Security and Usability

Blog Post created by merpa06 Employee on Sep 19, 2017

I recently came across the following figures:

  • An average company of 500 employees loses close to a quarter of a million dollars of employee productivity annually on resetting forgotten passwords.
  • 20-50% of all enterprise helpdesk calls are password related, with the time spent resolving each one ranging from 2 to 30 minutes and an overall cost of around $50 per password reset.
  • Collectively, we humans spend the equivalent of more than 1,300 years each day typing passwords around the world.
There are several reasons a user ends up forgetting a password, but the complexity rules imposed by password policies are a key factor, and that is where things get interesting. It turns out that the NIST security professional who wrote the original rules (the first edition of NIST SP 800-63, which gave us the mandatory upper-case letter, the mandatory special character and the passwords you forget all the time) was, by his own account, pretty much guessing, and he guessed wrong. NIST itself has since reversed course: the 2017 revision, SP 800-63B, tells verifiers not to impose composition rules or arbitrary periodic changes, and instead to require a minimum length and to screen each new password against lists of compromised and commonly used passwords.
Technology operates at such a scale today that a bad recommendation like that is responsible for roughly 10 full human lifetimes being wasted every day. Yet it is rare for things like this to be debated or questioned by security professionals.
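To make the contrast concrete, here is an added example (my own illustration, not code from the original post and not a NIST reference implementation): a checker for the classic composition-rule policy beside one that follows the memorized-secret rules of NIST SP 800-63B section 5.1.1.2, namely a length floor, a screen against a compromised/common-password list, and a check for context-specific words and repetitive or sequential characters, with no composition rules at all. The breached-password set is a tiny constructed sample; a real deployment would load a full corpus or query a k-anonymity range API. The four-character run/sequence threshold and the 256-character upper bound are my assumptions, not requirements from the standard.

```python
import re
from dataclasses import dataclass

# Constructed sample of the kind of entries found in breached-password corpora.
# Assumption: a real verifier loads a large list or queries a k-anonymity API.
BREACHED_PASSWORDS = {
    "password", "password1", "p@ssw0rd", "p@ssw0rd1!", "welcome1",
    "qwerty123", "summer2017!", "letmein", "123456", "admin123",
}

# Assumption: a generous cap so the hashing back end is not fed multi-megabyte
# strings. SP 800-63B requires verifiers to accept at least 64 characters.
MAX_LEN = 256


@dataclass(frozen=True)
class Verdict:
    accepted: bool
    reason: str


def composition_policy(pw: str) -> Verdict:
    """The legacy rule set: at least 8 chars, plus upper, lower, digit and special."""
    if len(pw) < 8:
        return Verdict(False, "shorter than 8 characters")
    if not re.search(r"[A-Z]", pw):
        return Verdict(False, "no upper-case letter")
    if not re.search(r"[a-z]", pw):
        return Verdict(False, "no lower-case letter")
    if not re.search(r"[0-9]", pw):
        return Verdict(False, "no digit")
    if not re.search(r"[^A-Za-z0-9]", pw):
        return Verdict(False, "no special character")
    return Verdict(True, "meets composition rules")


def has_run_or_sequence(pw: str, n: int = 4) -> bool:
    """True if pw contains n identical characters in a row ('aaaa') or n consecutive
    ascending code points ('abcd', '1234'). n=4 is an assumed threshold."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - n + 1):
        window = codes[i:i + n]
        if all(c == window[0] for c in window):
            return True
        if all(window[j + 1] - window[j] == 1 for j in range(n - 1)):
            return True
    return False


def nist_800_63b_policy(pw: str, username: str = "",
                        blocklist=BREACHED_PASSWORDS) -> Verdict:
    """Length floor, blocklist screen, context and pattern checks; no composition rules."""
    if len(pw) < 8:
        return Verdict(False, "shorter than 8 characters")
    if len(pw) > MAX_LEN:
        return Verdict(False, f"longer than {MAX_LEN} characters")
    normalized = pw.lower()  # design choice: compare case-insensitively against the list
    if normalized in blocklist:
        return Verdict(False, "appears in compromised/common-password list")
    if username and username.lower() in normalized:
        return Verdict(False, "contains the username")
    if has_run_or_sequence(pw):
        return Verdict(False, "repetitive or sequential characters")
    return Verdict(True, "accepted")


def compare(pw: str, username: str = "") -> tuple[bool, bool]:
    """Return (legacy_accepts, nist_accepts) so the two policies can be contrasted."""
    return composition_policy(pw).accepted, nist_800_63b_policy(pw, username).accepted


if __name__ == "__main__":
    # Constructed candidates chosen to show where the two policies disagree.
    samples = [
        ("P@ssw0rd1!", ""),                      # passes legacy rules, but is a breached favourite
        ("correct horse battery staple", ""),    # fails legacy rules, yet long and not in any list
        ("aaaa1111A!", ""),                      # legacy-compliant, but trivially patterned
        ("merpa06Rocks!", "merpa06"),            # legacy-compliant, but built from the username
        ("abcd1234", ""),                        # rejected by both, for different reasons
        ("Tr0ub4dor&3", ""),                     # accepted by both
    ]
    for pw, user in samples:
        legacy, nist = compare(pw, user)
        print(f"{pw!r:34} legacy={legacy!s:5} nist={nist!s:5} "
              f"({nist_800_63b_policy(pw, user).reason})")
```

The interesting rows are the first two: the password that satisfies every composition rule is rejected by the blocklist screen, while the long passphrase the composition policy would refuse sails through. That is the whole argument of the revised guidance in a dozen lines.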
In a corporate context, every time such a discussion comes up it turns into a debate between security and usability, with the enterprise infosec group and the company's security champions quick to point out that it is always a trade-off and that you HAVE to give up some usability for optimum security. That trade-off was real in the early stages of technology, but emerging technologies and the evolution of the internet landscape make a strong case for revisiting this often-quoted trade-off and looking at the design principles for security systems with a fresh pair of eyes. Security and usability, not security versus usability, should be the new lens through which these questions are viewed.
While the industry gradually works its way towards password-less systems, small changes like this, which save time and remove distractions, improve the quality of our lives more than we might imagine.
Disclaimer: This is a personal blog. Any views or opinions represented in this blog are personal and belong solely to myself, and do not in any shape or form represent those of CA Technologies or any other institution I am associated with, unless explicitly stated.
Paul VK Merugu
CA Professional Services - North America