
‘Security Fatigue’ Can Cause Computer Users to Feel Hopeless and Act Recklessly - molecule
https://www.nist.gov/news-events/news/2016/10/security-fatigue-can-cause-computer-users-feel-hopeless-and-act-recklessly
======
shp0ngle
I don't have security fatigue, but I sure have 'privacy fatigue'.

I should worry about Google knowing this and that about me, I should worry
about the stupid retargeting and the fact that if I do something online, it
follows me through the web with banners and "youtube recommendations". And
that everything is saved and googlable and everyone can know everything about
me.

And I used to be worried, but now, I gave up. The assault of the security
sucking companies is too high - Facebook and Google have the best engineers and
everyone loves their open source code - and it's just way too convenient.

Sorry for unrelated ranting.

~~~
iamshs
A related Google story: in Canada, I used to have a rooted nexus device which
used to be my daily driver until I chose to switch over to Apple around 2
(maybe 3) or so years back. Before moving to Australia, I totally wiped it all
up, and yesterday fired it up and setup a fake email account on Gmail to
access Play store. It does not have a SIM card, but the fake email account
asked for my Phone Number verification, and had my Canadian number already
pre-filled. I was totally creeped out. I am out of explanation, except maybe
connecting to my Canadian Wi-Fi address after wiping it all up (But wifi was
used by 5 other people too). I have never used it to call anyone up after
wiping it, and haven't had SIM card in it since. It runs Cyanogen too. You
cannot deceive Google, it is futile. I will just stop at running ublock origin
and ghostery in my browser, until they deceive me too. Nowadays, you cannot
even create an email account on gmail or outlook without giving away your
phone number. The scale is not tilted towards us.

~~~
gnicholas
I recently downloaded the UberEats app on my iPhone. When I opened it for the
first time, it pre-filled the email address I use for Uber and asked if I
wanted to proceed with that. I don't know where they got this info from, but
it sure creeped me out.

I would hope Apple would make an app ask permission before grabbing my email
address from my contact card, and I have no idea how it could get this
information from the Uber app.

~~~
oarsinsync
I believe apps published by the same developer have the ability to share
information transparently.

Google is doing this with their apps - sign into the gmail app on your iphone,
and chrome, maps and youtube will ask you repeatedly to sign in using the same
creds.

...and looks like it's not limited to same dev. Niantic published apps are also
able to pull out my Google creds. Might be because I have a google account
defined in iOS, might be because they're a former-Goog company and Goog have
given them backdoor details.

Any devs on iOS able to shed any real light on my vague speculation?

~~~
runeb
Since iOS 8 apps can share data on device through so called App Groups if they
are published with the same bundle identifier prefix. For that to happen I
believe they have to be published by the same developer account.

Here is a link about this in the context of sharing data between apps and app
extensions:
[https://developer.apple.com/library/content/documentation/Ge...](https://developer.apple.com/library/content/documentation/General/Conceptual/ExtensibilityPG/ExtensionScenarios.html)

------
robbrown451
I think one of the worst things is the sites that think they are being "more
secure" by adding extra rules for passwords beyond the typical. If people want
to use the same password for everything -- or maybe better, use one password
for the really important stuff and another password for everything else -- you
really shouldn't try to fight against that by requiring at least one capital
letter and at least one number and at least one symbol (or whatever).

Another obnoxious thing is sites that, when you change your password, don't
let you use one you've used in the last X months.

In both these cases, what happens is that you defeat people's attempts to make
their passwords adhere to some system they can remember. And then they just
say "f*ck it" and do really easy to guess passwords.

~~~
buyx
First National Bank (FNB) in South Africa has adopted every one of these
absurd rules, and more:

Passwords must contain a mixture of upper and lower case letters as well as
one letter and one special character

Length between 7 and 33 characters

Not the same as the previous 12 passwords

The same character cannot be used consecutively

Avoid sequential letters and numbers (123 or abc). I think this used to be
enforced, not sure if it still is.

May not be the same as the name, userid or clientid. As I recall this is
enforced very aggressively, with innocent passwords being rejected because
they happen to have some matching substring.

[https://www.fnb.co.za/demos/reset-username-and-password-PC.html](https://www.fnb.co.za/demos/reset-username-and-password-PC.html)
(rules are on the 5th screen in their demo)

I've been using the same password for 3 years because changing passwords is so
brutal. Complaining is futile because of the bullshit cargo culting around
security.
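
Added example (not from the thread, and not FNB's code): a Python checker that encodes the rule list above as written, so you can see which passwords it rejects and which it waves through. Where the comment leaves a rule open the code says so: "one letter and one special character" is read as one digit plus one special character, and the name/userid/clientid rule is modelled as rejecting any shared 3-character run, which is one plausible reading of "very aggressively". The usernames and passwords used below are constructed.

```python
import string

# Added example: the FNB-style rule list from the comment above, encoded as
# written. Two details the comment leaves open are assumptions here:
#   - "one letter and one special character" is read as "one digit and one
#     special character" (letters are already required by the case rule);
#   - the userid/clientid check rejects any shared run of SUBSTRING_MIN
#     characters, one plausible reading of "enforced very aggressively".
SUBSTRING_MIN = 3
HISTORY_DEPTH = 12


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if pw contains `run` alphanumerics stepping by +1 in code point
    ("abc", "123", "XYZ")."""
    for i in range(len(pw) - run + 1):
        chunk = pw[i:i + run]
        if chunk.isalnum() and all(
            ord(chunk[j + 1]) - ord(chunk[j]) == 1 for j in range(run - 1)
        ):
            return True
    return False


def shares_substring(pw: str, ident: str, n: int = SUBSTRING_MIN) -> bool:
    """Case-insensitive: does any n-character window of ident occur in pw?"""
    pw_l, id_l = pw.lower(), ident.lower()
    return any(id_l[i:i + n] in pw_l for i in range(len(id_l) - n + 1))


def check_policy(pw: str, *, username: str = "", client_id: str = "",
                 history: tuple = ()) -> list:
    """Return the list of rules pw violates (empty list == accepted)."""
    violations = []
    if not (any(c.isupper() for c in pw) and any(c.islower() for c in pw)):
        violations.append("needs upper and lower case")
    if not any(c.isdigit() for c in pw):
        violations.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        violations.append("needs a special character")
    if not 7 <= len(pw) <= 33:
        violations.append("length must be 7..33")
    if pw in history[-HISTORY_DEPTH:]:
        violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    if any(a == b for a, b in zip(pw, pw[1:])):
        violations.append("same character used consecutively")
    if has_sequential_run(pw):
        violations.append("contains sequential letters or numbers")
    for ident in (username, client_id):
        if ident and shares_substring(pw, ident):
            violations.append(f"shares a substring with {ident!r}")
    return violations


if __name__ == "__main__":
    # Constructed inputs: a predictable password sails through, a long
    # random-word passphrase and an innocent password do not.
    for pw, kw in [
        ("Winter16!", {}),
        ("Velvet orbit canyon lemur quasar 9!", {"username": "jdoe"}),
        ("Tr0ub4dor&3", {"username": "dorothy"}),
    ]:
        print(f"{pw!r}: {check_policy(pw, **kw) or 'accepted'}")
```

Run it and the problem shows itself: `Winter16!` satisfies every rule, a 35-character passphrase of unrelated words fails only on length, and `Tr0ub4dor&3` is rejected for user `dorothy` because of the shared `dor`. The rules measure shape, not guessability.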

~~~
justinlardinois
> Length between 7 and 33 characters

I've never understood why sites limit password length. You're (hopefully)
hashing it anyways; the length of what the user enters has no bearing on what
you're storing in your database.

~~~
nickpsecurity
"I've never understood why sites limit password length. You're (hopefully)
hashing it anyways; the length of what the user enters has no bearing on what
you're storing in your database."

What if they upload a GB or TB binary as password? I've always wondered but
nobody told me if there's some inherent cut-off that would prevent such a DoS
attack.

~~~
justinlardinois
33 characters (and I often see less) is a far cry from a gigabyte. I think
it's clear I was talking about unreasonably low limits.

~~~
Freak_NL
Exactly, such anti-abuse limits would start at, say, 256 characters. The
number of banks and services that limit their passwords to 20 characters or
fewer is startling.

~~~
mrec
I've seen even worse than that - for low-importance passwords I normally
record them in a mail-to-self memo then paste them into the signup form. I
recently encountered one site that _silently_ truncated the pasted password.

~~~
justinlardinois
While silent truncation is of course bad because it limits the potential
entropy of a password, if implemented consistently it's _technically_ not any
worse than a limit that's presented to the user. But just wait until the new
hire doesn't know about it and implements a form without it, and then all of
a sudden users are entering the same "long" passwords they always have and
scratching their heads when it fails.

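Added example, not from any site in the thread: a Python hashing path with the anti-abuse limit set where Freak_NL puts it, far above any real passphrase (1024 bytes here is an assumption), plus a `legacy_truncating_hash` that models the silently truncating signup form, so the mismatch justinlardinois describes can be reproduced offline. Passwords and salts below are constructed.

```python
import hashlib
import hmac
import os
import unicodedata

# Added example, not from any site in the thread. Two limits are deliberately
# far apart: MAX_PASSWORD_BYTES is an anti-abuse cap (assumption: 1024 bytes
# is plenty for any passphrase), while LEGACY_LIMIT models the old form that
# silently truncated what the user typed.
MAX_PASSWORD_BYTES = 1024
LEGACY_LIMIT = 20
ITERATIONS = 100_000


class PasswordTooLong(ValueError):
    pass


def normalize(pw: str) -> bytes:
    """NFKC-normalise and UTF-8 encode; refuse oversized input before any
    KDF work is spent on it."""
    data = unicodedata.normalize("NFKC", pw).encode("utf-8")
    if len(data) > MAX_PASSWORD_BYTES:
        raise PasswordTooLong(f"{len(data)} bytes > {MAX_PASSWORD_BYTES}")
    return data


def hash_password(pw: str, salt: bytes = None) -> str:
    """PBKDF2-HMAC-SHA256 with a random 16-byte salt, self-describing format."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", normalize(pw), salt, ITERATIONS)
    return f"pbkdf2-sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    """Recompute with the stored salt/iterations; constant-time compare."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2-sha256":
        raise ValueError(f"unknown hash format {algo!r}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", normalize(pw), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def legacy_truncating_hash(pw: str, salt: bytes = None) -> str:
    """The old signup form: cuts the password to LEGACY_LIMIT characters
    without telling the user, then hashes. Hashes from this path only match
    if the login form truncates exactly the same way."""
    return hash_password(pw[:LEGACY_LIMIT], salt=salt)


def accepts_length(pw: str) -> bool:
    """True if the anti-abuse cap lets pw through to the KDF."""
    try:
        normalize(pw)
        return True
    except PasswordTooLong:
        return False


if __name__ == "__main__":
    long_pw = "velvet orbit canyon lemur quasar 9!"   # 35 chars, constructed
    stored_by_legacy_form = legacy_truncating_hash(long_pw)
    print("new form, full password :", verify_password(long_pw, stored_by_legacy_form))
    print("new form, first 20 chars:", verify_password(long_pw[:LEGACY_LIMIT], stored_by_legacy_form))
    print("2 KB password accepted  :", accepts_length("a" * 2048))
```

Hashes written by the truncating form verify only against the first 20 characters; a later, non-truncating login form rejects the full password the user actually typed. Two caveats worth knowing: with PBKDF2/HMAC a long password costs one extra hash at key setup, not one per iteration, so a cap in the hundreds of bytes closes the upload-a-gigabyte case without hurting anyone; and bcrypt truncates at 72 bytes inside the algorithm itself, so a bcrypt-backed site that advertises no limit is silently truncating whether or not it knows it.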
------
colordrops
"Security Fatigue", or just plain old drowning? I'm a software engineer and I
feel like it's impossible to completely secure my hardware. It's a full time
professional job to secure a computer, and at some point you just give up and
do the best you can, knowing there are probably several holes in your security
you aren't even aware of.

~~~
leereeves
Countless computers secured by full time professionals have been hacked.

The safest course is to assume that if it's connected to the Internet, it's
not secure.

~~~
ythl
> Countless computers secured by full time professionals have been hacked.

And yet, the black hats who breach such systems often have an attitude like
"Wow, such a reputable organization has such sorry security. They deserve what
I did to them".

Computer security is a black hole that will consume ever increasing amounts of
money, memory, and cpu cycles, forever. What a waste.

~~~
anf
> Computer security is a black hole that will consume ever increasing amounts
> of money, memory, and cpu cycles, forever. What a waste.

That is defeatist and false. Computer security done intelligently can raise
the cost of an attack above the value of what is being protected.

~~~
Spooky23
No way. Computer security is like a tax whose returns diminish rapidly.

Once you start prioritizing it with money on security vs product/system
engineering, security starts turning into a money monster that delivers
nothing. I've seen it happen time and time again.

The asymmetric nature of raising the cost for an attacker is a red herring.
You can pat yourself on the back that you've supposedly made it 100x more
expensive to attack you, but one operational fuckup pops that fantasy bubble
at any time.

~~~
dom0
I have to agree here. Security in itself is highly asymmetrical, because _any
single flaw_ can prove fatal, even with the latest and greatest defense-in-
depth techniques.

Not to forget the many, many instances where security systems actively harmed
/ enabled attacks.

------
patmcguire
Yeah, I definitely reuse passwords for things, and not always strong ones. I
do have a certain nihilistic resignation about the whole thing: sure, I can
turn on two factor auth with a different automatically generated GUID password
I keep in a password manager, but anyone can open up a line of credit anywhere
in the country under my name if they know one 9 digit number that isn't really
secret and can never be changed.

What's the point?

~~~
raesene9
For me the point lies in avoiding the hassle of getting a notification from
haveibeenpwned.com that one of my accounts has been compromised and having to
worry where else I used that username/password combo.

That's why I use a password safe so that when that happens (at least 4 times
to date), I can just shrug my shoulders and move on, resetting just that one
password if I still use the site.

------
tetrep
It's unfortunate that "good UX" isn't really considered across _all_ fields
which have users. The recommendations to mitigate security fatigue are no
different than any sort of user frustration:

1\. Limit the number of ~~security~~ decisions users need to make;

2\. Make it simple for users to choose the right ~~security~~ action; and

3\. Design for consistent decision making whenever possible.

~~~
ethbro
#2 is part of the problem. Users typically aren't informed enough to know the
right action. I think that's one of the reasons we are in the current mess
we're in.

Attempting to explain the situation in plain, simple language is a better
approach in my opinion.

~~~
magila
I'm not sure you could come up with language plain or simple enough, if for no
other reason than because most people will not read it regardless.

------
GigabyteCoin
>Security fatigue is defined in the study as a weariness or reluctance to deal
with computer security.

Can that even be defined if it completely overlaps the umbrella of "people who
use computers but are not IT professionals".

One of my friend's passwords for everything is expl0r3r and has been for years
because his family drove a ford explorer when he was younger.

Another buddy's password for everything is "Duncan" ... because his dog is
named duncan.

Pretty much everybody else I know has their password literally stickied to the
side of their monitor or sitting on their desk somewhere.

Can "Security Fatigue" really be a thing if the entire world is subject to it?

~~~
anf
It happens to IT professionals, as well. "Shit, I just gotta get this done,
let's do it like this and re-evaluate later". Look at the $10k bounties on
hackerone.com -- many bugs are clearly from people who are not operating at
their best.

------
Area12
From an old IT guy, none of this is new ... Scott Adams (of Dilbert) noted it
in 1998:
[http://dilbert.com/strip/1998-04-06](http://dilbert.com/strip/1998-04-06)

That was 18 years ago.

Particularly raw for Dilbert: "Squeal like a pig" is from the 1972 movie
"Deliverance" and refers to an assault that was one of the most disturbing US
mainstream movie scenes of the 1970s.

The only real improvement in all that time that I can think of: password
managers. I almost said Single Sign On, but that comes with its own security
issues.

~~~
nutjob123
Two factor authentication is a major improvement. Combined with a password
manager is a pretty good combination.

~~~
tajen
> Combined with a password manager is a pretty good combination.

So 2FA combines something you have (your phone) with something your phone
knows.

~~~
rahkiin
Exactly! And I use 1Password so I also have the tokens on my computer,
together with my passwords. Replay attacks get harder though.

~~~
justinlardinois
I think his point was that if your password is stored on your phone, two
factor authentication doesn't actually add any security because it's no longer
two factor.
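
Added example, not from the thread or from any password manager: RFC 4226 HOTP and RFC 6238 TOTP in stdlib Python, to make the point above concrete. The code is a pure function of the shared secret and the clock, so a vault that stores the secret next to the password produces the same six digits as the phone. The secret used is the RFC test vector, treated here as a constructed input.

```python
import base64
import hmac
import struct
import time

# Added example, not from the thread or from 1Password: RFC 4226 HOTP and
# RFC 6238 TOTP. Whoever holds `secret` (the phone, the password-manager
# vault, or both) can compute identical codes for the same instant.


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """HOTP(K, C): HMAC over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6,
         algo: str = "sha1") -> str:
    """TOTP = HOTP with the counter set to floor(unix_time / step)."""
    return hotp(secret, at // step, digits, algo)


def decode_base32_secret(b32: str) -> bytes:
    """Authenticator apps and managers show the shared secret as unpadded
    base32, often lower-case and grouped with spaces; accept all of that."""
    b32 = b32.strip().replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def verify_totp(secret: bytes, code: str, at: int, step: int = 30,
                window: int = 1, digits: int = 6, algo: str = "sha1") -> bool:
    """Accept codes from `window` steps either side of `at` (clock drift);
    constant-time comparison so timing does not leak digits."""
    return any(
        hmac.compare_digest(totp(secret, at + d * step, step, digits, algo), code)
        for d in range(-window, window + 1)
    )


if __name__ == "__main__":
    # RFC 6238 test secret, standing in for the "vault" copy of what the
    # phone holds; both sides produce the same code for the same time.
    secret = b"12345678901234567890"
    now = int(time.time())
    print("phone :", totp(secret, now))
    print("vault :", totp(secret, now))
    print("RFC 6238 t=59, 8 digits:", totp(secret, 59, digits=8))  # 94287082
```

The window in `verify_totp` is why a code stays valid for about 90 seconds rather than 30: servers accept one step of clock drift either side. The base32 helper matches what an authenticator app or a manager stores when you scan the enrolment QR code, which is exactly the value that ends up next to the password in a vault.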

------
raesene9
I'm not really surprised to see this at all. The problem of non-technical users
being asked to operate systems in what is a very hostile environment (The
Internet) has been evident for a while.

My prediction is that this will lead to even more of a rise of walled garden
style ecosystems, where this problem is at least partially managed for the
user by the owner of the ecosystem.

So for example if I use iOS apps for everything I can let them handle
authentication for me and use my fingerprint, which is a much much nicer user
experience than remembering a load of passwords.

Of course that's not great for the open web, but this very much feels like a
tragedy of the commons to me, everyone knows better security is needed, but
no-one wants to be the body leading the charge as it's a really hard problem
to solve.

~~~
PhantomGremlin
_So for example if I use iOS apps for everything I can let them handle
authentication for me and use my fingerprint, which is a much much nicer user
experience than remembering a load of passwords._

I'm two-thirds of the way through the comments here, and you are the first to
mention this. And yet, as you say, it's a "much much" nicer experience. I've
started allowing iOS apps to identify me by fingerprint, and it's a lot more
pleasant to do that than to type in some crazy long password.

~~~
_Understated_
But the problem with using your fingerprint as your "password" in this case is
that if your fingerprint becomes compromised you are royally fucked: You can't
ever change it! Fingerprints should be usernames, not passwords.

------
ocdtrekkie
One of the worst ones is those malicious "your computer has been infected"
ads, that web browsers allow to disable the close-tab button with message box
windows and such. Users get frustrated, and give up and call the phone number,
pay the $250, etc.

It's very hard for me to convince people that:

A. More than likely anything you do before you call me, is going to make it
worse.

B. You can always just shut off your PC.

~~~
sp332
I've never seen a webpage disable the "close tab" button. Are you sure your
computer isn't already infected?

~~~
ocdtrekkie
Have you ever gotten a popup message box in a web browser before? Pretty much
all web browsers support them, and you can't click on any browser UI until you
address the prompt.

~~~
david-given
...and then the web page can pop up another alert before you have time to do
anything else.

    
    
        for (;;) alert("spam!");
    

Chrome will, at least, give you an option to disable the alerts if it thinks
you're getting them too often, but by that point you're well into scary
territory.

Footnote: just tried it in Chrome, and after disabling popups I got a tab
which was spinning using 100% CPU and which was completely uninteractive. I
couldn't even close it using the x on the tab and I had to kill it via the
Chrome task manager. Hmmm...

~~~
clarry
There was a time when using vimperator with firefox you'd always be able to
focus the command prompt and enter a command like :q to close the tab, even if
there's an active alert popup on the screen.

It's hilarious to me that this thing is _still_ a problem when it's
technically trivial to solve.

Actually I don't know if the feature was due to vimperator, firefox, or just
my window manager.

------
mtgx
This seems to be mostly about "having to remember too many passwords":

> _“Years ago, you had one password to keep up with at work,” she said. “Now
> people are being asked to remember 25 or 30. We haven’t really thought about
> cybersecurity expanding and what it has done to people.”_

So why not switch to using password managers and hardware tokens then?

~~~
clarry
Password managers are just another tradeoff of insecure vs inconvenient.

All credentials under one master password? Single point of failure. You could
use more passwords, but we are heading back to square one then.

Next you have to decide where to make your passwords accessible for yourself.
Do you also want them on the phone? Because if you don't, it can get kinda
inconvenient. On the other hand, I'm quite positive my phone has more
exploitable security issues than my laptop. Same for all other devices you
might use. What about devices that are shared by other people? You lock
yourself out of the things for which you've opted to use the password manager,
or you expose it to the security issues on the said devices.

I'd rather just have less stupid passwords to begin with. Why do most stores
require an account for me to place an order? Not for my security. Forums,
boards, other places.. anonymous posting without accounts works just fine, and
there are ways to create a persistent identity for those who want it, without
requiring it from everybody. Yet most "social" sites require accounts. Mostly
not for my security.

~~~
EvilTerran
_I'd rather just have less stupid passwords to begin with. Why do most stores
require an account for me to place an order? Not for my security. [...] most
"social" sites require accounts. Mostly not for my security._

True, that. It seems many sites insist on user accounts more for their benefit
than yours - they want your email address so they can nag you towards their
"funnels" for further profit opportunities, along with whatever personal
and/or demographic information they can scrounge for their analytics, etc.
They require you to make an account, not for your security, but merely as a
premise to part you with your juicy monetisable data.

~~~
user_bin_nice
Create different personas for each site. This includes different
usernames/emails. A password manager helps to manage this type of
compartmentalization.

------
dkfmn
For the love of all that's holy, my local pizza shop does NOT need a secure
password. They don't even store my credit card. I honestly do not care if
someone logs in and sees my favorite order.

------
tpeo
The phrase "security fatigue" makes me raise an eyebrow. Are these guys
implying I _should_ keep track of twenty or thirty passwords, but I just can't
keep up?

Frankly, if it's not something I use everyday and care about, I can't be
bothered to put a strong password in it.

------
ben_jones
Have end users felt major repercussions from any of the large hacks that have
happened in the last five years? I feel like it actually induces _positive_
feedback, at least from some consumer companies. For example sony got hacked
and users got (2?) free games. The government got hacked and users got free
credit monitoring. I understand such hacks fuel credit card fraud and identity
theft, but at least in my small non-tech circle this has been a nonfactor.

------
zerognowl
Qubes + Whonix + Store-bought Thinkpad with the motherboard/circuitry xrayed
and diffed with other 'clean' / non-tampered Thinkpads = Win

Bonus points for:

\- Basic internet hygiene. Clear that history!

\- Compartmentalization. Don't put all your eggs in one basket!

\- Low footprint. Don't stand out in the crowd!

\- Avoid prismware like Windows at all costs!

\- Blanket encrypt _everything_ no matter how non controversial it is!

\- Throw out your smartphone! Buy all the old Nokias!

\- Don't order laptops from Amazon!

~~~
qntty
can't tell if this is satire or not

~~~
zerognowl
I told my friend they should use a secure setup like this, and I was laughed
at. It might sound like satire, but those are baseline procedures for working
with the web now. As soon as you connect a computer to the Public Internet it
instantly becomes a target, and needs to be hardened as such.

------
abalone
This is why Touch ID & iCloud Keychain are such important advancements. It's
not enough to make it possible to securely manage passwords. You also have to
make it easy.

------
awongh
Is it possible that a startup could come into this space and solve some of
this problem?

Something between _all your passwords are belong to us_ walled garden touch id
scheme and tin foil hat must memorize new 20 char randomized password every 10
months setup....

It seems that answers to this problem fall into one extreme or the other, but
I would personally use a solution somewhere between the two that gave me peace
of mind and was convenient at the same time.

This would probably be a password manager type thing / cloud solution? Maybe
open source?

Some things I'd like to see:

\- secure passwords where appropriate: do I need my pinterest account to be
_super secure_?

\- 2 factor auth where appropriate: protect my bank accounts, etc.

\- tell me when there's been a breach and prompt me to change my password -
who can keep track of all the times I need to change my password?

\- let me have a rememberable password sometimes - sometimes I need to log
into something not on my personal phone / computer etc.

\- don't let the nsa spy on me / my cloud account / make it harder than normal

\- maybe integrate with keyfobs / security hardware where appropriate

that's some stuff off the top of my head but there are so many little catches
in dealing with passwords that I would be happy to pay for a product that
helped me manage it in the right way.

I wonder if there are others out there that fall into this same middle ground
of, secure, private, good-enough?

~~~
TheDrizzle43
There's already a few popular services that do password management i.e.
LastPass & 1password. Unless you are describing something different?

------
raarts
1password almost completely solved this problem for me. Something like it
should become part of the OS. Although I wish the agilebits people all the
best...

~~~
filoeleven
Apple's iCloud Keychain has this built-in. Of course, it only works in Safari,
and you have to use iCloud...

~~~
kalleboo
On the Mac, third-party apps also have access to the Keychain (not just
Safari). On iOS, each developer only has their own keychain.

------
0xcde4c3db
The silly password rules aren't great, but on the whole I think of the issue
more as "account fatigue" (which is sort of mentioned in the opening paragraph
and then largely ignored). At work alone, I have:

1) A Windows domain account

2) A GitHub account

3/4) Accounts for two separate project management web apps

5) An account for our own web app

6) An account for the payroll web app

7) An account for the HR performance appraisal web app

8) An account to register for on-site flu shots

9) An account on a project development VM

10) An account for the outsourced IT security training

And probably a few more that I forgot because I'm not in front of my password
manager right now.

It also doesn't help that we have a narrative around "identity theft" that
puts virtually all of the burden of a leak on the account holder, even in
cases where it was unequivocally the company's security that failed.

------
sumitgt
Looks like most of the problems these users have can easily be solved by using
something like Lastpass.

I personally feel like people who are tech-savvy should encourage and teach
everyone else to use password managers.

~~~
Gruselbauer
LastPass + 2FA here. I remember _one_ diceware-style master password, the
device creating the 2FA tokens has never even entered it, much less the app
for LP. 16-100 character randomised alphanumeric+special passwords for every
account, no need to remember a single one. Their browser extension is really
good, too.

Oh and the passphrases for my PGP and SSH keys. Also stored in my LP vault.

Can I be bothered to care more than that? Nope.

------
sslmann2199
Past

------
jungletek
It's not security fatigue, it's just old-fashioned laziness combined with
ignorance, compounded by the "on-a-computer" rationale that makes 'normal'
people turn their brain off because they treat this box like it's black magic
rather than trying to understand it.

That they 'have' to use this box for work or recreation, rather than having a
curiosity that fuels learning and exploration and therefore better
understanding, leads to them feeling like they're at the mercy of the machine,
rather than the master of it.

~~~
mordechai9000
I am mystified that people have so much trouble grasping basic computer
concepts. But from the users' perspective, technologists have foisted a system
on them that seems to be poorly made and requires a high level of expertise to
use safely. Blaming the user when they are victimized by someone taking
advantage of a shoddy system is, well, victim blaming.

~~~
blacksmith_tb
It's analogous to people understanding how their cars work. Many people are
capable drivers but have no idea at all about what goes on in the engine,
transmission, etc. Would understanding those improve their driving?
Potentially (especially in cases where they fail), but clearly it isn't a
requirement. But like you say, the bar seems to be higher for computing.

~~~
mordechai9000
I was tempted to use a car analogy, but I resisted. It seems apt to me. I
"have" to drive a car for work and recreation. I know a little bit about it,
but I am not an expert, and I don't want to be. I have too many demands on my
time already. I'm happy to pay the manufacturer and the mechanics to be the
experts.

~~~
serge2k
and if your computer is broken that makes sense.

But you still probably know how to drive, pump gas, and do basic things like
change a tire. You have controls that you understand for things like the radio
or cruise control, and you will check the manual if you want to set the clock.

On computers people just say fuck it.

