This website was archived on July 21, 2019. It is frozen in time on that date.

Sonya Mann's active website is Sonya, Supposedly.

Behavior Design: Teaching Your Users Security

I presented this talk at CodeConf LA in June, 2016. The full slides are available on their own as a PDF, but the most relevant ones are included in the post below.


Hi, my name is Sonya Mann. I’m a tech enthusiast, freelance word person, and user of many websites, apps, and software products. This talk is aimed at people who make websites, apps, and software products. It’s about how you can nudge your users toward better security habits.

Forewarning: I’m going to use passwords as an example quite a bit, because they’re the most common security credential that regular users handle and control, but this way of thinking about things is not limited to passwords. Now let’s dive right in!

Behavior Design: Teaching Your Users Security

You may already know this, but typical users have bad security habits. It’s not because they’re stupid or lazy, but because they have different priorities. Most people aren’t judged at work or in their personal life by their password hygiene. And if they haven’t personally experienced an account takeover or identity theft, they’re not on high alert.

If you’re a quote-unquote “normal person” — sometimes we call them “non-technical people” or “people who aren’t paranoid hackers” — if you’re that kind of person, strong security habits don’t necessarily feel like they’re worth the hassle. Just in case you don’t believe me, I want to show you some stats.

password habits and password manager usage stats

SplashData is a password manager company that conducts an annual analysis of commonly used passwords. For the past five years straight the most popular passwords have been the number string “123456” and the word “password”. I find it disturbing that any application allows users to choose either of those values as their password!
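As an added example, not code from the talk or its slides, here is the kind of check an application can run at signup so that "123456" and "password" are refused, along with the obvious variants people reach for when the bare word is blocked ("Password1!"). The denylist is a constructed sample of a dozen entries; a real deployment would load a much longer list and keep it updated.

```python
"""Refuse the passwords that keep topping the SplashData list.

Added example, not from the original talk. COMMON_PASSWORDS is a constructed
sample; a real deployment would load a much larger list (hundreds of thousands
of entries from breach corpora) once at startup and use the same comparison.
"""
from __future__ import annotations

import unicodedata

# Constructed sample of commonly chosen passwords (lower-case, NFKC form).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "12345", "1234", "111111", "1234567", "dragon", "letmein", "welcome",
}

MIN_LENGTH = 8


def _normalize(pw: str) -> str:
    """NFKC-normalize and case-fold so 'PASSWORD' and full-width digits are caught."""
    return unicodedata.normalize("NFKC", pw).casefold()


def _strip_trailing_suffix(pw: str) -> str:
    """Drop the trailing digits/punctuation users bolt on to dodge a denylist ('password1!')."""
    return pw.rstrip("0123456789!@#$%^&*.?_-")


def password_problems(pw: str, username: str = "") -> list[str]:
    """Return every reason a candidate password is unacceptable (empty list = OK).

    Reporting all reasons at once lets the UI explain itself instead of making
    the user guess, which is the difference between nudging and scolding.
    """
    problems: list[str] = []
    norm = _normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if norm in COMMON_PASSWORDS or _strip_trailing_suffix(norm) in COMMON_PASSWORDS:
        problems.append("appears on the list of most commonly used passwords")
    if username and _normalize(username) in norm:
        problems.append("contains the username")
    if norm and len(set(norm)) == 1:
        problems.append("repeats a single character")
    return problems


def is_acceptable(pw: str, username: str = "") -> bool:
    """True when the candidate passes every check above."""
    return not password_problems(pw, username)


if __name__ == "__main__":
    for candidate in ["123456", "Password1!", "correct horse battery staple"]:
        print(repr(candidate), "->", password_problems(candidate) or "ok")
```

The suffix-stripping step matters more than it looks: a denylist that only matches exact strings is defeated by appending "1" or "!", which is exactly what users do when the bare word is rejected. Show the user the returned reasons rather than a generic "password too weak" message.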

In the same vein, last year RoboForm, another password manager company, commissioned a survey of 1,000 people in the US and UK about their password practices. Only 8% of respondents said they used a password manager. Compare that to the 23% who said they always use the same password.

Furthermore, I contacted the makers of the two most popular password managers, 1Password and LastPass. The 1Password team said they have unspecified millions of users, and LastPass’ spokesperson told me that they have eight million users. So let’s guesstimate, generously, that twenty million people use password managers. That would only be 6% of America’s 2014 population — and the world is a lot bigger than America. So there is plenty of room for improvement here. Especially since passwords are only the most obvious credential!

One of the most visible types of problems that people’s poor security habits cause is the account takeover. If you’ve ever worked support, you’ve probably had to deal with these. Mistakes that lead to these issues are not limited to the “normal people” I mentioned in the beginning.


When & Why to Pay for Free Information

It’s okay to pay for stuff that you could have gotten for free. Sometimes forking over your hard-earned cash is actually the optimal choice! It can save you time and frustration. The people who pay for freely available goods are people who understand the power of cost-benefit analysis. These people are business thinkers who take opportunity costs seriously. They always leverage comparative advantage.

Basically, the reason to pay for free information is the same reason why you might buy a sandwich from the deli instead of making your own. Buying the prepackaged version is easier, more convenient, and often more fun. If you’re low on time but have plenty of money — or at least enough money for the purchase you’re considering — then buying a ready-to-eat sandwich (or an instructional ebook, or a software service, etc) actually makes more sense than spending ten minutes slicing the cheese yourself.

Besides, someone who specializes in making pastrami sandwiches (or researching productivity techniques, or building time-tracking software) is likely better at it than you are. Paying them will not only save you time, it will also get you a better result than trying to roll your own solution.

Here are three things that I personally purchased in the past couple of months that I could have gotten for free:

  • $39.95 for an https certificate and installation thereof from A Small Orange. I could have spent a few hours figuring out Let’s Encrypt instead.
  • $79.98 for tax services from H&R Block. Is it possible to file your taxes without using software like this? Totally. Is it frustrating? Yes, to the extent that I would cry.
  • Any and all nonfiction books. The information that I want is out there on the internet, but it would take a lot of time and energy to assemble it into a coherent, readable format. Instead of skimming all of Brian Krebs’ articles about spam, I simply bought his book.

Amy Hoy addressed this phenomenon in a 2013 blog post:

Quote from Amy Hoy’s Unicorn Free.

When it comes to services in the professional sphere (as well as some consumer goods), people will pay for three advantages:

  • more free time / less wasted time
  • more intellectual resources / less frustration
  • more money / fewer costs

The through-line here is efficiency. People will buy what you’re selling if you can help them get the same inputs to generate better or increased outputs. If you execute well enough, they’ll love you for taking their money!

So, in closing, why pay for free information? Because your time and energy are valuable. You deserve high-quality results.

No Such Truths Are Self-Evident

2018 update: I wrote this blog post in 2015. Some of my object-level positions have changed, but I still endorse the meta point about what “rights” are and where they come from.


Entitlement is the wrong framework for thinking about human rights. (To quote Frank Underwood in a completely different context, “Let me be clear: you are entitled to nothing.”) Human rights are not innate; they are the outcome of decisions that we make semi-collectively about the kind of government and society we want to have. I think this applies to the rights in America’s Bill of Rights and the United Nations’ Universal Declaration of Human Rights as well as to various more prosaic rights.

For example, you do not “deserve” to earn a minimum wage simply by virtue of being born. However, if you are born in America and join the workforce at a certain point in time, our laws establish that you must be paid at least $7.25 per hour. This is a decision that we’ve made, although the process of getting there was complex. (To be clear, I do think having a minimum wage is good.)

Looking at human rights in this way enables a much more rational discussion about what we want our government to do. Instead of arguing about whether children are somehow innately entitled to education, a moral argument for which there is no logical basis, we discuss whether we want to live in a society of people who had the opportunity to learn how to read and do algebra. The second argument allows a discussion of tradeoffs — yes, not funding public schools is cheaper, but in the long run it’s terrible for the economy and everyone’s quality of life.

I must admit the possibility that this viewpoint is more obvious than I think, but I feel like conversations about politics often hinge on ideas about what people “deserve”, without going into how moral entitlements are defined and conferred.

Immigration is another example. The right-wing “immigrants are stealing our jobs” narrative depends on a feeling of entitlement to jobs (and it’s no accident that workers with the least economically defensible employment make up a large portion of the GOP’s base, especially in the South). The impulse toward self-defense is understandable, but it’s built on an obfuscated attempt at a societal decision. Do we want to decide that everyone deserves a job? Is the government then responsible for providing them? Wouldn’t that take us even farther toward socialism — do we/I/you want that or no?

The left has a similarly ill-founded moral argument regarding immigration, one that I’m guilty of voicing. “Immigrants built this country, so we shouldn’t shut them out now!” The first clause is undoubtedly true, although it glosses over the devastation of indigenous populations and cultures, not to mention slavery, upon which America depended. Rhetoric always summarizes.

Anyway, the part I take issue with is “shouldn’t shut them out” — I agree with that, but I think we must be careful to interrogate the underlying decision. Are we deciding that America must have open borders — that the government is obliged to welcome and support any and all newcomers? If not, what limits do we want to put in place — are felons allowed? Convicted child molesters? Does it depend on the country of origin and the legal standards of the convicting country’s courts?

Personally, I want a government that is obliged to provide healthcare to everyone, housing to anyone who asks for it, education to anyone who wants it, and asylum to anyone who seeks it. (Yes, anyone. I’m not okay with the downsides of the other approach.) I want a government that runs its own prisons entirely with public money, and runs a lot fewer of them.

But I have no illusions that my ideal country is the natural or morally “right” system — it is a collection of decisions that none of us can make on our own. If we don’t talk about the decision-making process openly, how can we make the wisest choices?


Here’s an example of this worldview in action:

