AskTog: Interaction Design Solutions for the Real World
Interaction Design Section   Living Section   About Bruce Tognazzini
NN/g Home > AskTog > Columns > Maximum Security Ask Tog, April, 1999

Maximum Security

I hold in my hand a letter from American Scandia, the administrator of one of my 401k accounts, that reads, in part:

For added protection of personal information relating to your annuity, we are issuing you the following Personal Identification Number (PIN): 8614. You will be asked to provide your PIN when you call....In addition, you will be required to furnish us with your PIN each time you request a transfer of funds within your annuity....Please memorize your PIN and keep a copy with your other important annuity documents....

So I have the choice of memorizing yet another four digit number or pawing through my safe deposit box (during regular banking hours only) every time I want to phone this company. Now that’s convenience!

Security in our nation’s computer systems is in trouble, and the fault lies with an education system turning out security people unprepared to build real-world secure systems. As a result, many of our most secure-appearing systems sport all the impenetrability of a slice of Swiss Cheese.

Take American Scandia, for example. What do you think most people receiving the above letter are going to do? Memorize yet another PIN? Not bloody likely. Instead, this new PIN will be added to those already scrawled on the note pad beside the phone or along the edge of their monitors. They may even jot the PIN down in their address book, so they (or anyone finding the address book) can call Scandia from anywhere.

Some security.

This problem arises when security architects, in the absence of an understanding of the habits and capabilities of "real people," design systems that are almost impossible for real people to use. But just as often, you will find systems where the security people have bent over backwards to be helpful, so helpful, in fact, that they are causing just as much mischief.

I joined Traveler's Advantage a couple weeks ago and dutifully typed in my password twice, seeing the little row of asterisks each time echoing the characters. Then I clicked Next. Guess what? On the following screen, they showed me a summary of everything I’d typed in, including my password!

Like most people, I do not use an infinite number of PINs and passwords. I used one PIN for my ATM card only and use one additional PIN for sort of general-purpose PIN-like things. I use one six-character password for a wide variety of non-critical stuff, and one super-duper password with mixed-case letters, numbers, and hieroglyphics for few the really important things. That’s a grand total of four passwords to memorize (and I still have to practice them once a week to keep in form).

When someone shows my password on the screen, even though their service is hardly worthy of a password, they are showing one of only two alpha passwords I use, a password that is my entrance into at least 30 different services! That is a major security breech.

But Traveler's Advantage wasn't through. They then fired off an acknowledgment, via insecure e-mail, that read in part:

Welcome to Travelers Advantage!

Here is your membership information:
Name: Bruce Tognazzini
E-mail Address:
Member Number: 543903427

What is wrong with these people?

What’s wrong is that security people typically have zero training in human factors. They know everything there is to know about networks and operating systems, but human beings? Not even on the radar screen.

Interaction designers must take up the responsibility for supplying that critical half of the security picture that has to do with people, not systems. The good news is that security people will listen to cogent, well presented argument. As long as you well-present it enough times.

Apply the following Guidelines to achieve a balance of appropriate security and usability:

Password expiration makes sense when:

  1. Your primary security risk is a break-in from outside the system.
  2. That break-in is likely to go undetected.

If both those conditions are not true, expiring passwords doesn't make a lot of sense when balanced against the reality that people will be compelled to write the new password down and keep it near the system.

And don’t require weird initial passwords, either. One system I consulted on suffered a 40% failure rate because users were required to type in the word, “TREE,” followed by the user’s social security number with no punctuation, e. g., “TREE123456789”.

“TREE 123456789” (with a space between the word and the number) was rejected, as was “tree 123-45-6789” or any other vaguely familiar construction.

You might argue that it must have been a pretty stupid crowd if 40% of the people just flat gave up trying to get in, given they had been handed a paper with clear instructions. However, this particular crowd was, in fact, pretty clever: fully 80% of them were software engineers.

When you take something familiar, like a common word and a commonly-parsed number, and then require people to enter it in a rigid way that is completely counter to their entire life experience, you will see a major breakdown, no matter how clear the instructions.

Security people must work with people trained and talented in human factors to see that real security—and even privacy—are achieved. This partnership requires both sides to give, for the only way to achieve absolute ease of use is to eliminate security, and the only way to achieve absolute security is to lock everybody out. Follow these guidelines and you will achieve something approaching optimal security, and optimal security, in this insecure world, is the best for which we can possibly hope.

Finally, the words are "Log On," not "Logon." This bit of applied ignorance may win out in the end, but we don't have to help it along.

Oh, and those are not my real passwords. Sorry.

Don't miss the next action-packed column!
Receive a brief notice when new columns are posted by sending a blank email to

return to top

Contact Us:  Bruce Tognazzini
Copyright Bruce Tognazzini.  All Rights Reserved