# Users are Not the Enemy

#### Anne Adams & Martina Angela Sasse, Communications of the ACM, Volume 42 Issue 12, Dec. 1999, Pages 40-46
Brigham Young University
## Takeaways

* challenges the consensus that users are careless and unmotivated when it comes to system security
* users do compromise security mechanisms such as password authentication, but because the security is poorly implemented or because they lack the knowledge to use it correctly
* security needs user-centered design
## Recommended policies

Intended to prevent password cracking:

* size and character set
* frequent changes
* single owner

Users don't follow these recommendations -- why?
Note: frequent password changes are no longer recommended. NIST SP 800-63B (2017) advises against forced periodic rotation; a password should be changed when there is evidence it has been compromised. Forced changes add to the memory load that this paper identifies as the main driver of insecure practices.
---

## Survey

* web questionnaire on password-related behaviors (construction, frequency of use, recall, work practices, memorability)
* 139 responses, half from a technology company
* responses analyzed using grounded theory

---

## Four major factors affecting effective password usage

* remembering multiple passwords -- 50% of respondents wrote passwords down
* inadequate knowledge of effective password rules
* disagreeing with work policies
* unaware of security threats

---
It is telling that the only user who made the connection cheerfully revealed that he avoided being tracked by using other users’ passwords for certain transactions, so that “...if there’s any problem, they get it in the neck, not you.”
---

## Users lack security knowledge

* rules for creating secure passwords are kept hidden from users
* lack of awareness leads to insecure password practices
* confusion between user IDs and passwords
Would this still be the case today?
---

## User-centered design

* reduce the burden of multiple passwords
* eliminate required password changes
I cannot remember my password, I have to write it down, everyone knows it’s on a post-it in my drawer, so I might as well stick it on the screen and tell everyone who wants to know.
---

## Motivating users
It is important to challenge the view that users are never motivated to behave in a secure manner. Our results show that the majority of users were security-conscious, as long as they perceive the need for these behaviors, e.g. because of obvious external threats or the perceived sensitivity of the information protected.
## Recommendations

* provide help constructing secure passwords, including online feedback
* reduce the number of passwords users need regularly to 4 or 5
* inform users about threats; detect and challenge users who circumvent security
* align security policies with work practices (e.g. sharing information)
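Added example (not from the paper or these slides) of the "online feedback" the first recommendation asks for. It checks a candidate password the way NIST SP 800-63B now advises rather than with the 1999 policy list: a length minimum, a blocklist of common passwords, no composition rules and no forced rotation, and it explains each finding so the user can fix it instead of working around it. The `COMMON_PASSWORDS` sample, the `RECOMMENDED_LENGTH` target and the `password_feedback()` function are constructed for this example.

```python
import math
import re

# Constructed sample of a compromised/common-password blocklist. A deployment
# loads a real corpus (for example the Have I Been Pwned password set) instead.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty",
    "letmein", "welcome1", "iloveyou", "admin",
}

MIN_LENGTH = 8           # NIST SP 800-63B minimum for user-chosen passwords
RECOMMENDED_LENGTH = 12  # assumption for this example: advisory target, not a hard rule


def charset_size(pw):
    """Size of the union of standard character classes that appear in pw."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        size += 33  # printable ASCII punctuation and space
    return size


def naive_entropy_bits(pw):
    """Guessing cost in bits if pw were chosen uniformly from its character set.
    This is an upper bound: human-chosen passwords are far from uniform, which is
    why the blocklist check matters more than this number."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def is_sequential(pw):
    """True for runs such as 12345678 or abcdefgh (every step +1 or every step -1)."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def password_feedback(password, username=""):
    """Return (accepted, messages). Messages say what to change and why,
    because the paper found users work around rules they do not understand."""
    messages = []
    lowered = password.lower()
    # Strip a trailing digit/"!" suffix so "Password1!" is matched as "password".
    stem = lowered.rstrip("0123456789!")

    if len(password) < MIN_LENGTH:
        messages.append(
            f"Too short: use at least {MIN_LENGTH} characters. A phrase of several "
            "words is both longer and easier to remember than a short random string.")
    if lowered in COMMON_PASSWORDS or stem in COMMON_PASSWORDS:
        messages.append(
            "This password (or this password plus a digit suffix) is on the lists "
            "attackers try first; choose something that is not.")
    if len(username) >= 3 and username.lower() in lowered:
        messages.append("Do not put your user ID inside your password; it is the first guess.")
    if re.fullmatch(r"(.)\1+", password) or is_sequential(password):
        messages.append(
            "Repeated or sequential characters (aaaaaaaa, 12345678) are guessed immediately.")

    accepted = not messages
    if accepted and len(password) < RECOMMENDED_LENGTH:
        messages.append(
            f"Accepted. Going to {RECOMMENDED_LENGTH}+ characters raises the guessing cost "
            f"(about {naive_entropy_bits(password):.0f} bits now) more than adding symbols would.")
    return accepted, messages


if __name__ == "__main__":
    # Constructed inputs for a quick demonstration.
    for candidate, user in [("Password1!", "bob"), ("Tr0ub4d&3", ""),
                            ("alice2024pass", "alice"), ("correct horse battery staple", "")]:
        ok, notes = password_feedback(candidate, user)
        print(f"{candidate!r}: {'accepted' if ok else 'rejected'}")
        for note in notes:
            print("  -", note)
```

The checks are deliberately few: every rule the user sees must be one they can understand and act on, which is the paper's point about hidden rules and circumvention. A mandatory-symbol rule or a 90-day rotation would add nothing a blocklist and a length floor do not already cover, while pushing users back toward `Password1!` and the post-it note.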