
Users Rationally Rejecting Security Advice (2009) - anacleto
https://www.schneier.com/blog/archives/2009/11/users_rationall.html
======
ghshephard
I like the approach they take in Singapore - take the default posture that
users will probably not be security aware and will also reject your advice.

Want to log in to your bank account? 100% required that you have a two-
factor SMS token in addition to your user ID and password.

Want to do bill pay to a new bill-payer? Not only do you need to have your two-
factor SMS token to first log in and then make the payment, you also need the
_physical_ token they sent you to do a crypto-sign of the bill-payer account
information before you can add the new bill-payer.

Coming from the United States, I'm blown away by how much more secure (and
convenient - love bank-to-bank transfers, haven't used a paper cheque in 2+
years) banking is in Singapore. Probably suggests why PayPal took off faster in
the USA than here as well.

~~~
currysausage
_> Want to log in to your bank account? 100% required that you have a two-
factor SMS token in addition to your user ID and password._

Still leaves the user open to MITM, viruses, and SMS interception. You should
take a look at chipTAN [1] [2]. The user has to confirm account number and
transfer amount on a little device before the crypto chip on the debit card
generates a TAN that is valid only for this specific transaction.

I'm not a great fan of German IT (often unimaginative and slow-moving; e.g.
none of the major German e-mail providers offer any form of 2FA), but this
chipTAN thing is pretty fascinating from a crypto standpoint.

[1] https://en.wikipedia.org/wiki/Transaction_authentication_number#chipTAN_.2F_cardTAN

[2] https://www.youtube.com/watch?v=LAjLXxrqqK8&t=1m9s

~~~
ghshephard
Yes - the Singapore system uses an offline "signing" physical dongle, in which
you enter the account that you would like to use, click "sign", and then enter
that information into the website, when you wish to add a new payee.

The thing is - once you get used to this system, the "cost" faced by the user
goes away. I type in a 2FA code a dozen times a day when logging in, and the
overhead (wait 3 seconds, type in a 6 digit number in 3 seconds) is really
pretty insignificant.
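The property currysausage describes for chipTAN above, and that ghshephard's offline signing dongle relies on, is that the code the user types is a signature over the payee and amount the user actually confirmed, not a bare proof of possession. The following is an added, constructed model of that difference (it is not the real chipTAN/cardTAN algorithm nor any bank's code). It assumes a per-card secret shared with the bank, a per-card counter, and HOTP-style truncation of an HMAC; the key, IBANs and amount are made-up samples. An SMS-style OTP bound only to the counter is modelled alongside to show why it does not stop a man-in-the-browser that rewrites the payee.

```python
import hashlib
import hmac

# Constructed, simplified model of a transaction-bound TAN (added example; not the
# real chipTAN/cardTAN algorithm or any bank's code). Assumptions: the card and
# the bank share a per-card secret key, the reader shows payee and amount for the
# user to confirm, and the TAN is a truncated HMAC over a per-card counter plus
# exactly those confirmed values. An SMS-style OTP is modelled alongside: it is
# bound to the counter only, so it proves possession but signs nothing.

TAN_DIGITS = 6


def _truncate(mac: bytes) -> str:
    """HOTP-style dynamic truncation (RFC 4226) to a short decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** TAN_DIGITS:0{TAN_DIGITS}d}"


def card_generate_tan(card_key: bytes, counter: int, payee: str, amount_cents: int) -> str:
    """Runs on the offline card/reader after the user confirms payee and amount."""
    msg = f"{counter}|{payee}|{amount_cents}".encode()
    return _truncate(hmac.new(card_key, msg, hashlib.sha256).digest())


def bank_verify_tan(card_key: bytes, counter: int, payee: str, amount_cents: int, tan: str) -> bool:
    """The bank recomputes the TAN over the transfer it is actually about to execute."""
    expected = card_generate_tan(card_key, counter, payee, amount_cents)
    return hmac.compare_digest(expected, tan)


def sms_style_otp(card_key: bytes, counter: int) -> str:
    """Login OTP: bound to the counter only, not to any transaction details."""
    return _truncate(hmac.new(card_key, f"{counter}".encode(), hashlib.sha256).digest())


def bank_execute_with_otp(card_key: bytes, counter: int, payee: str, otp: str):
    """Returns (accepted, payee the bank would pay); the OTP cannot bind the payee."""
    ok = hmac.compare_digest(sms_style_otp(card_key, counter), otp)
    return ok, (payee if ok else None)


def demo() -> dict:
    """Honest transfer, a MITM rewriting the payee, and a replay at the next counter."""
    card_key = b"constructed-per-card-key-32bytes"   # constructed sample key
    counter = 7
    payee, amount = "DE89370400440532013000", 12_050   # constructed sample transfer
    attacker = "DE02100100109307118603"               # constructed attacker account

    tan = card_generate_tan(card_key, counter, payee, amount)   # user confirmed payee+amount
    otp = sms_style_otp(card_key, counter)                      # user typed the SMS code

    return {
        # Transaction-bound TAN: only the confirmed transfer verifies.
        "tan_honest": bank_verify_tan(card_key, counter, payee, amount, tan),
        "tan_mitm_rewrote_payee": bank_verify_tan(card_key, counter, attacker, amount, tan),
        "tan_replayed_next_counter": bank_verify_tan(card_key, counter + 1, payee, amount, tan),
        # SMS-style OTP: the bank accepts the code and pays whatever payee the
        # (possibly MITM-altered) form carried.
        "otp_mitm_payee_paid": bank_execute_with_otp(card_key, counter, attacker, otp),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the model makes concrete: with the TAN, a malware-modified payee fails verification at the bank because the user's confirmed values are part of the MAC input, and the counter stops replay; with the OTP, verification succeeds and the bank pays the attacker's account, because nothing in the code depends on what the form said. A 6-digit truncation leaves a roughly one-in-a-million chance of an accidental match, which is why real schemes also rate-limit and lock the card after a few failures.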

~~~
dublinben
Typing a 2FA code a dozen times a day is a pretty significant cost. You might
be used to it, but as someone who does this at most once a day, I find it
burdensome.

~~~
reagency
Why would you type a 2FA code when you have bluetooth?

~~~
dublinben
Why would you trust Bluetooth for anything security related?

------
cantrevealname
Applied to a _population_ , the argument makes sense:

100 million users spent 1 minute/day verifying URLs --> cost of $33M of lost
productivity (assume wage of $20/h) --> avoids 10,000 successful phishing
attacks (.01% of population) --> saves $500K (each victim loses $500) --> not
worth following security advice (since $33M is far greater than $500K)

Applied at an _individual_ level, the argument makes less sense:

1 user (i.e., me) spends 1 minute/day verifying URLs --> cost of $0.33 of lost
productivity --> avoid .01% chance of phishing attack --> avoid .01% chance of
loss of $500 --> but in the event I do get phished, my loss is $500 + WEEKS of
hassle with banks, credit reporting agencies, etc, to clean up the mess!

This is like the antibiotics trade-off. We don't want the population to
overuse antibiotics to avoid building resistance in the _population_. But if
_I'm_ sick, and there's only a 10% chance that the antibiotic is useful (and
90% chance that my illness is viral and therefore the antibiotic is useless
but otherwise harmless), then it's still in my _individual_ interest to take
it.

~~~
Domenic_S
Interesting logic but bad conclusion -- why didn't you do the final
calculation?!?!

1 minute/day verifying URLs --> cost of $0.33 of lost productivity --> avoid
.01% chance of phishing attack --> avoid .01% chance of loss of $500 -->
_avoid a loss of $0.05_

With these numbers, it never makes sense to verify URLs ($0.33 > $0.05).

> _my loss is $500 + WEEKS of hassle with banks, credit reporting agencies,
> etc, to clean up the mess!_

This is the rub IMO.. if it costs you $2,000 in time/lost wages/whatever to
work through fixing it, it still only costs $0.25 total/day, ie still not
worth it. If it costs $3,000, then it's worth it.

> _This is like the antibiotics trade-off._

Not really - you saw "population" and made the connection, but it isn't there.
In the antibiotics situation, there's a common resource - antibiotic
effectiveness - that is slowly depleted as a member of the population
partakes. It's in the population's interest to maintain the resource, and in
the individual's interest to deplete it. This is called Tragedy of the Commons
[0].

For security though there is no analogous common resource; my security
practices as a user and yours aren't connected in that way. It's everyone for
themselves.

[0]
[https://en.wikipedia.org/wiki/Tragedy_of_the_commons](https://en.wikipedia.org/wiki/Tragedy_of_the_commons)
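The back-and-forth above is an expected-value calculation, and it is easier to argue about once the inputs are parameters. The block below is an added example (not from the paper, the blog post or either commenter) that models one piece of advice per user per day with the thread's numbers (1 minute/day at $20/h, a 0.01% chance, a $500 direct loss, an optional clean-up cost) and derives the break-even loss per incident that Domenic_S's $2,000/$3,000 comparison is circling. It treats the 0.01% as a per-day probability, as the comments implicitly do; that and the dollar figures are the thread's hypotheticals, not data. Run on 100 million users it also shows the population figure the arithmetic actually gives for 10,000 incidents at $500 each.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AdviceEconomics:
    """Cost/benefit of one piece of security advice for one user, per day.

    Added example using the thread's hypothetical numbers; the probability is
    taken as a per-day chance, as the comments implicitly do.
    """
    minutes_per_day: float     # user time the advice consumes
    wage_per_hour: float       # value of that time
    p_attack_per_day: float    # daily chance the advice averts an attack
    direct_loss: float         # money lost per successful attack
    cleanup_cost: float = 0.0  # hassle (weeks with banks etc.) expressed in money

    @property
    def daily_cost(self) -> float:
        return self.minutes_per_day / 60.0 * self.wage_per_hour

    @property
    def loss_per_attack(self) -> float:
        return self.direct_loss + self.cleanup_cost

    @property
    def daily_expected_loss_avoided(self) -> float:
        return self.p_attack_per_day * self.loss_per_attack

    @property
    def worth_following(self) -> bool:
        return self.daily_expected_loss_avoided > self.daily_cost

    def break_even_loss_per_attack(self) -> float:
        """Loss per incident at which following the advice starts to pay."""
        return self.daily_cost / self.p_attack_per_day

    def break_even_probability(self) -> float:
        """Daily attack probability at which it starts to pay, at the given loss."""
        return self.daily_cost / self.loss_per_attack

    def population(self, users: int) -> dict:
        """Aggregate over a population in which everyone follows the advice."""
        return {
            "daily_cost": users * self.daily_cost,
            "attacks_averted": users * self.p_attack_per_day,
            "loss_avoided": users * self.daily_expected_loss_avoided,
            "net": users * (self.daily_expected_loss_avoided - self.daily_cost),
        }


# The thread's inputs: 1 min/day at $20/h, 0.01% chance, $500 direct loss.
BASE = AdviceEconomics(minutes_per_day=1, wage_per_hour=20,
                       p_attack_per_day=0.0001, direct_loss=500)
WITH_2000_CLEANUP = AdviceEconomics(1, 20, 0.0001, 500, cleanup_cost=2000)
WITH_3000_CLEANUP = AdviceEconomics(1, 20, 0.0001, 500, cleanup_cost=3000)

if __name__ == "__main__":
    print(f"daily cost ${BASE.daily_cost:.2f} vs expected loss avoided "
          f"${BASE.daily_expected_loss_avoided:.2f} -> worth it: {BASE.worth_following}")
    print(f"break-even loss per incident: ${BASE.break_even_loss_per_attack():,.0f}")
    print(f"with $2,000 clean-up: {WITH_2000_CLEANUP.worth_following}; "
          f"with $3,000: {WITH_3000_CLEANUP.worth_following}")
    print(f"population of 100M: {BASE.population(100_000_000)}")
```

With these inputs the break-even loss per incident is about $3,333, which is why a $2,000 clean-up (total $2,500) still loses and a $3,000 clean-up (total $3,500) wins. The model also makes the paper's point visible: if user time is valued at zero (`wage_per_hour=0`), every piece of advice is worth following, which is the mistake the conclusion quoted further down the thread describes.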

------
danibx
I treat password strength relative to the importance I give the service I'm
using. If it is something I care about I will use an 8-12 character password
with a few uppercase letters and digits. If it is something I don't care
about, but requires an account, "1234" should be enough.

I have even given up on registering on a few sites because they required a
safe password. This is getting even more common to me with mobile apps. Typing
long passwords on a small touch screen keyboard is difficult.

~~~
bargl
Troy Hunt comments on this. If it's a non-important site that shares a
password with another important site, that is an attack vector (I'm sure you
aren't doing this but many users do). So if you stick to giving all
non-important sites weak passwords you'll probably be fine; you just have to
make sure there is no attack vector to another site of more importance.

I.e., if one of them has the last 4 digits of your credit card then they can
call customer service at another more important site and get more information,
building to a full scale attack. It could happen in a similar way to what
happened to Mat Honan: http://www.wired.com/2012/08/apple-amazon-mat-honan-hacking/

However, that example leads to what the article is talking about. If it's a
low probability then users figure the risk is worth it.

~~~
IceSt0rm
I use LastPass and it seems to work well. Have it generate a strong 12 character
password with uppercase, lowercase, special characters and numbers (depending
on the restrictions of the application). Secure it with a strong master
password and change the master password on a regular basis.

That said, if someone guesses your master password, then you are in trouble.

------
DanielBMarkham
It's worse than that. Since modern systems are multi-layered and many of the
layers are not even administered by the user, even users that followed advice
given are vulnerable to loss, so for folks trying to make an economic trade-
off in terms of time and hassle, it's all just a crap shoot. Do some stuff
that you feel might be reasonable, like install Norton or something, come up
with a password that includes both your name and your ssn, then wear gloves
when you click on pron sites.

It's really quite ludicrous the situation we put the average user in. There
are folks who spend hundreds of hours worrying about security and still get
taken to the cleaners. What chance does Joe Sixpack really have?

------
api
"Looking at various examples of security advice we find that the advice is
complex and growing, but the benefit is largely speculative or moot. For
example, much of the advice concerning passwords is outdated and does little
to address actual threats, and fully 100% of certificate error warnings appear
to be false positives."

I've thought the same about highly restrictive network firewalls for years.
Most threats today are 'pulled' in via http, e-mail, software update feeds,
etc., or entry is made via phishing or social engineering. Highly restrictive
firewalls don't do anything about any of that, and they impose significant
inconvenience. Your firewall is security theater.

Part of the problem with security is that it's a gut feeling, unsupported
"expert" opinion, and tech-folklore driven discipline. At worst it's cargo-
cultish and almost superstitious.

For one example consider the extremely common -- and utterly dumb -- belief
among many that NAT improves security. It's a superstition. How? What threats
does it mitigate that can't be mitigated otherwise? Get concrete, give
examples, show data. Nope.

~~~
Spooky23
NAT is generally paired with a firewall.

Tell me how you would ship a device for $20 that will support an arbitrary
number of IP devices behind the firewall on virtually any ISP scenario out of
the box with zero or minimal installation?

NAT itself doesn't create security, but it brings a standard use case that is
easy to secure.

~~~
api
NAT is for stretching IPv4. That's it.

As far as security goes, firewalls don't require it. Not only that, but I
share the admittedly minority opinion that firewalls are a crutch for bad
system security and that we should be working to fix that problem. A system
that requires a firewall to be secure is broken.

------
fluidcruft
I think that rationally it's likely even worse now (since 2009) in the sense
that these massive data breaches keep happening and it has absolutely nothing
to do with our own personal security behavior. It doesn't matter how careful
we are with our security, it's going into the hands of the baddies anyway if
they want it.

------
zyxley
As someone who uses 1Password for everything, the one thing that bothers me
most is when passwords are limited to specific characters or to painfully
short lengths. What the heck?

~~~
ekimekim
I always find it ironic when my randomly generated string doesn't meet their
"security" requirements.
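What a password manager does at the point IceSt0rm and zyxley are talking about is draw from a CSPRNG while honouring whatever character and length restrictions the site imposes, and those restrictions are exactly what cap the entropy. The block below is an added example (not LastPass or 1Password code) that generates a password meeting a "one of each class" rule within an allowed character set and maximum length, and reports the entropy bound the policy leaves; the class names, the policy shape and the alphanumeric-only sample site are assumptions for illustration.

```python
import math
import secrets
import string

# Added example (not LastPass/1Password code): generate a random password that
# satisfies a site's character-class and length restrictions, and report the
# entropy those restrictions leave. Class names and policy shape are assumptions.

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")
ALPHANUMERIC = string.ascii_letters + string.digits   # a hypothetical restrictive site


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Upper bound for a uniformly random string: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_password(length=12, required=ALL_CLASSES, allowed=None, max_length=None):
    """Return (password, entropy_bits) honouring `allowed` chars and `max_length`.

    One character is drawn from each required class (so the result passes
    "must contain" checks), the rest from the whole permitted alphabet, then the
    order is shuffled with the CSPRNG. Forcing classes costs a little entropy
    relative to the bound entropy_bits() reports, so treat that as a ceiling.
    """
    if max_length is not None:
        length = min(length, max_length)
    pools = []
    for name in required:
        pool = CLASSES[name] if allowed is None else "".join(c for c in CLASSES[name] if c in allowed)
        if pool:  # a class the site forbids entirely simply drops out
            pools.append(pool)
    alphabet = "".join(pools)
    if not alphabet or length < len(pools):
        raise ValueError("policy leaves no room for a password")
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(pools))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates using secrets.randbelow
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars), entropy_bits(len(alphabet), length)


def meets_policy(password: str, required=ALL_CLASSES, allowed=None) -> bool:
    """Check the 'must contain one of each permitted class' rule a site enforces."""
    if allowed is not None and any(c not in allowed for c in password):
        return False
    applicable = [name for name in required
                  if allowed is None or any(c in allowed for c in CLASSES[name])]
    return all(any(c in CLASSES[name] for c in password) for name in applicable)


if __name__ == "__main__":
    pw, bits = generate_password(12)
    print(f"full policy, 12 chars: {pw}  (~{bits:.1f} bits)")
    pw, bits = generate_password(12, allowed=ALPHANUMERIC, max_length=8)
    print(f"alphanumeric, max 8:   {pw}  (~{bits:.1f} bits)")
```

The numbers are the point: 12 characters over all 94 printable ASCII classes bound the entropy at about 79 bits, while a site that forbids symbols and caps length at 8 leaves about 48 bits, which is the difference between infeasible and an offline-cracking budget, and is why ekimekim's randomly generated strings bounce off such "security" requirements for no security gain.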

------
Nash921
That's a weird treatment of rationality.

If users reject security advice because they studied the costs and benefits,
and found it unprofitable given the risks, then that's rational.

But if users reject security advice because "oh God it's too hard and it's
probably not too bad anyway I have nothing to hide, right?", that's not
rational. That's ignoring the problem and coincidentally getting the right
answer.

It's like concluding users are rational for refraining from buying a lottery
ticket. It turns out, though, the users didn't actually do any math, and were
just too lazy to get up that morning.

------
istvan__
Instead of giving them advice, we who understand how it works should make
these things defaults and not leave them exposed. What can the users do in a
world where banks are asking you to read the CC details out loud in a phone
conversation and give them all the details over the phone? Next thing is that
there is a fake call from a criminal organization pretending to be the bank.
How would a user detect that it is fake? I think security should be about
rules and enforced practices rather than advice that they can happily ignore.

~~~
Anderkent
> Instead of giving them advice, we who understand how it works should make
> these things defaults and not leave them exposed.

This is missing the point. The article states the security advice is _actively
harmful_ , in that applying it is more costly than the expected returns
warrant. Just enforcing those costs on users doesn't help.

~~~
istvan__
Yes I was just pointing out that not only the advice giving part is bad but
also the practices that even banks follow today are harmful.

------
ccvannorman
As a user I go through several security hoops per day, and I'm damned tired of
it.. So many errors all the time..

 _stuffs money in mattress_

 _stuffs facebook profile in there too (printout)_

------
recursive
I see roughly 1 certificate error per week browsing the web "in the wild".
I've learned how to click through. I barely consciously notice them anymore.

------
jorgeleo
I think that part of the problem is that security is not explained in layman's
terms. There is a slang in security circles that is not shared with the
rest of the world.

Here is an example of how to explain SSL in simple terms. I have not seen many
of this kind of watered-down explanations:

http://relprog.com/blog/internet-ssl-certificates-explained-to-your-parents/

~~~
taeric
You should read the article. It isn't about rationally rejecting something
that is "too complicated." It is about the overall cost for some of these
security tips exceeding what is lost to the attacks they protect against.

~~~
jorgeleo
I did read both articles, Schneier's comments and the paper itself. Very
interesting analysis of user behavior.

The first paragraph of the conclusion begins with: "“Given a choice between
dancing pigs and security, users will pick dancing pigs every time.” While
amusing, this is unfair: users are never offered security, either on its own
or as an alternative to anything else."

Users do get offered security in many ways: red web pages warning of an insecure
redirect, open lock icons on the address bar, etc. But the dancing pigs will
be more amusing until the user understands the underlying concept of the
warnings. Security must begin with education. Kindergarten level education.

The last paragraph of the conclusion ends with: "How did we manage to get
things so wrong? In speaking of worst-case rather than average harm we have
enormously exaggerated the value of advice. In evaluating advice solely on
benefit we have implicitly valued user time and effort at zero."

My point is that part of the answer should be making things understandable.
Making things understandable to everybody will reduce the cost of dealing with
them.

~~~
ObviousScience
But his analysis applies even to highly technical users, for whom the problem
is clearly not understanding.

The reality is I had an argument about why we should be writing down passwords
at work, because the projected security benefit of preventing a full breach is
still less than the expected benefit of not losing our data all the time.

Could we have set up a better, more technical PKI than notes in the safe?
Probably. But I'm not sure it would get us ahead on the cost/benefit curve.

Real security is about separating your porn watching from your banking; not
about doing your porn watching to the security standards of your banking.

tl;dr: No, dancing pigs are always more amusing. No one wants to live in a
perfectly safe box.

~~~
jorgeleo
I think that we are two sides of the same apple. I completely agree with you.
I think that your argument is sound in terms of technology implementation.

My argument talks about motivation, not implementation.

------
Smushman
This article is from 2009. Most recent comment from 2010.

Possibly, it is meant as a reminder of something that we should all not
forget?

Would the submitter please take the time to clarify the reasoning for necroing
this article?

~~~
bargl
Even though this is the first time this article has been posted on HN,
security advice is so quickly outdated that this article very likely isn't
relevant today.

I don't know how prevalent some of the password management tools and two
factor authentication were in 2009, but it's common to use them now. Browsers
are more sophisticated and the landscape has changed a lot.

That all said the sentiment of the article still stands true. Users (like my
family) hate worrying about security.

~~~
Karunamon
I'm not sure the advice or the conclusions are at all outdated...

* Updates still suck, users still can't tell the difference between fake and real ones

* Passwords are still annoying

* 2FA exists, is better than 5 years ago, but most people don't use it because, and this is the article's point, it's still annoying

* Recognizing phishing URLs can still be hard to do, even for tech savvy people

* Cert errors are still false positives (in that there is no danger, not that there is a technical issue) more often than not

~~~
bargl
>* Updates still suck, users still can't tell the difference between fake and
real ones

Browsers now automatically update. There is the issue with adobe updates, but
automatic updates make this different. Yes they still suck on many
applications, but doesn't that affect the article?

>* Passwords are still annoying

LastPass, KeePass and other tools give users a _much_ more simplified way to
access our accounts. Also being able to link Google/Facebook to an account
does the same thing.

This article isn't 100% outdated, but it needs an update to address some of
the changes that are there.

What about HTTP vs HTTPS and signing in over Starbucks? Does your average user
know about that?

This is an issue of education and how to get the most bang for your buck, 2
factor authentication (easy), Password Management Software (easy), letting
google/facebook/etc authenticate your account (easy).

There are ways to make peoples lives easier AND more secure, I don't know if
these tools existed back then but I've been using LastPass for 2 years and
back then it was clunky to use. Now I personally find it easy as heck. I'm
more secure (then I was) and my life is easier. To that end this article needs
an update.

~~~
monknomo
If password management software was so easy, my mom would use it and my dad
wouldn't call tech support every week to figure out how to use his. I'll say
that it's better than it has been, but I can't call it easy.

