‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly

213 points by molecule over 8 years ago

21 comments

shp0ngle over 8 years ago
I don't have a security fatigue, but I sure have 'privacy fatigue'.

I should worry about Google knowing this and that about me, I should worry about the stupid retargeting and the fact that if I do something online, it follows me through the web with banners and "youtube recommendations". And that everything is saved and googlable and everyone can know everything about me.

And I used to be worried, but now, I gave up. The assault of the security sucking companies is too high - Facebook and Google have the best engineers and everyone loves their open source code - and it's just way too convenient.

Sorry for unrelated ranting.

robbrown451 over 8 years ago
I think one of the worst things is the sites that think they are being "more secure" by adding extra rules for passwords beyond the typical. If people want to use the same password for everything -- or maybe better, use one password for the really important stuff and another password for everything else -- you really shouldn't try to fight against that by requiring at least one capital letter and at least one number and at least one symbol (or whatever).

Another obnoxious thing is sites that, when you change your password, don't let you use one you've used in the last X months.

In both these cases, what happens is that you defeat people's attempts to make their passwords adhere to some system they can remember. And then they just say "f*ck it" and do really easy to guess passwords.

colordrops over 8 years ago
"Security Fatigue", or just plain old drowning? I'm a software engineer and I feel like it's impossible to completely secure my hardware. It's a full time professional job to secure a computer, and at some point you just give up and do the best you can, knowing there are probably several holes in your security you aren't even aware of.

patmcguire over 8 years ago
Yeah, I definitely reuse passwords for things, and not always strong ones. I do have a certain nihilistic resignation about the whole thing: sure, I can turn on two factor auth with a different automatically generated GUID password I keep in a password manager, but anyone can open up a line of credit anywhere in the country under my name if they know one 9 digit number that isn't really secret and can never be changed.

What's the point?

tetrep over 8 years ago
It's unfortunate that "good UX" isn't really considered across *all* fields which have users. The recommendations to mitigate security fatigue are no different than any sort of user frustration:

1. Limit the number of ~~security~~ decisions users need to make;

2. Make it simple for users to choose the right ~~security~~ action; and

3. Design for consistent decision making whenever possible.

GigabyteCoin over 8 years ago
> Security fatigue is defined in the study as a weariness or reluctance to deal with computer security.

Can that even be defined if it completely overlaps the umbrella of "people who use computers but are not IT professionals"?

One of my friend's passwords for everything is expl0r3r and has been for years because his family drove a Ford Explorer when he was younger.

Another buddy's password for everything is "Duncan" ... because his dog is named Duncan.

Pretty much everybody else I know has their password literally stickied to the side of their monitor or sitting on their desk somewhere.

Can "Security Fatigue" really be a thing if the entire world is subject to it?

Area12 over 8 years ago
From an old IT guy, none of this is new ... Scott Adams (of Dilbert) noted it in 1998: http://dilbert.com/strip/1998-04-06

That was 18 years ago.

Particularly raw for Dilbert: "Squeal like a pig" is from the 1972 movie "Deliverance" and refers to an assault that was one of the most disturbing US mainstream movie scenes of the 1970s.

The only real improvement in all that time that I can think of: password managers. I almost said Single Sign On, but that comes with its own security issues.

raesene9 over 8 years ago
I'm not really surprised to see this at all. The problem of non-technical users being asked to operate systems in what is a very hostile environment (The Internet) has been evident for a while.

My prediction is that this will lead to even more of a rise of walled garden style ecosystems, where this problem is at least partially managed for the user by the owner of the ecosystem.

So for example if I use iOS apps for everything I can let them handle authentication for me and use my fingerprint, which is a much much nicer user experience than remembering a load of passwords.

Of course that's not great for the open web, but this very much feels like a tragedy of the commons to me, everyone knows better security is needed, but no-one wants to be the body leading the charge as it's a really hard problem to solve.

ocdtrekkie over 8 years ago
One of the worst ones is those malicious "your computer has been infected" ads, that web browsers allow to disable the close tab buttons with message box windows and such. Users get frustrated, and give up and call the phone number, pay the $250, etc.

It's very hard for me to convince people that:

A. More than likely anything you do before you call me, is going to make it worse.

B. You can always just shut off your PC.

mtgx over 8 years ago
This seems to be mostly about "having to remember too many passwords":

> *“Years ago, you had one password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”*

So why not switch to using password managers and hardware tokens then?

dkfmn over 8 years ago
For the love of all that's holy, my local pizza shop does NOT need a secure password. They don't even store my credit card. I honestly do not care if someone logs in and sees my favorite order.

tpeo over 8 years ago
The phrase "security fatigue" makes me raise an eyebrow. Are these guys implying I *should* keep track of twenty or thirty passwords, but I just can't keep up?

Frankly, if it's not something I use every day and care about, I can't be bothered to put a strong password in it.

ben_jones over 8 years ago
Have end users felt major repercussions from any of the large hacks that have happened in the last five years? I feel like it actually induces *positive* feedback, at least from some consumer companies. For example Sony got hacked and users got (2?) free games. The government got hacked and users got free credit monitoring. I understand such hacks fuel credit card fraud and identity theft, but at least in my small non-tech circle this has been a nonfactor.

zerognowl over 8 years ago
Qubes + Whonix + Store-bought Thinkpad with the motherboard/circuitry xrayed and diffed with other 'clean' / non-tampered Thinkpads = Win

Bonus points for:

- Basic internet hygiene. Clear that history!

- Compartmentalization. Don't put all your eggs in one basket!

- Low footprint. Don't stand out in the crowd!

- Avoid prismware like Windows at all costs!

- Blanket encrypt *everything* no matter how non controversial it is!

- Throw out your smartphone! Buy all the old Nokias!

- Don't order laptops from Amazon!

abalone over 8 years ago
This is why Touch ID & iCloud Keychain are such important advancements. It's not enough to make it possible to securely manage passwords. You also have to make it easy.

awongh over 8 years ago
Is it possible that a startup could come into this space and solve some of this problem?

Something between *all your passwords are belong to us* walled garden touch id scheme and tin foil hat must memorize new 20 char randomized password every 10 months setup....

It seems that answers to this problem fall into one extreme or the other, but I would personally use a solution somewhere between the two that gave me peace of mind and was convenient at the same time.

This would probably be a password manager type thing / cloud solution? Maybe open source?

Some things I'd like to see:
- secure passwords where appropriate: do I need my Pinterest account to be *super secure*?
- 2 factor auth where appropriate: protect my bank accounts, etc.
- tell me when there's been a breach and prompt me to change my password - who can keep track of all the times I need to change my password?
- let me have a rememberable password sometimes - sometimes I need to log into something not on my personal phone / computer etc.
- don't let the NSA spy on me / my cloud account / make it harder than normal
- maybe integrate with keyfobs / security hardware where appropriate

That's some stuff off the top of my head but there are so many little catches in dealing with passwords that I would be happy to pay for a product that helped me manage it in the right way.

I wonder if there are others out there that fall into this same middle ground of, secure, private, good-enough?

raarts over 8 years ago
1password almost completely solved this problem for me. Something like it should become part of the OS. Although I wish the agilebits people all the best...

0xcde4c3db over 8 years ago
The silly password rules aren't great, but on the whole I think of the issue more as "account fatigue" (which is sort of mentioned in the opening paragraph and then largely ignored). At work alone, I have:

1) A Windows domain account

2) A GitHub account

3/4) Accounts for two separate project management web apps

5) An account for our own web app

6) An account for the payroll web app

7) An account for the HR performance appraisal web app

8) An account to register for on-site flu shots

9) An account on a project development VM

10) An account for the outsourced IT security training

And probably a few more that I forgot because I'm not in front of my password manager right now.

It also doesn't help that we have a narrative around "identity theft" that puts virtually all of the burden of a leak on the account holder, even in cases where it was unequivocally the company's security that failed.

sumitgt over 8 years ago
Looks like most of the problems these users have can easily be solved by using something like Lastpass.

I personally feel like people who are tech-savvy should encourage and teach everyone else to use password managers.

sslmann2199 over 8 years ago
Past

jungletek over 8 years ago
It's not security fatigue, it's just old-fashioned laziness combined with ignorance, compounded by the "on-a-computer" rationale that makes 'normal' people turn their brain off because they treat this box like it's black magic rather than trying to understand it.

That they 'have' to use this box for work or recreation, rather than having a curiosity that fuels learning and exploration and therefore better understanding, leads to them feeling like they're at the mercy of the machine, rather than the master of it.