Three strikes and you’re locked out

Despite a brief flirtation with American Football in the 90s, I’ve never been able to get on with American sports. They are just well… a bit dull. Despite my indifference to the sports themselves, their terminology – and specifically “three strikes and you’re out” – has impacted my life and yours in a surprising way.

Locked out

During an average day we log in to computers both at home and at work many, many times. Each time we’re threatened, for the good of security, with being locked out of our accounts. But why do we get three attempts? Why not two or five or even ten? Well – I’m sure you can see where I’m going with this – three strikes and you’re out! That’s truly how brainless security folk can be. Denying users access to services and systems that are vital to their jobs as a result of a crude analogy with baseball.

Brostoff and Sasse

Brostoff and Sasse [1] report that users don’t completely forget passwords but instead confuse them with other passwords, don’t recall them with 100% accuracy or simply mistype them. With this in mind, they found that increasing the number of retry attempts from 3 to 9 improved successful logins from 54% to 93%.

Brostoff and Sasse’s introduction of science and sanity into usable security is of course a great thing. But has the world changed in the thirteen years since their findings? No. In my last job I had accounts on Unrestricted, Restricted and Secret networks. All locked users out on three failed attempts to authenticate, yet clearly the risks to these networks were radically different.
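To make the point concrete, here is an added example (mine, not code from the original post or from Brostoff and Sasse) of a lockout tracker in which the retry threshold is a per-tier policy parameter rather than a hard-coded three. The tier names follow the post; the thresholds (9, 6, 3), the 900-second lockout duration and the account name “alice” are assumptions chosen for illustration. A constructed attempt sequence for a user who confuses two passwords and mistypes once is replayed against each tier to show who gets in and who gets locked out.

```python
"""Risk-tiered login lockout: the retry threshold is a policy parameter
per system, not a fixed "three strikes".  Added example; not from the
original post."""
from dataclasses import dataclass
from typing import Dict, List

# Assumed thresholds per network risk tier (hypothetical values chosen for
# this example; the post names the tiers but gives no numbers).
TIER_THRESHOLDS: Dict[str, int] = {
    "unrestricted": 9,   # the 9-attempt setting Brostoff and Sasse tested
    "restricted": 6,
    "secret": 3,         # the traditional three strikes
}


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since the last success/unlock
    locked_until: float = 0.0  # timestamp the lockout expires; 0.0 means unlocked


class LockoutPolicy:
    """Counts consecutive failed logins per account and locks the account for
    lockout_seconds once its tier's threshold is reached."""

    def __init__(self, thresholds: Dict[str, int], lockout_seconds: float = 900.0):
        self.thresholds = thresholds
        self.lockout_seconds = lockout_seconds
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, account: str) -> AccountState:
        return self.accounts.setdefault(account, AccountState())

    def is_locked(self, account: str, now: float) -> bool:
        return now < self._state(account).locked_until

    def record_attempt(self, account: str, tier: str, password_ok: bool, now: float) -> str:
        """Apply one login attempt and return "ok", "fail" or "locked".
        A correct password presented during a lockout is still rejected:
        that is exactly the usability cost the post complains about."""
        st = self._state(account)
        if self.is_locked(account, now):
            return "locked"
        if st.locked_until and now >= st.locked_until:
            # Lockout has expired: forget it and start counting afresh.
            st.failures = 0
            st.locked_until = 0.0
        if password_ok:
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.thresholds[tier]:
            st.locked_until = now + self.lockout_seconds
            st.failures = 0
            return "locked"
        return "fail"


def run_session(tier: str, attempts: List[bool],
                thresholds: Dict[str, int] = TIER_THRESHOLDS) -> List[str]:
    """Replay a sequence of attempts (True = right password) for one user
    against one tier, one second apart, and return each attempt's outcome."""
    policy = LockoutPolicy(thresholds)
    return [policy.record_attempt("alice", tier, ok, now=float(i))
            for i, ok in enumerate(attempts)]


# Constructed scenario: the user confuses two passwords and mistypes once,
# so fails four times before typing the right one.
CONFUSED_USER = [False, False, False, False, True]

if __name__ == "__main__":
    for tier, threshold in TIER_THRESHOLDS.items():
        print(f"{tier:13s} threshold={threshold}: {run_session(tier, CONFUSED_USER)}")
```

With the three-strike tier the fifth, correct, attempt is rejected because the account is already locked; with the nine-attempt tier the same user logs in. The security cost of raising the threshold is equally visible in the code: an online guesser gets exactly `threshold` attempts against an account per lockout window, so the number should be set from the risk of the system, which is the post's argument.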

Although the lack of science in computer security, and in usable security specifically, is alarming (at least to me), it is also only part of the problem. To get usable security into the hands of the users that are crying out for it we must change the behavior of sysadmins and the way that security risks are managed. I’m not sure how to do that but I’m thinking about it…

[1] Sacha Brostoff and Angela M. Sasse, “Are Passfaces more Usable Than Passwords? A Field Trial Investigation”, Proceedings of HCI 2000