A better way to think about passwords

Robert J. Hansen rjh at sixdemonbag.org
Thu Apr 21 14:38:38 CEST 2011

> In short: don't force a particular strategy on your users.  Much
> better to explain to users the general problem, and then leave it up
> to them to pick a password.

Historically speaking, this has been shown not to work.  I'll try to dig up the HCI references if people really want, but the gist of it is people don't want to have to learn and understand: they just want to get their work done.  The instant you make compliance voluntary and education-based, the vast majority of users say "meh" and choose "password" as their login credential.

The belief that security problems can be solved by educating users is a common one: it is also a deluded one.  It handwaves the very serious problem of most users not wanting to be educated and being actively hostile to it.  "Why do I have to learn all this propellerheaded geek stuff?  I just want to get my work done!"

