3 research outputs found

    The true cost of unusable password policies: password use in the wild

    HCI research published 10 years ago pointed out that many users cannot cope with the number and complexity of passwords, and resort to insecure workarounds as a consequence. We present a study which re-examined password policies and password practice in the workplace today. 32 staff members in two organisations kept a password diary for 1 week, which produced a sample of 196 passwords. The diary was followed by an interview which covered details of each password, in its context of use. We find that users are in general concerned to maintain security, but that existing security policies are too inflexible to match their capabilities, and the tasks and contexts in which they operate. As a result, these password policies can place demands on users which impact negatively on their productivity and, ultimately, that of the organisation. We conclude that, rather than focussing password policies on maximizing password strength and enforcing frequency alone, policies should be designed using HCI principles to help the user to set an appropriately strong password in a specific context of use.

    Situating the transient user: overcoming challenges in the design of e-government systems

    e-Government systems present new challenges for user involvement in the design process. Existing user-centred and participatory design methodologies were mainly developed for situations where a user is in the workplace. In e-government applications the user population is heterogeneous and numerous; the increasing ubiquity of e-government systems also questions the concept of “the interface”. This paper presents the results of a study of discourses of e-government users in two case studies of interaction with new information systems in transport, which illuminate usability problems arising from a failure to prioritise users’ needs at all stages. An approach is proposed which accounts for the values as well as the goals of users, appropriating stakeholder analysis and ideas from Soft Systems Methodology while recognising that the routine actions of users in the real world are situated and contingent.

    Studying Password Use in the Wild: Practical Problems and Possible Solutions

    HCI research into usability and security over 10 years has repeatedly found that users are unable to cope when faced with unusable password policies. Yet to show the full impact of these policies, it is necessary to consider the context of use within the organisation. Password requirements which users cannot meet have a cost in terms of impact on users’ primary task and, hence, loss of productivity. Conversely, organisational practices determine the numbers of passwords and the frequency of use. Retrospective accounts, questionnaires, and experimental methods fail to capture the full context of use. We present our experiences from the use of a study which was designed to overcome these shortcomings. We devised a structured diary study of password use followed by detailed debrief interviews. We found that this study effectively elicited participants’ main password uses and brought to light details of the context of use. However, the study did not capture accurate measures of workload or time taken in password use; these are better measured through other methods. Finally, our research leads us to conclude that there are further impacts of passwords in the workplace which can only be fully understood from richer ethnographic methods.