‘Security fatigue’: Computer users tired of too many passwords, warnings

If you’re the type who doesn’t jump up and down at the chance to change your password or install the latest security update whenever you’re prompted to, you’re not alone.

A new study released this week says “security fatigue” is common, and, unfortunately, it’s not safe.

The National Institute of Standards and Technology (NIST) has found that computer users are bombarded with so many security warnings that they tend to ignore them, or make poor decisions that put them at risk of cyber attacks.

“We weren’t even looking for fatigue in our interviews, but we got this overwhelming feeling of weariness throughout all of the data,” said computer scientist Mary Theofanos, one of the study’s authors.

The researchers interviewed U.S. computer users ages 20 to 60 who work in a variety of jobs and live in urban, suburban and rural areas.

Many of them expressed weariness about their computing chores.

“I never remember the PIN numbers, there are too many things for me to remember,” one said. “It is frustrating to have to remember this useless information.”

Others said they were tired of getting locked out of their accounts, or having to deal with extra security measures.

Also, a common thread among the study participants was that they wanted the companies, banks and other entities they deal with to take care of the security. And some of them wondered what individual computer users can do when even the biggest companies fall victim to cyber attacks.

NIST, whose study was featured in a publication aimed at IT professionals, offered three ways to combat security fatigue: limit the number of decisions users must make; make it simple to choose the correct security action; and design for consistent decision-making.



Photo illustration by Damian Dovarganes/AP



  • Jim Bray-Old school security

    Belgium is leading the way to solve the problem of having a different password for each website or application. LuxTrust was formed by the banks (25% ownership) and the government (75% ownership) and provides a digital certificate for each citizen so that they have one sign-in federated digital identity that here in the U.S. would be rated at NIST Level 4. My employer Tyfone will be providing LuxTrust with a NIST Level 4 security token called SideCard that is in the form of an EMV credit card that also has encrypted Bluetooth and Near Field Communication built in so that when a citizen needs to log in to a website they simply press a button on SideCard. This eliminates static passwords that can be hacked by utilizing tokens and provides the highest level of authentication.

    • Great insight there. There’s hope for millions of users the world over who can hardly recall two passwords.