So let's be honest. Users are users. If they knew what they were doing, we would not need to grumble about them and make fun of them under our breath. But they don't know what they are doing. And they never will. NEVER.
Trying to secure your application through user education will never work. If anyone other than you, the developer, will ever use your application, assume they will misuse it. And even if you are the only user, can you really be sure you will remember how you wrote the app 5 years from now?
You can tell the user things like:
- Use a strong password
- Don't bookmark certain pages
- Make sure you use HTTPS
- Always go to this page first
- Remember to delete your cookies
- Don't let your laptop get stolen because it has sensitive data on it
- Or any other thing you need to tell the user to remember
If your application's security is not seamless to the end user, then it is your application's behavior that needs to change, NOT the end user. For example, your application needs to
- Enforce a strong password at registration (a minimum length plus a check against known-breached passwords) and store it as a salted, slow hash (Argon2, scrypt, bcrypt or PBKDF2), never in plaintext or as a bare SHA-256. Forced periodic rotation is no longer recommended (NIST SP 800-63B); change a password when there is evidence of compromise, not on a calendar
- Check authentication server-side on every protected request and redirect unauthenticated users to the login page. Do not rely on the user going to the login page first; a bookmark or a typed URL must hit the same check
- Redirect requests that arrive over plain HTTP to HTTPS, and send a Strict-Transport-Security header so the browser never makes that first insecure request again. A redirect alone still lets the initial HTTP request, cookies included, travel in the clear
- Manage sessions itself: session cookies marked Secure, HttpOnly and SameSite, with a short lifetime and server-side invalidation at logout, so nobody has to remember to delete their cookies
- Encrypt sensitive data in transit and at rest, and keep as little of it as possible on devices you do not control, so a stolen laptop is an inconvenience rather than a breach
- and anything else that is required for the application to achieve a secure state.
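Here is what those behaviors look like when the application, not the user, enforces them on every request. This is an added example, not code from the original post: a stdlib-only Python sketch whose Request/Response types, in-memory user and session stores, and five-entry stand-in for a breached-password list are all constructed for illustration; a real application would use its framework's equivalents and a full breached-password corpus.

```python
"""Security behaviour the application enforces itself, so the user has nothing to remember.
Illustrative example: Request/Response, USERS, SESSIONS and BREACHED_PASSWORDS are constructed."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass, field
from typing import Optional

MIN_PASSWORD_LEN = 12
# Constructed stand-in for a breached-password list (use a real corpus in production).
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "password123"}
PBKDF2_ROUNDS = 600_000  # OWASP's current figure for PBKDF2-HMAC-SHA256


@dataclass
class Request:
    scheme: str                      # "http" or "https"
    host: str
    path: str
    cookies: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    headers: list = field(default_factory=list)
    body: str = ""


USERS: dict = {}     # username -> stored password hash (in-memory stand-in for a database)
SESSIONS: dict = {}  # session token -> username (kept server-side so logout really ends it)


# 1. Strong password: the app checks it instead of telling the user to pick one.
def password_acceptable(pw: str) -> bool:
    return len(pw) >= MIN_PASSWORD_LEN and pw.lower() not in BREACHED_PASSWORDS


# ...and stores it as a salted, slow hash rather than plaintext or a fast digest.
def hash_password(pw: str) -> str:
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(pw: str, stored: str) -> bool:
    _, rounds, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


def register(username: str, pw: str) -> bool:
    if not password_acceptable(pw):
        return False
    USERS[username] = hash_password(pw)
    return True


def login(username: str, pw: str) -> Optional[str]:
    stored = USERS.get(username)
    if stored is None or not verify_password(pw, stored):
        return None
    token = secrets.token_urlsafe(32)   # unguessable session id
    SESSIONS[token] = username
    return token


def logout(token: str) -> None:
    SESSIONS.pop(token, None)  # invalidated server-side; a leftover cookie is now worthless


# 2. Cookie flags the browser enforces, so nobody has to "delete their cookies".
def session_cookie(token: str) -> tuple:
    return ("Set-Cookie", f"session={token}; Secure; HttpOnly; SameSite=Strict; Path=/")


PUBLIC_PATHS = {"/login"}


def handle(req: Request) -> Response:
    # 3. HTTPS: redirect plain HTTP. HSTS is only sent on HTTPS responses (browsers
    #    ignore it over HTTP), and tells the browser to skip the insecure hop next time.
    if req.scheme != "https":
        return Response(301, [("Location", f"https://{req.host}{req.path}")])
    headers = [("Strict-Transport-Security", "max-age=31536000; includeSubDomains")]

    if req.path == "/login":
        if not req.form:
            return Response(200, headers, "login form")
        token = login(req.form.get("username", ""), req.form.get("password", ""))
        if token is None:
            return Response(401, headers, "bad credentials")
        return Response(303, headers + [session_cookie(token), ("Location", "/")])

    # 4. Access control on every request: an unauthenticated user is sent to /login
    #    whatever page they bookmarked or typed in. A "next=" parameter is deliberately
    #    left out; unvalidated, it turns the login page into an open redirect.
    user = SESSIONS.get(req.cookies.get("session", ""))
    if user is None:
        return Response(302, headers + [("Location", "/login")])
    return Response(200, headers, f"hello {user}")
```

Every rule from the list above lives in code the user never sees: the password policy and hash in `register`, the HTTPS redirect and HSTS header at the top of `handle`, the cookie flags in `session_cookie`, and the login check that runs before any protected path is served. Encryption at rest is the one item not shown; that belongs to the database and disk layer rather than the request handler.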
Do not put the responsibility of application security onto the end user. It is foolish, unnecessary, and irresponsible. AND it won't work.