That makes convincing the user that keeping a password secret is a good idea problematic. Users forget their passwords, and they want them to be handy when they do.
They want easy-to-remember passwords rather than ones that can be secured from brute-force attacks. So security policy -- which demands the user create a password with 15 characters, two letters, and one period -- may not go over well. One urban legend is that when users were required to change their passwords without using their previous 30 passwords, after 30 times they would just use their old password again.
Functionality trumps security, as it should, in most cases. Building security to accommodate functionality rather than being an inhibitor -- the enemy -- is the way to go.
Information security professionals are technical, but it is ever more obvious that the psychological element of security is just as important when trying to secure any environment involving people. Putting "people handling" into the security planning and design phases solves many future risks, but this is not yet common practice.
So what do you think? Should people be our top concern? How do we go about educating users on the risks they are taking, or try to limit the risks despite users' lack of "common sense" in this arena? Do you have examples in your organization where this either worked or failed? Send me a comment.
Follow Gadi Evron on Twitter: http://twitter.com/gadievron
Gadi Evron is an independent security strategist based in Israel. Special to Dark Reading.