Security

Don't shame idiots about their idiotically weak passwords

It won't help the situation (*cough* idiot *cough*)

By John Leyden


Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive, because it serves only to reassure them that they are just like everyone else.

By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

Security specialists should focus less on scaring people and more on humans’ “optimism bias”, which can be harnessed to make people try harder. Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure code, for example.

The industry would do better to focus on positives, confront stereotypes and prime people to make better security choices. “Don’t spread fear - spread hope,” Dr Barker concluded.

Organisations such as the NCSC are taking these ideas on board by, for example, dropping the traditional advice that passwords should be frequently changed. Frequent changes might sound good on paper but they only encourage the use of weak, easily guessable passwords in practice, hence the problem.

Dr Jessica Barker is an expert in the psychology and sociology of cybersecurity, specialising in cybersecurity awareness, behaviour and culture. She recently co-founded Redacted Firm, a vendor-agnostic security consultancy. She made her remarks during a presentation at the IRISSCERT conference in Dublin, Ireland last week. ®
