Don't shame idiots about their idiotically weak passwords

It won't help the situation (*cough* idiot *cough*)

By John Leyden

Posted in Security, 27th November 2017 10:57 GMT

Attempting to scare people by telling them their password choices are stupid or easily guessable is counterproductive, because it serves only to reassure them that they are just like everyone else.

By saying users are stupid, you perpetuate a stereotype that people are the problem, according to Dr Jessica Barker.

Security specialists should focus less on scaring people and more on humans’ “optimism bias”, which can be harnessed to make people try harder. Subtle reminders and behavioural priming have been shown in experiments to be a way to get developers to produce more secure code, for example.

The industry would do better to focus on positives, confront stereotypes and prime people to make better security choices. “Don’t spread fear - spread hope,” Dr Barker concluded.

Organisations such as the NCSC are taking these ideas on board by, for example, dropping the traditional advice that passwords should be frequently changed. Frequent changes might sound good on paper, but in practice they only encourage the use of weak, easily guessable passwords, which is the very problem the advice was meant to solve.

Dr Jessica Barker is an expert in the psychology and sociology of cybersecurity, specialising in cybersecurity awareness, behaviour and culture. She recently co-founded Redacted Firm, a vendor-agnostic security consultancy. She made her remarks during a presentation at the IRISSCERT conference in Dublin, Ireland, last week. ®
