If it’s not usable it’s not secure
What happens when you make an application so secure, it becomes unusable? Then ironically, your security measures have made your application less secure. If you make the lock on the front door almost impossible to open for the people living there, they might simply leave the window open to get in the house next time.
It’s the same with digital locks on digital “front doors”. If your password rules are so strict that passwords become impossible to remember, people will find another way of achieving their goal, one that doesn’t require entering the password. Like not using your “secure” application at all, but switching to a less secure alternative, effectively rendering your security useless.
This is what happened today when Dutch minister Hugo de Jonge admitted he used his private email account for work-related messages, something that a minister obviously shouldn’t be doing. Yet he had been using his iCloud email account because he didn’t always know the password to his official secure government email application: it expired all the time. Oh, and his private email app was easier to use on his iPad.
Even ministers responsible for protecting state secrets act just like normal people: they hate remembering passwords and love ease of use. I would like to thank Hugo de Jonge for giving us this excellent example of how security and usability are not opposites, but should go together. As Jared Spool always says: if it’s not usable, it’s not secure.