The Security Paradox

By Deane Barker on November 10, 2003

Security D’ohLTs: Bruce Tognazzini goes off on the security profession. He has a good point, though: if your security system is too complex, you basically guarantee that your users are going to write passwords down. So the tighter you lock things down, the more often basic security guidelines are going to be violated to make up for it.

“I’ve been watching security people for years as they’ve slowly increased the security of everything they can get their hands on until any idiot can wander in. […]

Only a D’ohLT would come up with a security scheme that is so overly complex that it’s guaranteed people will write down their passwords. And yet, this kind of D’ohLTishness is par for the course with these guys. They are the most clueless profession I know, and they are showing no signs of getting any better.”

The point here is that there’s an upper limit to how complex security can get: the limit of the human attention span. This leads to a counterintuitive effect: if you make security simpler to use, it becomes more secure, because people will use it the correct way more often.

I’ve always thought that biometrics, like fingerprint scanners, would bring this about. Think about it: if you just had to touch a finger pad to make something work, wouldn’t you be a lot happier and your stuff be a lot more secure?