Okay, this isn't strictly speaking about password usability...but
it's an issue that concerns me. It's my belief that this represents
the usability end of the continuum.
My bank (yes, that's right...my *bank*) uses a method that they swear
is extremely difficult to hack (in fact, they switched over to this
system for "enhanced security" purposes): you enter your account
number, press login, and you're taken to a page that has your
password embedded in a graphic (a pretty background picture that you
get to choose) as a graphic...in case that's hard for you to read, it
appears in text below the graphic. Typing in that password gives you
full access to all banking capabilities. You can't use anything but
alphanumeric characters in your password; they insist on one number.
Can anyone here see *anything* about this that qualifies as security?
It seems to me that all I have to do is write a check to one
untrustworthy person, get my purse stolen, apply for direct deposit
with an $8./hr clerk with an attitude and I'm hosed.
Katie
At 1:52 PM -0400 9/19/08, mark schraad wrote:
Well, the reality of the stringent password policy issue is that
people will find lazy workarounds unless they are invested in the
liability. Meaning... if it is their credit card that will be used,
they 'may' be concerned and motivated. I did quite a bit of
ethnography on this and collected a gallery of images - sticky notes
under keyboards, behind monitors, etc... the computer equivalent of
putting the car keys in the visor. The company was in the business of
offering a two factor authentication solution so we weren't
particularly interested in solving the specific usability problem of
passwords, but instead worked to solve the overarching problem with a
hardware component. If I can help any further Meredith, just let me
know.
Mark
On Fri, Sep 19, 2008 at 1:38 PM, Meredith Noble
<[EMAIL PROTECTED]> wrote:
When I worked in this field, we used to explain that usability and
security, at the extremes, were two opposite ends of a continuum.
Adding to one nearly always compromised the other. I know it is a bit
simplistic, but it works as a quick explanation.
Thanks, Mark. I am quite familiar with the usability-security continuum,
but I'm surprised at how few sites out there have concrete
recommendations on where the best place along the continuum is. I guess
it's still too controversial, but surely someone out there has some
opinions on what the best password policy is, trading off complexity /
"time to hack" and ability for users to remember. Perhaps, as you say,
they're all lurking in Forrester, which, sadly, I don't have access to!
Another person replied to me privately with the following blog post:
> http://www.baekdal.com/articles/usability/password-security-usability/
The author talks about how long it would take a hacker to break certain
passwords. It's easy to calculate how long brute force attacks might
take, but it gets scary when you look at dictionary attacks.
I think my recommendation is going to be a weak-medium-strong entropy
indicator that takes dictionary words into account, plus restricting the
number of attempts the user can make within a time period.
I am EXTREMELY worried about forcing high entropy on people though... so
that's where I start sighing. Sigh.
Meredith
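The recommendation in Meredith's post above, a weak/medium/strong indicator that discounts dictionary words and a cap on login attempts per time window, as an added Python sketch that is not part of this thread. The toy wordlist, the assumed wordlist size, the assumed guess rate and the rating thresholds are all constructed assumptions, chosen only to show why a dictionary-aware estimate differs from the naive brute-force one.

```python
import math
import re
from collections import defaultdict, deque

# Constructed toy wordlist; a real meter would load an actual cracking dictionary.
WORDLIST = {"password", "summer", "dragon", "monkey", "letmein", "welcome"}
WORDLIST_SIZE = 100_000      # assumed size of the attacker's dictionary
GUESSES_PER_SEC = 1e9        # assumed offline guessing rate (assumption)

def charset_size(pw):
    """Alphabet an attacker must brute-force: lower, upper, digits, symbols."""
    classes = [(r"[a-z]", 26), (r"[A-Z]", 26), (r"[0-9]", 10), (r"[^A-Za-z0-9]", 33)]
    return sum(n for pat, n in classes if re.search(pat, pw))

def naive_bits(pw):
    """Brute-force estimate: each character is an independent draw from the charset."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0

def dictionary_aware_bits(pw):
    """Greedy left-to-right split into wordlist words (one of WORDLIST_SIZE choices,
    never credited more than brute-forcing that word) plus leftover characters."""
    low, cs, bits, i = pw.lower(), charset_size(pw) or 1, 0.0, 0
    while i < len(pw):
        end = next((j for j in range(len(pw), i, -1) if low[i:j] in WORDLIST), 0)
        if end:  # longest dictionary word starting here counts as one token
            bits += min(math.log2(WORDLIST_SIZE), (end - i) * math.log2(cs))
            i = end
        else:    # a character not starting any word keeps its charset entropy
            bits += math.log2(cs)
            i += 1
    return bits

def crack_seconds(bits):  # time to enumerate the whole space at the assumed rate
    return 2 ** bits / GUESSES_PER_SEC

def rating(pw):
    """Weak / medium / strong bands; the thresholds are assumptions, not a standard."""
    bits = dictionary_aware_bits(pw)
    return "weak" if bits < 30 else "medium" if bits < 50 else "strong"

class AttemptLimiter:
    """Allow at most max_attempts login tries per account within window seconds."""
    def __init__(self, max_attempts=5, window=300):
        self.max_attempts, self.window = max_attempts, window
        self.log = defaultdict(deque)   # account -> timestamps of recent attempts
    def allow(self, account, now):
        q = self.log[account]
        while q and now - q[0] >= self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True
```

"password1" scores about 22 bits here against 46 naive bits, which is the gap Meredith describes between brute-force and dictionary attacks.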
________________________________________________________________
Welcome to the Interaction Design Association (IxDA)!
To post to this list ....... [EMAIL PROTECTED]
Unsubscribe ................ http://www.ixda.org/unsubscribe
List Guidelines ............ http://www.ixda.org/guidelines
List Help .................. http://www.ixda.org/help
--
Katie Albers, Senior Director
Web-Based Services
Mary-Margaret Network
Find. Grow. Work. Play.
+1 310 356 7550 (voice)
+1 877 662 3777 x 709
[EMAIL PROTECTED]
http://www.mary-margaret.com