Thursday, June 26, 2014

The only secure password is the one you can’t remember. (Troy Hunt)

I have long had an intense love/hate relationship with security folks.  Originally, they were the trolls who somehow or other got in the way on every login or sign-up sequence I ever worked on.  Kind of like Dilbert’s famous Mordac character:


(The “squeal like a pig” quote here is what really makes this one.)

A few years ago, I ended up seated next to my company’s security group.  Turns out that they were regular people after all, and we ended up having a great relationship.  I walked away with a lot of knowledge about and an appreciation for security issues, and they learned a thing or two about usability.

One of the first reports I did for them included the following graph, pretty much as a joke:


Get it?  As security goes up, usability goes down.  As well as all the other corollaries this graph implies.

As it turned out, this graph was a pretty effective way to think about each new wrinkle the security folks wanted to introduce.  What we were trying to hit was that point where the two lines intersect – the happy medium between security and usability.  We actually started to think of it more like this:


What we tried to do here was come up with something that got us into that top-right box.  And if we didn’t, we had to think hard about what was preventing us from getting there, how to get there, and whether that particular solution would ever get us there or should simply be scrapped.  We also had to assiduously avoid the lower-left box and, if we ended up in either of the other two boxes, think long and hard about whether we were really comfortable there.

It also got us both thinking outside of our own little boxes.  Personally, I now look forward to security work.  Instead of making me simply throw up my hands and run away, security just seems to add a little extra challenge that can be a lot of fun.
