thrown in the cooler for six and a half years

Leatherbound analogue password manager: For the hipster who doesn't mind losing everything

Notebook undermines years of good security hygiene with style

Android apps prove a goldmine for dodgy password practices

Bsides SF And password crackers are getting a lot smarter

Twitter: No big deal, but everyone needs to change their password

Biz does a GitHub, downplays security blunder as log file of credentials left unencrypted

Windows 10 bundles a briefly vulnerable password manager

Keeper exposed punters to drive-by click-jack pwnage

Cisco NFV controller is a bit too elastic: It has an empty password bug

Critical patch lands for that, UCS Domain Manager flaw, dirty dozen lesser messes fixed