So begins a quote we use in our Introduction to System and Network Security course. Too often we view security as an afterthought – something to add to our network or organization. We talk about hardening systems to mean making them more secure. This approach is totally backwards. We need to consider security and secure design throughout the entire process. Why don’t we?
I see three big reasons (and there are surely others) behind this: 1) we didn’t consider security in our designs years ago and have kept the bad habit of not doing so now; 2) we don’t teach security as part of design (say, software design) in colleges or high schools, so students don’t think it is important; and 3) it is generally easier to sell products that are easier to use than those that are secure.
Let’s look at number three for now. Think about going to the store to buy a new version of your operating system. The vendor has two boxes: one labeled “New version – easy to use”, the other labeled “New version – harder to use, but way more secure”. Which one do you choose? Well, the first, of course. And clearly no marketer would do the second. In fact, terms like “plug and play”, “quick configure” and so forth are aimed at selling products to the less technical. And that can be good.
Security could be a good marketing point, too. The sad thing is, most users believe (mostly correctly) that secure configuration of their hardware and software is difficult and makes the product more difficult to use. Vendors need to change both the perception and the reality. One thing they can do is make secure configuration easier than insecure configuration. Simply requiring passwords for accounts and then generating secure passwords would probably be a good first step.
One problem with generated passwords is that they are ugly and long. Even twenty characters of random numbers and mixed upper- and lowercase letters can be intimidating. Adding a few special characters makes the password look quite off-putting to the novice user. They can’t remember it and may not have a thumb drive to stick it on (or even know how). A wireless router password based on a user-entered phrase might be more acceptable and, while maybe a bit less secure than the random characters, reasonable enough to protect most users. Is ‘##I eat all my758peaS!’ that easy to guess? It is surely easier to write down and keep in a secure place.
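The trade-off between the two styles can be put in numbers. The following is an added example, not part of the original post: it assumes the phrase is machine-generated from random words plus three digits and one special character (a user-chosen phrase has no computable entropy), and the word list, the special-character set and all function names are constructed for illustration.

```python
import math
import secrets
import string

# Constructed 32-word sample list (assumption). A real generator would ship
# several thousand words; 32 keeps the example self-contained.
WORDS = ("apple river stone cloud tiger maple ocean candle "
         "garden pepper silver window rocket button meadow harbor "
         "pencil walnut violet thunder basket copper feather lantern "
         "marble nickel orchid pillow saddle timber velvet willow").split()
ALNUM = string.ascii_letters + string.digits  # 62 symbols
SPECIALS = "!#$%&*+-=?@"                      # 11 symbols (assumed set)


def random_password(length=20, alphabet=ALNUM):
    """Return (password, entropy_bits) for a uniformly random password."""
    pw = "".join(secrets.choice(alphabet) for _ in range(length))
    return pw, length * math.log2(len(alphabet))


def passphrase(n_words=5, words=WORDS):
    """Return (phrase, entropy_bits): random words + 3 digits + 1 special."""
    chosen = [secrets.choice(words) for _ in range(n_words)]
    number = f"{secrets.randbelow(1000):03d}"
    special = secrets.choice(SPECIALS)
    bits = (n_words * math.log2(len(words))   # each word picked independently
            + math.log2(1000)                 # three random digits
            + math.log2(len(SPECIALS)))       # one random special character
    return " ".join(chosen) + number + special, bits


def words_needed(target_bits, list_size):
    """Random words from a list of list_size needed to reach target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    rnd, rnd_bits = random_password()
    phr, phr_bits = passphrase()
    print(f"random  {rnd_bits:6.1f} bits  {rnd}")
    print(f"phrase  {phr_bits:6.1f} bits  {phr}")
    # How long a word-only phrase must be to match the 20 random characters:
    for size in (len(WORDS), 7776):
        print(f"{size}-word list: {words_needed(rnd_bits, size)} words")
```

The strength of a generated phrase comes from the size of the word list and the number of words, not from how odd the result looks, so a vendor can tune both to reach whatever level it wants to ship as the default.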
Of course, there is far more to consider than just passwords. I’ll address some of those in upcoming posts.
What do you think? How can we make secure configuration more palatable for users?