The IETF has a web form for subscribing to the IETF-Announce mailing list. The form has this admonition:
Do not use a valuable password as it will occasionally be emailed back to you in cleartext.
This admonition is a gentle reminder that not all passwords are equal.
But considered at a different level, it's a reminder that security is not easy for users. Just considering this one specific issue, we note that different passwords -- and different password strengths -- are required for different functions. A password that you use to update your mailing list subscription and a password that you use to update your bank account are vastly different in value. So, an interesting question might be: how many levels of passwords should I have? Right at the start, I know I need at least two: one for mailing list subscriptions and one for bank accounts. How many more? Typical individuals don't want to think about these questions.
A related issue is the sharing of personal information. Whom should you give your cell phone number to? Whom should you give your instant messaging ID to? Whom should you give your email address to? Which email address? How many different email addresses or instant messaging IDs should you have?
Posted by Doug Sauder at February 20, 2005 09:31 AM