| > Anytime you sacrifice security for convenience or simplicity, you lose. No, you don't. And it's exactly this kind of black and white, all or nothing thinking that has hampered the success of the security community for decades. Security folks, for obvious reasons, are only ever thinking about user scenarios where active security is needed. Scenes involving rubber hoses, angry cops, jealous spouses, competing corporations, etc. Those scenes matter, but they are a very small fraction of most users lives'. Users are not stupid. When they reason about security, they think about all of the scenarios in their life. And, for every time they get picked up by the secret police and would be really glad they picked a 14-digit alphanumeric passcode, they know there are a million more times where they wanted to take a picture of that cute thing their kid is doing right now and don't want to spend the time unlocking the phone. That is a real win in the user's mind. And those many small conveniences and joys are a huge part of the equation of their life. Well-designed systems give users good security by integrating into their whole life, not just the idealized nefarious circumstances security folks spend all day thinking about. If you make your security too annoying, users will route around it, and now they have no security. |