
Useit.com Suggests a Balance Between Security and Usability

Jakob Nielsen wrote an excellent piece called Security & Human Factors for his Alertbox series. In it he points out many of the well-known problems with password-based authentication in general, and in particular with the rules corporate IT departments impose to reduce the risk that passwords are guessed, stolen, or shared.

Rules such as minimum password length, a ban on reusing old passwords, and short password lifetimes almost guarantee higher technical support costs, because users forget or confuse the passwords the rules force them to create.

CTDATA increased security on many of our systems last year, and our experience is that the increase in support costs has greatly exceeded the increase in overall system security. If we had to do it over again, we would have sought a different solution.

We think the best security systems ask the user to provide either:

  • more than one piece of personally identifying information that cannot be provided without access to multiple personal identity documents, or
  • user-supplied questions and answers that allow a Web application to identify a user with 90 to 95 percent certainty (example: What's your favorite color?)

Mechanisms this simple are only acceptable if authentication failures are logged and analyzed in real time. The answer to a question like "What's your favorite color?" comes from a small set of likely values, so an attacker who is allowed unlimited guesses will succeed quickly; the monitoring has to notice repeated failures and lock the account (or the source address) before the answer space is exhausted.
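As an added illustration, not code from the original post or from CTDATA, here is a hypothetical security-question check in Python that does what the sentence above requires: answers are stored as salted PBKDF2 hashes, every failed attempt is logged, and an account or a source address is locked once it exceeds a failure budget inside a sliding window. The class and function names, the thresholds, the window length, and the attempt sequences in run_scenario() are all assumptions constructed for the example; the scenario shows an attacker walking the small "favorite color" answer space being locked out one guess before the correct answer, a legitimate user surviving a typo, and a single source spraying many accounts being cut off.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque

# Hypothetical thresholds (assumptions, not values from the post).
WINDOW_SECONDS = 15 * 60      # sliding window for counting failures
MAX_ACCOUNT_FAILURES = 3      # wrong answers allowed per account per window
MAX_SOURCE_FAILURES = 10      # wrong answers allowed per source address per window


def normalize(answer: str) -> str:
    # "Blue", " blue " and "BLUE" should all match; be loose for usability,
    # but the stored value is still only a hash of the normalized answer.
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", normalize(answer).encode(), salt, 100_000)


class SecurityQuestionAuth:
    def __init__(self):
        self.records = {}        # user -> (question, salt, digest)
        self.failures = deque()  # (timestamp, user, source) for every failed attempt
        self.audit = []          # every decision, for offline review

    def enroll(self, user, question, answer):
        salt = os.urandom(16)
        self.records[user] = (question, salt, hash_answer(answer, salt))

    def _recent(self, now):
        # Age out failures older than the window, then count what is left.
        while self.failures and now - self.failures[0][0] > WINDOW_SECONDS:
            self.failures.popleft()
        per_user, per_source = defaultdict(int), defaultdict(int)
        for _, user, source in self.failures:
            per_user[user] += 1
            per_source[source] += 1
        return per_user, per_source

    def attempt(self, user, answer, source, now=None):
        now = time.time() if now is None else now
        per_user, per_source = self._recent(now)
        if per_user[user] >= MAX_ACCOUNT_FAILURES or per_source[source] >= MAX_SOURCE_FAILURES:
            verdict = "locked"   # refuse even a correct answer; require an out-of-band reset
        else:
            rec = self.records.get(user)
            # Unknown users get a dummy comparison so timing does not reveal enrollment.
            salt, digest = (rec[1], rec[2]) if rec else (b"\0" * 16, b"\0" * 32)
            ok = hmac.compare_digest(hash_answer(answer, salt), digest) and rec is not None
            verdict = "ok" if ok else "fail"
            if not ok:
                self.failures.append((now, user, source))
        self.audit.append((now, user, source, verdict))
        return verdict


def run_scenario():
    auth = SecurityQuestionAuth()
    auth.enroll("alice", "What's your favorite color?", "Green")
    t = 1_000_000.0
    # Constructed attack: one source walks the tiny answer space for alice.
    attacker = [auth.attempt("alice", c, "198.51.100.7", t + i)
                for i, c in enumerate(["blue", "red", "black", "green"])]
    # Constructed legitimate use, after the window: a typo, then the right answer.
    t2 = t + WINDOW_SECONDS + 60
    legit = [auth.attempt("alice", "Gren", "192.0.2.10", t2),
             auth.attempt("alice", " GREEN ", "192.0.2.10", t2 + 5)]
    # Constructed spray: one source tries a common answer against many accounts.
    t3 = t2 + 100
    spray = [auth.attempt(f"user{i}", "blue", "203.0.113.5", t3 + i) for i in range(11)]
    return attacker, legit, spray


if __name__ == "__main__":
    for label, verdicts in zip(("attacker", "legit", "spray"), run_scenario()):
        print(label, verdicts)
```

The lockout deliberately fires on the fourth guess even though it is the correct one: once the failure budget is spent the only way back in is a reset that the monitoring can flag for review, which is what makes a low-entropy question tolerable at all.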



For more information, contact Dave Aiello by email at dave [at] daveaiello.com or call him at +1-267-352-4420.
Copyright © 1995-2010, CTDATA Ventures. All Rights Reserved.