Irving Street Functionality

This is supposed to be a blog.

recent posts
posted 30 Jan, 2022

Users are not the enemy; 1999

author Anne Adams and Martina Angela Sasse
title Users are not the enemy
howpublished Commun. ACM 42
year 1999
month December

This paper explores the interplay between user password practices and institutional password policies in the 1990s. The authors observe that the relationship between individuals (employees) and employing institutions concerned about security tended to be adversarial, and this distrustful relationship exacerbated insecure practices. It was commonly assumed at the time that end-users were lazy, error-prone, and inherently inclined toward insecure practices; the authors concede that many users were ignorant about security risks and threats, but find that many of the concerning behaviors (e.g. writing passwords on sticky notes) were caused by the institution’s own security practices. The authors dispute the idea that users are unmotivated or unmotivatable vis-à-vis security; their survey respondents are eager to use security practices if


This article clearly shows it’s age, and this is a good thing. I clearly remember when these issues were pressing institutional concerns and frequently debated. Knowledge about the interplay between usability and security is now baseline* among security professionals. Many of the authors’ recommendations have become standard practice, and in general the usability of modern authentication systems has improved to the point where other of the recommendations (e.g. shared passwords for work that is done as a team) are no longer relevant.

* I do not mean universal.