Security Tip: User Education Doesn't Work

So let's be honest. Users are users. If they knew what they were doing, we would not need to grumble about them and make fun of them under our breath. But they don't know what they are doing. And they never will. NEVER.

Trying to secure your application through user education can never work. If someone other than you, the developer, will ever use your application, you can assume they will misuse it. And even if you will be the only user, can you really be sure that you will remember the way you wrote the app 5 years from now?

You can tell the user things like:

  • Use a strong password
  • Don't bookmark certain pages
  • Make sure you use HTTPS
  • Always go to this page first
  • Remember to delete your cookies
  • Don't let your laptop get stolen because it has sensitive data on it
  • Or any other thing you need to tell the user to remember

If your application's security is not seamless to the end user, then it is your application's behavior that needs to change, NOT the end user. For example, your application needs to

  • Ensure the user is using a strong password (and that the password is properly stored and rotated)
  • Make sure that access control properly routes the user to a login page if they are not logged in. Do not rely on the user going directly to the login page
  • Reroute requests that do not use HTTPS to a request that does
  • Encrypt sensitive data
  • and anything else that is required for the application to achieve a secure state.

Do not put the responsibility of application security onto the end user. It is foolish, unnecessary, and irresponsible. AND it won't work.
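As an added illustration (not code from the original post), here is a framework-free Python sketch of the first three "your application needs to" items above: server-side password policy with salted, iterated storage; rerouting of non-HTTPS requests; and access control that sends an unauthenticated user to the login page with a vetted return path, so the user never has to remember to type `https://` or to visit the login page first. Requests, sessions and responses are plain dicts, and every name, path and policy value below is an assumption for this example, not a real library's API. Encryption of sensitive data at rest is left out because the standard library has no authenticated cipher to demonstrate it with.

```python
# Added example (not from the original post): framework-free sketches of the
# "your application needs to" items. Requests, sessions and responses are
# plain dicts so the logic runs without a web framework; the names below are
# assumptions for this illustration, not a real library's API.
import hashlib
import hmac
import os
from urllib.parse import urlencode

# Policy values are assumptions for this example; set them from your own
# security policy rather than copying them.
MIN_PASSWORD_LENGTH = 12
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein"}
PUBLIC_PATHS = {"/", "/login", "/logout"}
PBKDF2_ITERATIONS = 600_000


def password_problems(password: str) -> list[str]:
    """Return the reasons a password fails policy; an empty list means it passes.
    Checking server-side means the user does not have to remember the rules."""
    problems = []
    if len(password) < MIN_PASSWORD_LENGTH:
        problems.append(f"must be at least {MIN_PASSWORD_LENGTH} characters")
    if password.lower().strip() in COMMON_PASSWORDS:
        problems.append("is on the common-password deny list")
    return problems


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Store only a salted, iterated hash; the plaintext is never written down."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def safe_return_path(path: str) -> str:
    """Only a same-site relative path may be used as the post-login destination;
    anything else (absolute URLs, protocol-relative '//host') becomes '/'."""
    if path.startswith("/") and not path.startswith("//") and "\\" not in path:
        return path
    return "/"


def handle(request: dict, session: dict) -> dict:
    """Enforce HTTPS and login before any page logic runs."""
    # 1. Reroute any non-HTTPS request to the same URL over HTTPS.
    if request["scheme"] != "https":
        return {"status": 301,
                "headers": {"Location": "https://" + request["host"] + request["path"]}}
    # 2. Access control: unauthenticated users are sent to the login page,
    #    carrying a vetted return path so they land where they intended.
    if request["path"] not in PUBLIC_PATHS and "user" not in session:
        query = urlencode({"next": safe_return_path(request["path"])})
        return {"status": 302, "headers": {"Location": "/login?" + query}}
    # 3. Tell the browser to use HTTPS on its own from now on.
    headers = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    return {"status": 200, "headers": headers,
            "body": f"account page for {session['user']}"}


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", stored))  # True
    print(handle({"scheme": "http", "host": "example.test", "path": "/account"}, {}))
```

The point of `safe_return_path` is that the login redirect carries a user-controlled value; validating it server-side keeps the "send them back where they were going" convenience from turning into an open redirect, which is exactly the kind of thing the post says should be the application's job rather than the user's.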

Comments
While I agree with all of this, sometimes I wish sites would let me be a bit more sloppy with my password. And by sloppy, I mean that sometimes I don't want to use a password that has at least two numbers, two uppercase letters, and two lowercase letters and at least one funky character :)

Sometimes, password strength is too strictly enforced from a user perspective.
# Posted By Ben Nadel | 7/6/09 2:08 PM
@Ben, I absolutely agree. One thing that I think confuses a lot of developers and holds them up is figuring out how much security to add.

I think there is the idea out there that every site needs to have every security countermeasure to be considered secure. But this is just not the case.

I like to think of it by saying: Do you need a $20,000 safe to protect your piggy bank? Do you need an armed guard to protect your car while you are eating in a restaurant? Of course not. But these things are possible, so why not?

The thing to keep in mind is what is sometimes referred to as the security policy of your site. The security policy of your site is what determines what "secure" is. Not every account on every site needs to be protected by the super-secret, super-secure password.

I will have some more on this topic in the near future.
# Posted By Jason Dean | 7/6/09 2:37 PM