Don't shame idiots about their idiotically weak passwords

It won't help the situation (*cough* idiot *cough*)

By John Leyden

Posted in Security, 27th November 2017 10:57 GMT

Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive, because it serves only to reassure them that they are just like everyone else.

By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

Security specialists should focus less on scaring people and more on humans' "optimism bias", which can be harnessed to make people try harder. Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure code, for example.

The industry would do better to focus on positives, confront stereotypes and prime people to make better security choices. “Don’t spread fear - spread hope,” Dr Barker concluded.

Organisations such as the NCSC are taking these ideas on board by, for example, dropping the traditional advice that passwords should be frequently changed. Frequent changes might sound good on paper, but in practice they only encourage the use of weak, easily guessable passwords, hence the problem.

Dr Jessica Barker is an expert in the psychology and sociology of cybersecurity, specialising in cybersecurity awareness, behaviour and culture. She recently co-founded Redacted Firm, a vendor-agnostic security consultancy. She made her remarks during a presentation at the IRISSCERT conference in Dublin, Ireland last week. ®
