NIST: Given up on unique passwords? You suffer from "security fatigue"

People can’t cope with the amount of security decisions they face today and it’s driving them to ignore security altogether, according to a new US government study.

If you don't choose unique passwords for each site, or simply avoid sites that require jumping through security hoops, you're showing symptoms of “security fatigue”, according to a team of computer scientists and cognitive psychologists at the US National Institute of Standards and Technology (NIST).

A new study by NIST found that people are suffering from an overload of security information. As a result, they're not bothering with recommended security precautions. The result is security fatigue, or “a weariness or reluctance to deal with computer security”, according to NIST.

“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” NIST computer scientist and co-author Mary Theofanos said.

“Years ago, you had one password to keep up with at work,” she said. “Now people are being asked to remember 25 or 30. We haven’t really thought about cybersecurity expanding and what it has done to people.”

The team interviewed 40 people from a range of professional backgrounds, aged between 20 and 70. They found many of them felt overwhelmed by pressure to be vigilant about security threats and understand finer points of online security.

One subject said about computer security: “I don’t pay any attention to those things anymore… People get weary from being bombarded by ‘watch out for this or watch out for that.’”

Respondents reported feeling a sense of “dread”, “resignation” and “loss of control”.

The researchers argue that designers need to grasp security fatigue because the behavior of cyber-weary citizens affects the nation's cyber resilience, from workplace security to online banking, commerce and health.

“If people can’t use security, they are not going to, and then we and our nation won’t be secure,” NIST cognitive psychologist and co-author Brian Stanton said.

Sources of fatigue included remembering usernames and passwords, remembering PINs, and having to clear additional security measures to access an account.

Going by these findings, fatigue may be why it’s difficult to convince people to enable two-factor authentication where it's available, even after major password leaks expose users to a greater risk of hijacking.

Theofanos said developers haven’t considered the user in the security equation.

The researchers recommend that developers limit the number of security decisions users need to make, make it easy to choose the right security action, and present security consistently to the user. While that may seem straightforward, it could be difficult to achieve across the industry without industry-wide standards.

The message, however, likely won't be lost on tech giants, which have often been the source of security fatigue as well as of solutions, even if they aren't always consistent. Apple's iPhone TouchID fingerprint authentication, for example, can help reduce login friction for online banking, but it's also a competitive advantage tied to Apple's hardware.

Microsoft studied how people responded to its User Account Control in Windows Vista after widespread complaints it triggered too many prompts. Microsoft found users suffered “click fatigue” for anything beyond two alerts per session and toned the feature down in Windows 7.

A recent BYU study with Google’s Chrome engineers also found that 90 percent of important security messages are ignored if they arrive at the wrong time, because most humans are terrible multi-taskers. If the subjects were interrupted by an alert while working on a primary task, they would ignore the alert. The researchers criticized software developers for “categorically” presenting alerts without considering what the user is doing at the time.

Another study by the Norwegian Centre for Information Security published last week on cyber-security culture illustrated the challenges that personal security habits pose to national cyber resilience.

Password managers could help people deal with an overload of online credentials, but the study found that only nine percent of over 8,000 respondents used them. A quarter of respondents also had no idea whether their software was up to date.

Still, Norwegians might not be as fatigued as those in NIST's research, with 61 percent saying they used different passwords for each online account.


Stories by Liam Tung
