Passwords and Careless Users

A story from Network Security: Private Communication in a Public World by Kaufman, Perlman and Speciner.

At a lecture on computer security, a professor asked, “Are there any advantages of passwords over biometric devices?” A helpful student replied, “When you want to let someone use your account, with a password you just give it to them, while with a biometric device you have to go with them until they are logged in.” This is the sort of remark that sends chills down the back of security administrators and makes them think of their users as adversaries rather than the customers they are trying to protect.

Security people need to remember that most people regard security as a nuisance rather than as needed protection, and left to their own devices they often carelessly give up the security that someone worked so hard to provide. The solution is to educate users on the importance of security, helping them to understand the reasons for the procedures they are asked to follow and making those procedures sufficiently tolerable that they don’t develop contempt for the process.