Questions tagged [usability]
31 questions
1268 votes, 22 answers
XKCD #936: Short complex password, or long dictionary passphrase?
How accurate is this XKCD comic from August 10, 2011?
I've always been an advocate of long rather than complex passwords, but most security people (at least the ones that I've talked to) are against me on that one. However, XKCD's analysis seems…
Billy ONeal
89 votes, 16 answers
How to tell users that they shouldn't disclose their password over the phone to our help desk?
I work for a help desk, and we recently launched an online service where our members can log in.
A problem we are having is that users who are calling us often ask us to confirm that the password handed in to them is correct. By doing so, they…
Terry
58 votes, 7 answers
Are there security advantages gained from forcing a website to be available from just one tab at a time?
I just found that a website of one Polish bank forces the users to open it in one browser tab only. You cannot, for example, check your transfer history while looking for an account number that you want to send money to. I cannot think of any good…
d33tah
34 votes, 4 answers
Is it safe to show users why their password is not allowed?
/////////////////////////////// Updated Post Below ////////////////////////////
This question has received a lot of hits, more than I ever thought it would have on such a basic topic. So, I thought I would update people on what I am doing. Also I…
Rixhers Ajazi
32 votes, 8 answers
How to generate easy to type passwords without sacrificing security?
How can one generate a password that is easy to type but does not sacrifice security? An example of a password that is easy to type but sacrifices security (I imagine) would be qwe123!@#.
For this question, we'll use a pretty lax but standard…
Pants
32 votes, 7 answers
Explain to a non-tech-savvy person how to check that your connection to mybank.com is safe?
I was reading the security advice given by the Swedish Bankers' Association. They included these two pieces of advice (my translation), which I assume are meant to teach the user to check for SSL/TLS and protect from SSL-strip:
Check that it is the…
Anders
19 votes, 5 answers
From a security standpoint should users be asked to confirm their password when registering?
Is it advisable to have users re-type their password to confirm it's correct? On User Experience the general consensus seems to be no, but I'm wondering if this has security ramifications?
EDIT: my two cents is, wouldn't that lead some users to feel…
Celeritas
18 votes, 5 answers
Is client side encryption really better than server side?
A web application may encrypt all user data on the client side to convince users that it can't decrypt them.
When the user enters a password, it's used to encrypt data in the browser and then it's sent to the server in encrypted state. The server doesn't know the password,…
Andrei Botalov
17 votes, 3 answers
Should I reject obviously poor passwords?
UPDATE: My questions and concerns below boil down to: "Should I reject obviously poor passwords like 'hellomydarling' or 'password'? My guess is yes and I want to know to what extent. I'm using a password strength estimator to assist with that.
I…
Niictar
14 votes, 3 answers
In what cases can overly strict security policies be detrimental to organisations?
In a philosophical sense, is heterogeneous security, a system where people are given more autonomy, better than security policies/procedures written in stone?
I've worked at some companies where office politics were so strong and everyone was so…
Celeritas
11 votes, 3 answers
Should the password field be cleared after an unsuccessful login attempt?
Let's assume the following workflow for logging in:
a) On a device with keyboard:
I type my username and password
Press enter
[realization] I made a typo
Password field is cleared: not a big deal, I can type reasonably quick
b) On a device with…
Mars Robertson
8 votes, 2 answers
What's a good time period before refreshing CSRF token of the user session?
I am using a form token to prevent CSRF attacks. Those tokens are stored and tied to a user's session. Now I want to refresh the token only every N minutes or hours so that the users don't experience any usability issues like the browser Back…
Kid Diamond
6 votes, 3 answers
Jump Servers for security
In my network, I have the clients directly connected to the server; but the new PCI policies require us to use jump servers.
What is the advantage of using jump servers for security reasons?
How can I use two-factor authentication with jump…
Hamawand
5 votes, 4 answers
Contact person by phone, when their phone might have malware
I have a problem setting where I want to contact a user by phone, and where I need to protect the integrity of the phone call as much as possible. I'm wondering about how to design the interaction in a way that best achieves this.
I am worried…
D.W.
5 votes, 1 answer
Can skeuomorphic UI design create security vulnerabilities?
Skeuomorphic design is common in desktop computer and mobile telephone applications. Sometimes interfaces and cues from the real world are used to good effect (swiping to move backwards and forwards in an eBook) and sometimes to terrible effect…
Cybergibbons