author | Anne Adams and Martina Angela Sasse |
title | Users are not the enemy |
howpublished | Commun. ACM 42 |
year | 1999 |
month | December |
url | https://doi.org/10.1145/322796.322806 |
This paper explores the interplay between user password practices and institutional password policies in the 1990s. The authors observe that the relationship between individuals (employees) and employing institutions concerned about security tended to be adversarial, and this distrustful relationship exacerbated insecure practices. It was commonly assumed at the time that end-users were lazy, error-prone, and inherently inclined toward insecure practices; the authors concede that many users were ignorant about security risks and threats, but find that many of the concerning behaviors (e.g. writing passwords on sticky notes) were caused by the institution’s own security practices. The authors dispute the idea that users are unmotivated or unmotivatable vis-à-vis security; their survey respondents are eager to use security practices if
This article clearly shows its age, and this is a good thing. I clearly remember when these issues were pressing institutional concerns and frequently debated. Knowledge about the interplay between usability and security is now baseline* among security professionals. Many of the authors’ recommendations have become standard practice, and in general the usability of modern authentication systems has improved to the point where others of the recommendations (e.g. shared passwords for work that is done as a team) are no longer relevant.
* I do not mean universal.