Safe passwords shouldn’t require people to have a PhD in computer science

The recent news that the FBI is stepping up its investigation into Hillary Clinton’s use of a private email server is sure to please opponents of the Democratic presidential candidate. But politicians across the political spectrum have used personal email accounts to conduct official government business, including Martin O’Malley, Sarah Palin, Mitt Romney and Jeb Bush.

 Why are so many politicians turning to personal email in the first place?  This trend may justifiably raise concerns about transparency and legality. But why are so many politicians turning to personal email in the first place? It could be that usability issues are driving our public officials and their subordinates to use personal accounts.

When security measures backfire

Stricter security policies can actually lead to worse overall security in practice. For example, a company might require its employees to have longer passwords that expire every 60 days. But this makes it harder for employees to remember how to log in. To cope with this burden, they start writing down passwords on Post-It notes and just change one character in a password at a time—for example, going from “my#Passwd1” to “my#Passwd2.”

 Circumventing security is an everyday activity for many health-care professionals just to get their work done. These workarounds are quite common. Circumventing security is a normal and everyday activity for many health-care professionals just to get their work done, researchers at University of Pennsylvania, Dartmouth College, and University of Southern California concluded after conducting interviews with and field observations of clinicians. Workers in one hospital unit simply taped passwords onto medical devices. Researchers also found a supply room in the emergency room with the lock code written on the door, to make sure that it would always be accessible in urgent situations.

Administrators in a different hospital had installed proximity sensors onto computers that would automatically log people out if they wandered far enough away. But this had the unfortunate side effect of logging doctors out whenever they turned away from the computer to talk to patients. So the doctors simply put Styrofoam cups over the sensors to avoid having to repeatedly log in.

 Overly restrictive security policies are one reason why people use personal email accounts at work Such findings suggest that overly restrictive security policies are one possible reason why some people use personal email accounts at work. These same restrictions can also make it hard to collaborate with others to get work done.

I’ve met many people both in the public and private sectors whose work emails do not allow them to use file-sharing systems like Dropbox, Box, and Google Drive, which makes sharing files a headache. I’ve also had emails bounce back because the receiver’s organization didn’t allow zip files to be sent as attachments.

But people will find workarounds just so they can do their job. For instance, one time I sent a person a web link to a Dropbox file, but it was blocked at his company. He just forwarded the email to his personal account, downloaded it when he got home, and then copied the file to his work laptop.

Software from the dark ages

Many workers who handle sensitive information are also required to use older and clunkier versions of software. For example, back in 2008, I visited several government agencies and was surprised to learn that they were still using Microsoft Internet Explorer 5, which at that point was about nine years old and two versions behind. Such issues are so painful that, during a State Department town hall meeting back in 2009, one employee received applause after asking Hillary Clinton if they could use the Firefox browser instead of the out-of-date browser they were required to use.

 Many workers who handle sensitive information are also required to use clunkier versions of software. Many organizations stick with using older software primarily because they know that it works. Switching to new software means testing all of the organization’s older software for compatibility, updating documentation, teaching employees about new features, training help-desk personnel so that they can field inevitable questions about the software, and figuring out how to deploy the software to thousands of machines. In some cases, IT departments also have to vet the software to make sure that there aren’t any new security holes, and check for Section 508 compliance to ensure that people with disabilities can use the software.

These requirements make many organizations slow and rigid. Yet people know that better software exists, because they use it at home. The problem is exacerbated for younger workers, who are used to flexible computer environments, open internet access, and fluid communications. Given this kind of computing landscape, it’s no surprise that some public officials opt to duck the rules and use their personal email for official work.

I need to carry how many devices?

On her home page, Hillary Clinton claims that she had a single email account for convenience, making it easier to keep in touch with friends and family as well as keep up with work all in one place. I can sympathize: I actually have all of my email directed to a single email account for pretty much the same reason. In the past, when I had multiple email accounts, I found that I often neglected some by checking them less often, and also made errors by sending emails from the wrong account.

 Pity the real-life James Bonds. But there’s another reason for wanting to have a single email account, which is that you don’t have to carry as many devices. Many people carry their personal phone in addition to one issued by their employer, since their organization doesn’t allow personal devices to access their network. Even worse, they probably have different user interfaces for email, adding to the burden of keeping up to date on one’s messages. Given this context, I’m pretty sure most people would opt to carry just a single device if they could.

It’s worth noting here that many people working for three-letter agencies have it even worse, sometimes regularly carrying two laptops: one for classified work and the other for everything else. I’d be willing to bet that there is some poor soul who carries three laptops, one for unclassified work, one for secret work, and one for top-secret work. Pity the real-life James Bonds.

We like what we know

While some people actually want the latest versions of software, others just want to have access to the familiar user interface that they already know how to use. New user interfaces can bring a great deal of uncertainty and frustration, because things that were once familiar and easy are now confusing and hard. That’s why every time a major website moves a button, renames a link, or changes an icon, they get a raft of complaints from people who were used to the old interface—even if multiple user tests indicate that the new interface will work much better.

 Every time a major website moves a button or changes an icon, they get a raft of complaints. The problem is worse for people who are strapped for time. If you’re already juggling a dozen different urgent tasks, do you really have time to learn a new user interface?

This explains why CIA director John Brennan was using AOL email in the first place. Fortunately, he didn’t seem to have any government documents in his account, but the big surprise for many people was that he was still using an unfashionable AOL account. Odds are that Brennan’s account was set up many years ago, and he simply didn’t feel that he had time to learn a new user interface or go through the hassle of setting up another account and moving his emails over. The same is probably true for many other public officials, leading some to just stick with the personal email accounts that they have been using for years.

Toward a user-friendly future

Security often seems diametrically opposed to usability, particularly when it comes to workers dealing with sensitive information. Fortunately, an emerging field of research called usable security is exploring how to make security work for people who don’t have PhDs in computer science.

Usable security draws on theories and methods from psychology, interaction design, human-computer interaction, economics, and computer science to gain a deeper understanding of barriers to secure systems and how to design better systems that work well in practice. These include using methods from social psychology to get people to adopt better security measures, analyzing why laypeople are afraid of important security measures like software updates, and probing why people find smartphone permissions that notify users of the risks of installing certain applications so confusing. But until usable security takes hold, we shouldn’t be surprised if we keep learning about top government officials loyal to AOL.

We welcome your ideas at ideas@qz.com.

home our picks popular latest obsessions search