usability – WindowsTechs.com

Is Security Human Factors Research Skewed Towards Western Ideas and Habits?

Posted on March 18, 2025 by Bruce Schneier

Really interesting research: “How WEIRD is Usable Privacy and Security Research?” by Ayako A. Hasegawa Daisuke Inoue, and Mitsuaki Akiyama:

Abstract: In human factor fields such as human-computer interaction (HCI) and psychology, researchers have been concerned that participants mostly come from WEIRD (Western, Educated, Industrialized, Rich, and Democratic) countries. This WEIRD skew may hinder understanding of diverse populations and their cultural differences. The usable privacy and security (UPS) field has inherited many research methodologies from research on human factor fields. We conducted a literature review to understand the extent to which participant samples in UPS papers were from WEIRD countries and the characteristics of the methodologies and research topics in each user study recruiting Western or non-Western participants. We found that the skew toward WEIRD countries in UPS is greater than that in HCI. Geographic and linguistic barriers in the study methods and recruitment methods may cause researchers to conduct user studies locally. In addition, many papers did not report participant demographics, which could hinder the replication of the reported studies, leading to low reproducibility. To improve geographic diversity, we provide the suggestions including facilitate replication studies, address geographic and linguistic issues of study/recruitment methods, and facilitate research on the topics for non-WEIRD populations…

Continue reading Is Security Human Factors Research Skewed Towards Western Ideas and Habits?→

Balancing security with usability when using nonce for CSRF protection

Posted on September 10, 2024 by Gili

How does one balance security and usability when using nonces on a website?
Imagine a website where the same nonce is embedded in the page, and stored in the browser session.
If I were to replace the nonce on every page load then:

The use… Continue reading Balancing security with usability when using nonce for CSRF protection→

On Passkey Usability

Posted on February 12, 2024 by Bruce Schneier

Matt Burgess tries to only use passkeys. The results are mixed.
Continue reading On Passkey Usability→

Why doesn’t file/folder encryption work the way I imagine it should? Can I have the UX I want? Tell me what’s wrong with this idea

Posted on December 28, 2023 by Stonecraft

I have been looking around at various encryption schemes, and I haven’t found anything exactly like what I want in terms of user experience.
If what I want isn’t a thing, I assume it’s been thought of, but other approaches won out. So can … Continue reading Why doesn’t file/folder encryption work the way I imagine it should? Can I have the UX I want? Tell me what’s wrong with this idea→

Why don’t applications suggest passwords themselves?

Posted on September 9, 2022 by prmph

Imagine a web app that, on the login page, has a password field which does not allow user input, but just displays a client-only generated password that is reasonably strong, with a button to re-generate the password.
In this approach, ins… Continue reading Why don’t applications suggest passwords themselves?→

Apple’s Lockdown Mode

Posted on July 26, 2022 by Bruce Schneier

I haven’t written about Apple’s Lockdown Mode yet, mostly because I haven’t delved into the details. This is how Apple describes it:

Lockdown Mode offers an extreme, optional level of security for the very few users who, because of who they are or what they do, may be personally targeted by some of the most sophisticated digital threats, such as those from NSO Group and other private companies developing state-sponsored mercenary spyware. Turning on Lockdown Mode in iOS 16, iPadOS 16, and macOS Ventura further hardens device defenses and strictly limits certain functionalities, sharply reducing the attack surface that potentially could be exploited by highly targeted mercenary spyware…

Continue reading Apple’s Lockdown Mode→

Hiding Vulnerabilities in Source Code

Posted on November 1, 2021 by Bruce Schneier

Really interesting research demonstrating how to hide vulnerabilities in source code by manipulating how Unicode text is displayed. It’s really clever, and not the sort of attack one would normally think about.

From Ross Anderson’s blog:

We have discovered ways of manipulating the encoding of source code files so that human viewers and compilers see different logic. One particularly pernicious method uses Unicode directionality override characters to display code as an anagram of its true logic. We’ve verified that this attack works against C, C++, C#, JavaScript, Java, Rust, Go, and Python, and suspect that it will work against most other modern languages…

Continue reading Hiding Vulnerabilities in Source Code→

Industrial Design Hack Chat

Posted on September 7, 2021 by Dan Maloney

Join us on Wednesday, September 8 at noon Pacific for the Industrial Design Hack Chat with Eric Strebel! At Hackaday, we celebrate all kinds of hardware hacks, and we try …read more Continue reading Industrial Design Hack Chat→

On Risk-Based Authentication

Posted on October 5, 2020 by Bruce Schneier

Interesting usability study: “More Than Just Good Passwords? A Study on Usability and Security Perceptions of Risk-based Authentication“:

Abstract: Risk-based Authentication (RBA) is an adaptive security measure to strengthen password-based authentication. RBA monitors additional features during login, and when observed feature values differ significantly from previously seen ones, users have to provide additional authentication factors such as a verification code. RBA has the potential to offer more usable authentication, but the usability and the security perceptions of RBA are not studied well…

Continue reading On Risk-Based Authentication→

Let user send an email to register to prevent outgoing mail abuse

Posted on September 18, 2020 by franklyn

Problem
Consider a standard sign-up form (user enters an email address, we send a confirmation link).
Even limiting that form per IP (or even globally per hour), I’m concerned about abuse:
Our real-world reputation would be harmed if someo… Continue reading Let user send an email to register to prevent outgoing mail abuse→