Do you use the same password for multiple sites?
Do your eyes glaze over after sites like LinkedIn or Yahoo get massively hacked and, like clockwork, the security wonks come wagging their fingers at you for reusing your passwords?
Do you shrug and say “Hey, it’s not my job to keep those sites from getting turned upside down and shaken by their ankles until all the data tumbles out – it’s theirs!”
If any of that rings a bell, you’re not alone.
Either you need to take a nap, and/or the people who write security warnings need to figure out how to make it all simpler for users, because many of us are suffering from a common malady called security fatigue.
That’s what it’s called in a new study from the National Institute of Standards and Technology (NIST) on what makes computer users feel hopeless and act recklessly.
The study defines security fatigue as “a weariness or reluctance to deal with computer security.”
One of the study research subjects put it this way:
I don’t pay any attention to those things anymore… People get weary from being bombarded by ‘watch out for this or watch out for that.’
Brian Stanton, one of the study’s co-authors and a cognitive psychologist:
The finding that the general public is suffering from security fatigue is important because it has implications in the workplace and in people’s everyday life.
It is critical because so many people bank online, and since health care and other valuable information is being moved to the internet.
If people can’t use security, they are not going to, and then we and our nation won’t be secure.
The study was published this week in IEEE’s IT Professional. It surveyed subjects ranging in age from their 20s to their 60s who come from a diverse mix of suburban and rural areas and who hold a variety of jobs.
The researchers focused on people’s work and home computer use, specifically about online activity, including shopping and banking, computer security, security terminology, and security icons and tools.
Another of the study’s co-authors, computer scientist Mary Theofanos, said the researchers didn’t even have security fatigue in their sights when they set out to do the study. It just oozed out of all those fed-up people, she said:
We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data.
Years ago, you had one password to keep up with at work.
Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.
Indeed. Here’s what it’s done to one study participant quoted by NIST:
I get tired of remembering my username and passwords.
Right about now is when security people will say, “Well, you shouldn’t have to remember your passwords – whether it’s 10 of them or 100! That’s what password managers are for: they’re applications that remember your passwords for you!”
Another study subject:
I never remember the PIN numbers, there are too many things for me to remember. It is frustrating to have to remember this useless information.
Security wonk line: “Password managers can store secure notes, too, so you don’t have to remember PINs, either!”
All you have to do is install a password manager on your mobile devices and desktop. Then when you want to get at, say, your bank’s site to do a little banking from your phone, you just have to start the password manager by pecking at your phone’s teensy tinsy keyboard to input your one very, very strong master password (which, OK, yes, you do have to come up with [here’s how!] and yes, you do have to remember that one), search for the bank’s URL in your password manager’s vault, launch it, then… um… watch as it gives you an error message and fails to log you in, so you launch the bank’s app separately, switch back to your password manager, copy the password, switch back again to the bank app, paste in the bank site password, and presto!
Another slice of your life has dribbled away for the cause of cyber security.
“Umm… NO!!!,” much of the world says to all that, including this tired lab rat:
It also bothers me when I have to go through more additional security measures to access my things, or get locked out of my own account because I forgot as I accidentally typed in my password incorrectly.
The multidisciplinary research team found that the majority of average computer users “felt overwhelmed and bombarded,” got fed up with being on constant alert, having to adopt safe behavior, and trying to understand the nuances of online security issues.
Too many security decisions than they can manage leads to decision fatigue, which leads to security fatigue, which leads to feelings of resignation and loss of control, which in turn lead to just avoiding those decisions entirely.
What fills in that gap: very bad choices – including, for example, using the same password multiple times – impulsive behavior, and ignoring security rules.
Some of the other notions that feed into security fatigue:
- Why would a cyberattacker target me? I’m not important enough for anyone to want my information, and I don’t know anyone who’s ever been hacked.
- Safeguarding data is someone else’s responsibility, be it my bank, an online store or someone with more experience.
- How am I supposed to protect my data when big organizations can’t even do it?
Stanton and Theofanos suggest that to fix this situation, it will take a multidisciplinary team of computer security experts, psychologists, sociologists and anthropologists working together to improve computer security issues, including behavior.
The researchers offered these three ways to ease security fatigue and help users maintain secure online habits and behavior:
- Limit the number of security decisions users need to make
- Make it simple for users to choose the right security action
- Design for consistent decision making whenever possible
Tom
I give classes in computer and internet security to average citizens. Any one who has had a bad virus or fallen for some online scam “usually” takes steps to protect themselves. I gave two classes this week and in both classes I was asked about covering up the camera on laptops. Yes, they can see you, if they want to see you. Most people have no idea what a firewall is or does, or that you can get a virus by visiting a legitimate website (try to explain Java applets to lay people). Most people are aware that clicking on an attachment can load a virus. I may be wrong here but it seems that Gmail removes some attachments for security reasons. Also, most people seem to trust their antivirus program to keep their computer protected, don’t practice “stop, think, connect.”
One more point, they are all shocked to hear that firewalls are probed about once every four minutes.
Bryan
Also, many lay-people are unaware the firewall is powerless to protect them if they click something. Owning an anti-malware license gives rise to the belief that one is bulletproof.
Gmail spam attachments accompany a warning “may contain a virus.” Once an attachment has been scanned it’ll be still visible, but downloading is disallowed.
Art Zamora
“Never give up Never Surrender” should be the Mantra
Bryan
Very much so. Sadly too many users view security as a counterproductive barrier in lieu of a protective one**. This ratio dishearteningly seems to be increasing as well.
** “I just want to get my work done, not waste time with useless passwords!”
heavy sigh.
phoebeann60
The latest trick I’ve found to add to security fatigue is to prohibit auto-filling of username and password fields — i.e., they must be manually entered. This renders password managers impotent and users even more fatigued. You can’t even copy-and-paste your complex 17-character password, you must type it. And my password manager (Roboform) uses a font for the password that makes it impossible to distinguish 1 from l from I, O from 0, etc.
qqq
So far I only encountered a game which didn’t implement Ctrl+V shortcut, but luckily my password manager (KeePass) is able to type password.
On the web I’ve only seen websites that assume you didn’t type your username/password if you (or extension) has pasted it. I just add and remove one symbol but it’s still frustrating.
RichardD
That’s been going on for a long time, and seems to be particularly popular with banks.
Even worse, when someone complains about it, they’re told it’s to *increase* the security of the site, and that the company would “lose their certification” if they removed it.
The marketing drones who post these responses generally assume that the user making the complaint doesn’t know what their talking about, and will go away if the answer sounds technical enough. Which is particularly amusing / frustrating when the user is a well-known and respected security professional! (Eg: Troy Hunt, Paul Moore, etc.)
catlett (@catlett)
When generating complex passwords just keep re-generating until you get a password that doesn’t have characters that COULD be interpreted as different things. Usually just takes me a couple of clicks.
Kurt Schilling
Security fatigue? Yes, many people have become quite tired of all the alerts published by the cybersecurity experts. Just as advertising is driven by fear (OMG I don’t have that thing that makes me sexy, healthly, manly, womanly, rich) the constant bombardment of some entity got hacked, your data and life are in great danger tends to cause the Joe Averageuser to zone out. Ever hear of “crying wolf” or Chicken Little battle cry (The Sky is Falling!)?
Being aware of threats is one thing, doing something about it is entirely different.
Bob
In order to keep life from becoming a pain, some things require a certain amount of effort. Personal computer security is one of them. Password management isn’t difficult – there is plenty of good advice out there for guidance, if you don’t want to use a password manager there are other options – keep them on an encrypted usb stick or write them in a little book and keep it somewhere safe (not next to the computer). How much password fatigue is really ‘can’t be bothered’? Internet security must surely one of the most important issues for anyone that buys and banks online and that must be most people. Reap what you sow.
Wilbur
Part of the problem is that it doesn’t much matter what the users do when the entity hosting the data leaves the key to their database under the door mat. I use a password manager because I don’t trust the government or any business to do the right thing and secure their systems but many people assume somebody on the other end is paying attention. This whole thing has become more “Security Theater” as Bruce Schneier refers to the airport nonsense.
Nicola
This resonates with me! I started using a password manager as soon as I found out such an animal existed. Having just gone and read the article on NIST’s new password rules, there is a lot there that is really great advice. I’d love to see a move away from being restricted to a specific password length, as that is the primary reason I need to keep creating my own passwords rather than letting the password manager generate them.
Trish
I have a good (I think) password system, that follows a sort of pattern I can remember, but gives me a different password for every site. However, it falls down when some sites insist on only 6-8 chars. And our new Virgin wireless router inspired on 6-10 chars, upper, lower, nums and special chars and no more than 3 of reach in a row. In the end we had to leave the password as the one set on the device when it arrived, which I think it’s less secure and shouldn’t be up to them to decide such rules.
catlett (@catlett)
? “… had to leave the password as the one set on the device when it arrived.”
I hope you are joking. You think that is a good idea on a router of all things? You would be better off taping the password to the bottom of your keyboard than leaving it at the default.
Dan Kowalski
Use a password manager. This isn’t difficult AND it keeps you organized with links and any other information in a secure manner. All you need is one decent passphrase as a master password.
qqq
From my experience one isn’t enough.
For example LastPass. You need master password to access the vault, but if you try to access it from a new location then it’ll ask you to confirm your identity through email so now you need 2nd password which is hidden by 1st password.
Offline password managers have similar problem – backup is a must. Storing one on external drive is fine, but you can also store it in a cloud (Google Drive, Dropbox, etc.) which is hidden by at least 1 more password.
catlett (@catlett)
I have been using a highly encrypted password manager for a long time. Never bought into any cloud based password manager either. I don’t find password management to be a big deal at all. The thing that REALLY annoys me is the fake security that almost every online institution prescribes to and that is “security” phrases. These are the exact opposite of security as they are just begging to be social engineered. The problem is that every single institution forces them whether you want them or not so now I not only have to manage passwords. I end up managing all the fake answers I have given to all the forced “security” questions.
Samantha
My security fatigue isn’t with remembering/managing multiple sets of my own credentials, I am just sooo tired with seeing the same old horrible implementation failures by vendors of all shapes and sizes – what’s the point in me maintaining secure passwords if they’re going to be stored in plaintext? or properly managing my own network to discover that there’s hardcoded backdoors in any of the software/hardware that’s running on it? yes, of course users need to keep their credentials secure, but it’s more important for the services and devices we’re using to be secure!! quite frankly I have very little faith left that I can trust ANY service/device to be properly designed and configured to keep any data I give up to it securely