Security vs. usability

January 21st, 2004 § 2 comments

One of the systems I use regularly has a simple mechanism to prevent brute force attacks against the authentication interface. The system allows three attempts at authentication and, in case they fail, blocks the specific login used from trying to authenticate again for some reasonable length of time after the third attempt. Once that blocking period has expired, the user can try again. A new failure will result in another blocking period, which grows with each further attempt. At some point, when the number of failures reaches a certain threshold, the login is completely barred from accessing the system until an administrator clears him or her. That’s a simple and effective way to block some kind of attacks, although somebody determined enough might be able circumvent it somehow.

A few days ago, while trying to access the system, I reached the first three attempts limit. After waiting for some minutes, I tried again and was blocked once more. I was surprised because I was sure I was providing the correct password. It was then that I realized that I was giving the incorrect username: it was missing one of its characters.

The point here, which I’m certain you can see, is that I was blocking another user from accessing the system because of my mistake. As this system has a large number of users, the probability of similar usernames occurring is very high, especially because the username is limited to a just few characters. Luckily, the users of this specific system are not likely to access it more than a few times each week and my mistake almost certainly didn’t cause any problem to the other user. However, imagine a system where users are constantly logging in and out. In such a system, such mistakes could lead to large amounts of users being inconvenienced. And in systems where such access is crucial to business, things like that could become a serious problem.

Moral of the story: a system must implement all possible security measures that can be implemented on it, but those security measures must also be balanced with regards to their usability or users will suffer as a result.

§ 2 Responses to Security vs. usability"

  • I actually see this feature as a security problem rather than a usability problem, as it introduces the ability for malicious parties to “deny service” to other users provided they know their user name. Enter the username and an incorrect password a few dozen times and you’ve locked your victim out of the system.

  • Ronaldo says:

    You’re quite right. I hadn’t thought about it from this point of view. I guess that goes to prove that security is even harder to do right than it appears. Preventing the attack while still allowing valid users access to the system seems a tough problem.

What's this?

You are currently reading Security vs. usability at Reflective Surface.