Skip to main content

Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security


The security research community has recently recognised that user behaviour plays a part in many security failures, and it has become common to refer to users as the ‘weakest link in the security chain’. We argue that simply blaming users will not lead to more effective security systems. Security designers must identify the causes of undesirable user behaviour, and address these to design effective security systems. We present examples of how undesirable user behaviour with passwords can be caused by failure to recognise the characteristics of human memory, unattainable or conflicting task demands, and lack of support, training and motivation. We conclude that existing human/computer interaction knowledge and techniques can be used to prevent or address these problems, and outline a vision of a holistic design approach for usable and effective security.

This is a preview of subscription content, access via your institution.


  1. Schneier B: ‘Secrets and Lies’, John Wiley and Sons (2000).

  2. Poulsen K: ‘Mitnick to lawmakers: People, phones and weakest links’, (March 2000)-

  3. Reason J: ‘Human Error’, Cambridge University Press, Cambridge, UK (1990).

    Google Scholar 

  4. Adams A and Sasse M A: ‘Users are not the enemy’, Communications of the ACM, 42, No 12 (December 1999).

  5. Brostoff S and Sasse M A: ‘Are Passfaces more usable than passwords? A field trial investigation’, in McDonald S et al (Eds): ‘People and Computers XIV-Usability or Else’, Proceedings of HCI, Sunderland, UK, pp 405–424, Springer (September 2000).

  6. Rejman-Greene M: ‘Biometrics-real identities for a virtual world’, BT Technol J, 19, No 3, pp 115–121 (July 2001).

    Google Scholar 

  7. FIPS: ‘Password Usage’, Federal Information Processing Standards Publication (May 1985).

  8. Adams A, Sasse M A and Lunt P: ‘Making passwords secure and usable’, in Thimbleby H et al (Eds): ‘People and Computers XII’, Proceedings of HCI'97, Bristol, Springer (August 1997).

    Google Scholar 

  9. Nielsen J: ‘Security and Human Factors’, Alertbox (November 2000)-

  10. Haskett J A: ‘Pass-algorithms: a user validation scheme based on knowledge of secret algorithms’, Communications of the ACM, 27, No 8, pp 777–781 (1984).

    Google Scholar 

  11. Zviran M and Haga W J: ‘A comparison of password techniques for multilevel authentication mechanisms’, The Computer Journal, 36, No 3, pp 227–237 (1993).

    Google Scholar 

  12. Zviran M and Haga W J: ‘Cognitive passwords: the key to easy access control’, Computers and Security, 9, No 8, pp 723–736 (1990).

    Google Scholar 

  13. Ellison C, Hall C, Milbert R and Schneier B: ‘Protecting secret keys with personal entropy’,- pdf

  14. Spector Y and Ginzberg J: ‘Pass sentence-a new approach to computer code’, Computers and Security, 13, No 2, pp 145–160 (1994).

    Google Scholar 

  15. Passlogix® Inc- &loc=who

  16. Dhamija R, Perrig A and Deja V: ‘A User Study-Using Images for Authentication’, Proceedings of the 9th USENIX Security Symposium, Denver, Colorado (2000).

  17. PassfacesTM-

  18. Valentine T: ‘An evaluation of the PassfaceTM personal authentication system’, (Technical Report) Goldmsiths College, University of London (1998).

  19. Valentine T: ‘Memory for PassfacesTM after a long delay’, (Technical Report) Goldsmiths College, University of London (1999).

  20. Whitten A and Tygar J D: ‘Why Johnny can't encrypt: A usability evaluation of PGP 5.0’, Proceedings of the 8th USENIX security composium, Washington (August 1999).

  21. Beyer H and Holtzblatt K: ‘Contextual design’, Morgan Kauffmann (1997).

  22. Rogers R W: ‘A protection motivation theory of fear appeals and 22 change’, The Journal of Psychology, 91, pp 93–114 (1975).

    Google Scholar 

  23. Brostoff S and Sasse MA: ‘Safe and sound: a safety-critical design approach to security’, to be presented at the 10th ACM/SIGSAC New Security Paradigms Workshop, Cloudcroft, New Mexico (September 2001) (in press).

  24. Weirich D and Sasse M A: ‘Pretty good persuasion: a first step towards effective password security for the real world’, to be presented at the 10th ACM/SIGSAC New Security Paradigms Workshop, Cloudcroft, New Mexico (September 2001) (in press).

Download references


About this article

Cite this article

Sasse, M.A., Brostoff, S. & Weirich, D. Transforming the ‘Weakest Link’ — a Human/Computer Interaction Approach to Usable and Effective Security. BT Technology Journal 19, 122–131 (2001).

Download citation

  • Issue Date:

  • DOI:


  • Information System
  • Communication Network
  • User Interface
  • Research Community
  • Design Approach