Are Usability & Security Opposites in Computing?

krozinov writes "Instinct tells us that computer security and computer usability are inversely proportional to each other. In other words, the tougher and stricter the security is, the less usability there is, and vice versa. However, there have been plenty of cases where both computer security and computer usability went hand in hand with each other and actually improved together. In the last few years security has been the biggest buzzword in computer systems and as such has become part of our computer systems. Before that, computer systems were all about getting it done faster and easier, but now they must also do it securely. Can the two continue growing together? This paper argues that it can, as evident by the most recent Indian Assembly Election."

My Soapbox

[rednip]

My best example of where 'increased security' actually defeats it's purpose is rapid password expiration. I've seen password policies which force a user to change their password every thirty days The problem is that most users have trouble remembering passwords. This 'forces' users to do two things,

1. create a series of passwords, which may be as simple as adding a number to the end.
2. or, write down passwords

System Admins and Managers can force unique passwords, keep a long password history, and check desks, but then the burdon falls more heavly on their help desk system.

No matter what the password policy eventually users will need to have a password reset, each time is a cost on the tech support system. Proper security whould have a security officer phyically identify each user before reset but that would be costly, so they instead ask a couple of profile questions. Which open up social engineering issues. So generally, the harder your password policies are, then the easier your reset policies need to be, (unless cost really isn't an issue).

Re:My Soapbox

I find that sites with single-sign ons have much less of a problem with users forgetting passwords, even when they must change them frequently.

Its when we force them to remember several user/passes that they get into trouble. Especially if the systems all have different password policies and/or naming conventions.

If only there were a true, inexpensive, and easy to setup/maintain single sign-on solution.

Re:My Soapbox

[XMyth]

to clarify: not "cleartext" but rather in encrypted OR cleartext. Neither is good. A password hash is best.

Re:My Soapbox

[Meostro]

So you claim that you read Applied Cryptography, and yet you use a proprietary/secret method, not obviously subjected to peer review, to generate your "secure" passwords?

You, sir, are probably an idiot.

Your idea is interesting and overall it sounds sensible, but unless others poke and prod at the exact details, you'll never know if your passwords really are secure or not.

Re:My Soapbox

[SanGrail]

Sounds interesting...
I Am Not A Crytography expert, so I was just wondering if you could explain further why *excluding* punctuation and numbers was harder to crack?
If you didn't know *which* characters were letters, numbers, or punctuation, wouldn't that mean instead of just trying 26^10 combinations, you'd be doing (26+10+punctuation?)^10?

On the other hand, I do definately agree that having more memorable passwords (usually pronounceable), definately pays off, as while there's a higher probability of vowels or 'l33t' vowel-numbers, I figure that people not constantly forgetting them pays off security-wise.

Re:No.

[A+beautiful+mind]

Imo, usability is part of security, since both come from the same "trunk": design. You could never design a good, not bloated, usable application without good design, which includes planning good on security aswell...

Re:No.

[sporty]

Of course you can. Security only means you are who you are and you can do what you can do. Simplest secure app I can think of actually, is ssh. Back it up with something that checks the difficulty of passwords, and you have something that allows access to a foreign system easily. The ease of use of the rest of the system on the other side is totally seperated from the security.

Not sure this article has a good starting premise.

[Singletoned]

"Instinct tells us that computer security and computer usability are inversely proportional to each other."

I don't think this is particularly true. In all walks of life, if something is more usuable, then it tends to be more secure, if only because if it is easier to lock something then people are more likely to lock it.

If it is easy to use the security features on a computer, people will. A lot of home routers tend to be left in an insecure state simple because securing them is too complicated and it is the type of task that can only be done if you already know how to do it.

I would be willing to bet that if you did a survey of the broadband routers installed by 'normal' home users, the ones with the highest usability of the firmware, would also tend to be the ones that have been scured the most.

people don't understand a little complexity

[xutopia]

People idea of usability is usually that programs work the way they are meant without asking for too much help to do their job. For example a usability feature of Internet Explorer was to automatically execute .doc file viewers when you downloaded them. The action of executing automatically is wonderful and for many is seen as a great usability enhancement. But what happens when the .doc file can be programmed to do all kinds of problems on your computer? What if that automatically executed script within causes havoc with other seemingly non-related things? Then what is the overall usability benefit there? Negative if you ask many people.

The hassle of viruses, worms and other crap which appear on people's machine causes many usability problems in my book. The more maintenance you need to do on a machine the less usable it is. A windows machine needs plenty of work to keep up with updates, spyware, adwares and viruses. On the other hand the OS which doesn't execute things automatically when you visit a web site doesn't require as much maintenance.

I always use the analogy of cars. Cars have locks on their doors, then you have to use your key to turn the motor on. Now imagine cars without locks on their doors. One less hassle in the way of doing what you want right? How about no keys to turn on the car. It automatically turns on when you put your seat belt on. Wow! What an amazing car!! Guess what though? That type of car wouldn't stay in the driveway for very long. Well a Windows computer is that type of usable car that doesn't stay in your driveway for very long. Linux might ask you to put a key in the door and turn the engine on with that same key but at least it's still in the driveway when you need it.

Usability? How about accessibility?

[digitect]

Architecturally, it is generally accepted that the security of a building is opposed to it's accessibility. Take for example a grocery store. The ease with which customers can get in and out is directly related to how easy it is for the place to be robbed. Movie theater design is similar.

However, usability overcomes some of these problems by making entrances obvious, door opening automatic, lighting bright, etc. I believe a comnputer interface should be the same. Just because I have to remember a password, doesn't mean that entering it need be. Perhaps many passwords presents a different problem, but one of the supposed ideals behind biometric data is that it can be greatly complex and yet still readily available. But does that mean it's less secure?

Hmm

Usability, security and cheapness. You can have any two

What a silly question.

[grub]

Can the two continue growing together?

I've used OpenBSD on my desktop for ages. Pick a nice WM and you're set.

Security does not preclude usability.

No.

[zerguy]

You're computer isn't very usable if it gets polluted by viruses :)

Seriously though, there is an inconvenience, but that's all. I have to configure my router to let BitTorrent through, but the fact that I have to do this gives me an immense boost to my computer's security, by virtue of the fact that nothing is sent to my comp's ports unless I tell the router to let it through.

Re:Not sure this article has a good starting premi

[NeoSkandranon]

I agree with you about the broadband firmware, but you would probably also find that the most "secure" routers are also the ones behind which it is the gretest hassle to play games, use p2p apps and various other direct-connect items, therefore its usablity to the average user is less.

No, I call that bad intuition.

[dnoyeb]

Useability is what happens after security is cleared. Securitys whole point is to give useability to those that are authorized to have it. If security is interfering with useability, then you will find that even people with authorization will start looking for ways to subvert it. Thus, any security that interfers with useability is bad security.

Its kind of like welding car doors shut and calling it more secure. It is until people start entering through the windows on a daily basis.

Just look at CD copy security measures that get cracked in minutes because they interfere with useability.

Re:No, I call that bad intuition.

[eno2001]

The usability problem occurs during authorization. People don't like to remember complex passwords, so they pick something easy to remember (and figure out) or they write it down on a picec of paper. Or if you use a token authentication system like RSA tokens (with the random number for logging in) then you have added a level of complexity that most users are confounded by. We get calls where I work on a frequent basis because the users can't deal with the tokens. With SSH and static keys, you have the option of using a passphrase. But many people opt for a blank passphrase so there is nothing to type. Here is the ideal:

1. You touch a computer, it knows who you are by some mystical means and grants you access.
2. You don't need to remember anything. No passwords, no voice print, no finger print, no retinal scan, nothing. It just knows who you are.
3. Once it's determined who you are, then it knows what you are allowed to do.

What is needed is an authentication mechanism that works in the same way that we "authenticate" our friends and family to interact with us. If you see your wife, husband, girlfriend, boyfriend or child, you have a predfined "access list" that allows them access to your resources. The authentication is that you know your relationship to them. A girlfriend or boyfriend may allow sexual contact with their partner that they wouldn't allow to their child or parent. Pretty basic, but that's what most people (deep down) want from their machines. (No. Not the sex you idiot, the access to a resource) Until machines can actually recognize us (which probably won't happen until they know themselves), I think we're going to have this usability/security problem.

Re:No.

[Nosf3ratu]

Firefox is more inheritly secure than IE. Firefox is easier to use than IE. Tabs are easier to manage than multiple windows. Not having a "SHOOT THE MONKEY LOL" flash ad pop up when I'm trying to read the news -- or highly sexual suggestive ad for "HOT GIRLS ON UR DESKTOP", for that matter, makes using the internet easier. Letting me know that a popup has been blocked is nice. Being able to just hit F3 to "Find next" intead of keeping a floating Find dialogue GUI covering up the text I'm actually looking for makes it easier to use. Things can be secure and easy to use, it's just not the case usually, in the case of closed source software. Companies that care about maximizing profits from their code don't benefit from tightened security. Deadlines must be met. Customers' mouths must be fed.

Re:Not sure this article has a good starting premi

[nine-times]

I think what we really perceive is that "security" and "ignorant/inattentive accessibility" are inversely proportional. Meaning, how secure your computer is is inversely proportional to how easily you can access it without having any idea of what you're doing. If things are secure, you need to know how to operate things, and have passwords memorized, and you generall need to pay attention to what you're doing. Plus, in general, inaccessable means more secure (all else being equal). But once you have access, I don't see any reason why a secure system can't be useable.

Perhaps you could word it more meaningfully as "security vs. freedom". Those two generally have to battle it out, and not just when it comes to computers. For a computer example, if you secure a machine from user tampering, the users won't be able to change everything they want. If you don't allow users to delete files, then they might not always be able to delete the files they want. However, this need not affect usability when it comes to useful tasks.

Speaking of freedom and security, someone wanna lay out the Franklin quote? (I bet it shows up in this post before the day is done).

Security & Usability Opposites?

[demon_2k]

Security & usability opposites? No, an application can be secure and just as usefull.

Security & ease of use on the otherhand. Security is an inconvinience when it comes to ease of use.

Look at automatic login (In Windows XP or Linux) for example. Convinient? Yes. Easy? Reasonable easy to setup. Secure? Unless the console is in a bunker bunker with you and no one else. Not really.

You're mis-quoting me. I called it...

[Zarf]

I called it the Security to Convenience scale. Where 10 is perfectly secure and 1 is perfectly easy to use. However, in this notion security features can be seen as usability bugs.

I've already discussed this humorously here. The point being that if you really want to you can see things like BSODs as security features. Difficulty in configuration can be seen as a usability feature because it prevents security.

If you squint hard enough all bugs are features and all features are bugs. This view point is utterly useless in the real world, however, strangely orthogonal it may be. It still bears thought for the system designer to consider that his perfectly secure system may render the system so close to useless as to make it practically so... and thus cost him his job either directly or indirectly.

Well, here's an experiment you can do at home...

[Weaselmancer]

Are Usability & Security Opposites in Computing?

I propose the following experiment. Yes, yes I know there are service packs and patches available, that's why I'm calling this an experiment.

Take a Windows XP CD and load it onto a system you're not using for anything important at the moment. Do not connect it to a network in any way, shape, or form. Load the PC up with applications. Roughly judge load times, mouse and keyboard times...mess around with it a while and see how responsive it is. Not too bad, right? Fairly useable.

Now, plug your netcard directly into your net. No firewall. I suggest plugging the box directly into a cablemodem. Wait 24 hours.

Notice any difference? This is exactly why Usability and Security are NOT opposites. Any box that's running 99% cpu with malware and viruses is damn near unusable.

Security vs convenience

[jacksonps4]

There is often a trade-off between security and convenience rather than usability. It is necessary to strike the right balance between the two. There is little point in adding layer upon layer of security for something which is not worth protecting. Equally, a little inconvenience can be justified for the protection of something valuable.

Security, Ease of Use, Ease of Design -- choose 2

[stevelinton]

There are brilliant designs that are both simple to use and secure (and usually simple to build into the bargain). The problem is that there are not so many
brilliant designers out there. Coming up with these designs often involves novel functional decompositions, new UI metaphors, unusually structures interfaces or something else that is hard to get to by "normal" design processes.

Usability and security are opposing forces, iff

[Jerf]

Usability and security are opposing forces, if and only if the program has optimal usability and security. To make such a program more usable, by definition it requires removing a feature, or compromising security to make it easier. To make such a program more secure, it requires either removing a feature or adversely affecting usability by adding another hoop to jump through.

Note they aren't strictly speaking opposing forces, since "remove features" can both enhance security and usability. It's just that if your program is already optimal and you need to push it harder, something else has to give.

You don't have to be a cynic to observe few programs are optimal, and therefore most software engineers don't have to think in this way. Thus, as a practical matter in the current environment, no, they are not opposed. But they should be.

(As a PS, I'd define security as "Ensuring the computer does what the owner wants, no more, and no less, with the computer owner having all relevant information about and control over what the computer does." But that definition has yet another idealogical focus, no?)

The two opposies

[erroneus]

The two opposites are "Complexity vs. Security." Those two exist as opposites only through casual analysis and not as a hard rule. The root of the problem being bad programming. (No finger-pointing needed... the culprit might be a lazy programmer or a demanding boss who cares more about the deadline than quality tested code.)

The fact seems to be that the more complex something becomes, the easier it is to break. So in reality, we should expect to see security improvements with decreased complexity in the U.I. As for other methods of hacking software (such as non-UI doors like APIs and network related exploits) the same rules might apply where keeping the complexity to a minimum might easily lead into less opportunity for exploits and thereby improving security.

Frankly, from where I sit (a non-developer with a basic understanding of programing concepts) I think security issues arrise from really bad programming habits and it's a damned shame that it's just not taught in school... for example, getting graded on your code by avoiding exploitable coding practices and such. As it is, security-minded coding is something that is gained through experience...usually a bad experience.

Simplicity

[uid100]

I've said before and I'll say it again.

"Simplicity is the key to security and usability"

Problems arise in both area's when you try cramming in features at the last minute. Scope/Feature creep are what makes systems (almost anything) indecure/unreliable and ultimatly unusable.

secure != pain in the ass

[myowntrueself]

Something I read somewhere;

'Some people are of the mistaken impression that being secure is synonymous with being a big pain in the ass'

Its so true...

Good example: SSH vs. Telnet

[gweihir]

With SSH I can have secure remote login without password. In addition I get nice things like port-forwarding and compressed connections.

With Telnet I had less functionality, little security and had to either use my password each time or have even less security (rhosts).

usefull things with one button

[ajrs]

...Most people forget that computers should only have one button.

I tried to think of all of the usefull things that I own with one and only one button: flashlight, some of the electrical circuits in my house, electric toothbrush, signal booster for headphones, Taboo buzzer. It's a pretty short list.

If your computer can figure out exactly what I want to do with only 1 button, you should do it without me having to press it.

Security is a feature.

[matman]

Security is about mitigating risks. Users can not be asked to mitigate risks that they don't understand or believe in. Users must either a) choose to mitigate the risks or b) be forced to mitigate the risks.

If a user places them self at risk they should have the option to have that risk mitigated. If mitigating the risk causes the user no pain (no extra user action) then automatically mitigating the risk is fine; otherwise, risk mitigation should be opt-in/out-able.

If a system exposes some other entity which has control of the system to risk, that entity may require that if the system is used, the risks to that entity be mitigated. Thus users will be forced to accept the security measures. While some users will try to work around the measures, the measures are required. The measures should be made as easy as possible to accept, though education, reduction of overhead to the user, etc.

This applies to all kinds of security, including law. Drug laws are a good example. "Society" feels at risk from drugs, imposes security measures against drugs, and some "users of society" work around those measures to do drugs anyway. Society tries to make the laws easier to obey through education (propaganda?), by limiting access to drugs, by making drug use riskier, etc. The people that have problems with these laws are those people which do not agree with the risk assessment by society (many) and those which do not care about society but do agree with the risk assessment (few).

Computer security is the same. People have problems with measures when the measures pain them without convincing them of the worth of the cost. You can convince the user by:
- Reducing the cost of the measure to the user (that's UI work).
- Increasing the "return on investment" of the measure perceived by the user (that's education).

So:
- DON'T force security measures on users when the measures only protect the user and when the user doesn't want them.
- DO make the purpose of measures clear.
- DO make the measures as unobtrusive as possible.

Now a lot of risks involving computers do impact more than just the user. Consider worms where local host security hurts your neighbors (as your machine attacks them). This complicates things.

As a human being, you must decide whether you want to force measures on someone that they don't want, to protect only them. I don't like other people forcing decisions on me, so I would implore developers to make such measures optional (on by default if the cost is low and benefit high). You must also decide, whether you will force measures on users that don't want them, for the good of someone other than the user. As an application developer, you must consider that any measure that you force on a user, when they don't want the measure, will be seen by that user as a pain in the ass and will help support competing applications. Also, implementation measures will be criticized for usability just as any part of your application is criticized. There's nothing special about security in terms of usability. UI components for features that users don't understand are distracting and confusing, and bad UI components for features that users do understand are just plain frustrating.

A secure design can be quite usable

[argent]

If you start with only usability in mind, and end up with a design that has inherent security flaws, it's easy to end up in a situation where the only way to improve security is to reduce usability. Internet Explorer is, of course, the poster boy fo rthis problem.

If you start with security in mind, and maintain both security and usability goals, you can end up with a much more secure design that, by the end of the day, is also more usable.

For example, if you build a rendering component that doesn't contain a mechanism for breaking out of its sandbox, and then let specific applications add capabilities that objects they directly provide to the rendering engine can use, you can implement almost every piece of functionality that Microsoft designed ActiveX for without having an ever-tightening ring of increasingly annoying restrictions wrapped about the user.

The only difference is that rather than having Internet Explorer at the core of the system, so that everything ends up looking like part of IE, you have a variety of applications with embedded HTML panes that provide the same functionality.

What do you lose? The ability to have remote web pages embed trusted control inside their web pages... instead you need to explicitly install plugins or, for in-house tools, run an "intranet update" that downloads and updates the apps.

This seems less convenient, until you realise the browser is more convenient in other ways because it's not trying to second-guess everything you do... and, once enough people are using it, the convenience of a more spam- and virus- free mailbox has to count for something.