​NIST: Given up on unique passwords? You suffer from "security fatigue"

People can’t cope with the amount of security decisions they face today and it’s driving them to ignore security altogether, according to a new US government study.

If you don't choose unique passwords for each site or simply avoid sites that require jumping through security hoops, you're showing symptoms of “security fatigue”, according to a team computer science and cognitive psychologists at the US National Institute of Standards and Technology (NIST).

A new study by NIST found that people are suffering from an overload of security information. As a result, they're not bothering with recommended security precautions. The cause and effect is security fatigue, or a “a weariness or reluctance to deal with computer security”, according to NIST.

“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” NIST computer scientist and co-author Mary Theofanos said.

“Years ago, you had one password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”

The team interviewed 40 people from a range of professional backgrounds, aged between 20 and 70. They found many of them felt overwhelmed by pressure to be vigilant about security threats and understand finer points of online security.

One subject said about computer security: “I don’t pay any attention to those things anymore…People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Respondents reported feeling a sense of “dread”, “resignation” and “loss of control”.

The researchers argue designers to grasp security fatigue because the behavior of cyber weary citizens affect the nation's cyber resilience, from workplace security, to online banking, commerce and health.

“If people can’t use security, they are not going to, and then we and our nation won’t be secure,” NIST cognitive psychologist and co-author Brian Stanton said.

Sources of fatigue included remembering usernames and passwords, remembering PIN numbers, and adding more security measures to access an account.

Going by these findings, fatigue may be why it’s difficult to convince people to enable two-factor authentication where it's available, even after major password leaks expose users to a greater risk of hijacking.

Theofanos said developers haven’t considered the user in the security equation.

The researchers' recommend developers limit the number of security decisions users need to make, and make it easy to choose the right security action, while also providing consistency to the user. While that may seem straightforward it could be difficult to crack collectively without industry-wide standards.

The message however likely won't be lost tech giants, which have often been the source of security fatigue as well as solutions, even if they aren't always consistent. Apple's iPhone TouchID fingerprint authentication, for example, can help reduce login friction for online banking, but it's also a competitive advantage linked to its hardware.

Microsoft studied how people responded to its User Account Control in Windows Vista after widespread complaints it triggered too many prompts. Microsoft found users suffered “click fatigue” for anything beyond two alerts per session and toned the feature down in Windows 7.

A recent BYU study with Google’s Chrome engineers also found 90 percent of important security messages are ignored if they arrive at the wrong times because most humans are terrible multi-taskers. If the subjects were distracted by an alert while working on a primary task, they would ignore the alert. The researchers criticized software developers for “categorically” presenting alerts without considering what the user is doing at the time.

Another study by the Norwegian Centre for Information Security published last week on cyber-security culture illustrated the challenges that personal security habits pose to national cyber resilience.

Password managers could help people deal with an overload of online credentials, but the study found that only nine percent of over 8,000 respondents used them. A quarter of respondents also had no idea whether their software was up to date.

Still, Norwegians might not be as fatigued as those in NIST's research, with 61 percent saying they used different passwords for each online account.

Join the CSO newsletter!

Error: Please check your email address.

Tags password securityMicrosoftcyber resilienceNISTWindowsStrong Passwordspassword protectioncyber security

More about AppleGoogleMicrosoftTechnology

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Liam Tung

Latest Videos

More videos

Blog Posts