This website was archived on July 21, 2019. It is frozen in time on that date.

Sonya Mann's active website is Sonya, Supposedly.

Behavior Design: Teaching Your Users Security

I presented this talk at CodeConf LA in June, 2016. The full slides are available on their own as a PDF, but the most relevant ones are included in the post below.


Hi, my name is Sonya Mann. I’m a tech enthusiast, freelance word person, and user of many websites, apps, and software products. This talk is aimed at people who make websites, apps, and software products. It’s about how you can nudge your users toward better security habits.

Forewarning: I’m going to use passwords as an example quite a bit, because they’re the most common security credential that regular users handle and control, but this way of thinking about things is not limited to passwords. Now let’s dive right in!

Behavior Design: Teaching Your Users Security

You may already know this, but typical users have bad security habits. It’s not because they’re stupid or lazy, but because they have different priorities. Most people aren’t judged at work or in their personal life by their password hygiene. And if they haven’t personally experienced an account takeover or identity theft, they’re not on high alert.

If you’re a quote-unquote “normal person” — sometimes we call them “non-technical people” or “people who aren’t paranoid hackers” — if you’re that kind of person, strong security habits don’t necessarily feel like they’re worth the hassle. Just in case you don’t believe me, I want to show you some stats.

password habits and password manager usage stats

SplashData is a password manager company that conducts an annual analysis of commonly used passwords. For the past five years straight the most popular passwords have been the number string “123456” and the word “password”. I find it disturbing that any application allows users to choose either of those values as their password!

In the same vein, last year RoboForm, another password manager company, commissioned a survey of 1,000 people in the US and UK about their password practices. Only 8% of respondents said they used a password manager. Compare that to the 23% who said they always use the same password.

Furthermore, I contacted the makers of the two most popular password managers, 1Password and LastPass. The 1Password team said they have unspecified millions of users, and LastPass’ spokesperson told me that they have eight million users. So let’s guesstimate, generously, that twenty million people use password managers. That would only be 6% of America’s 2014 population — and the world is a lot bigger than America. So there is plenty of room for improvement here. Especially since passwords are only the most obvious credential!

One of the most visible types of problems that people’s poor security habits cause is the account takeover. If you’ve ever worked support, you’ve probably had to deal with these. Mistakes that lead to these issues are not limited to the “normal people” I mentioned in the beginning.

Continue reading “Behavior Design: Teaching Your Users Security”

Computing for Fun, Profit, & Mayhem

Internet Riot Police by Surian Soosay.
Internet Riot Police by Surian Soosay.

Brian Krebs, an investigative reporter who covers cybercrime, made this comment in his Reddit AMA last month:

“Whether we’re talking about security or some other beat, the most interesting stories are those that are essentially stories about people — who they are, their experiences, and their weaknesses and failings, etc. Most failures in cybersecurity are not failures in the technology, per se, but in the way the tech is implemented or not. […] Sure, there are software and hardware vulnerabilities, but from my perspective the vast majority of data breaches succeed because they exploit the person behind the keyboard, as well as organizational lethargy, disorder, neglect or incompetence.”

Yesss. I wrote a while ago that “Tech Is Only Awful Like People Are Awful”, and a related hypothesis is that tech is only interesting like people are interesting. Some readers and consumers love gadgetry for the sake of it, but I’m definitely more intrigued by the socioeconomic and/or sociopolitical machinations behind the scenes.

Stories about how humans make, use, and misuse computers are really just stories about how humans stumble through the world, bashing into every obstacle we possibly can.

Sign up for my newsletter to stay abreast of my new writing and projects.

I am a member of the Amazon Associates program. If you click on an Amazon link from this site and subsequently buy something, I may receive a small commission (at no cost to you).