A good friend introduced me to the term ‘security theatre’ a few years ago and I’ve used it extensively ever since. Originally coined by Bruce Schneier[1], it’s a wonderfully elegant term that describes measures that, by design or accident, give the impression of improving security without actually improving security very much at all.

I was reminded of it today when I received a password from HMRC in the post. I had applied to use an online service and this was the activation code. It was 12 digits long: that’s enough for 4.74 quintillion permutations! That’s 47 trillion times more secure than the PINs on my bankcards. Would a six-digit password actually have been much less secure? Without my equally cumbersome ‘unique tax code’ it’s utterly useless, so why is it so long? Security theatre.

Too much security is a bad thing

It’s not always so trivial, and sometimes it’s easy to understand why organisations produce security theatre. The increased checks at airports in the aftermath of 9/11 were annoying and of questionable security value, but they did help rebuild confidence in air travel. Much as people moaned about them at the time, they would probably have been less likely to fly if the measures hadn’t been in place.

But security theatre is creeping into more and more facets of daily life. Only the other day I was registering for an online newsletter and was forced to create an eight-character password containing at least one number and one punctuation character; and then asked for my mother’s maiden name. That’s about the same level of security that my online banking service requires.

Too much security is a bad thing for three reasons:

  • It’s counter-productive: Obviously increasing the barriers to people doing their jobs will impact on productivity. It also increases the incentive for them to find ways around the rules: sharing passwords[2], leaving systems logged in, writing long passwords down, saving data locally, …
  • It puts customers off: Research shows that the more fields you put on a registration form, the fewer people complete it. Did we need research to prove that? Even with auto-complete, onerous login requirements are going to put off potential customers.
  • It reduces security: I didn’t use my mother’s real maiden name, but I bet plenty of people did. The more places that details like this are held, the more it dilutes their usefulness. If every newsletter starts demanding the name of my first school, then my bank is going to have to ask for more personal information and so an ‘arms race’ is likely to develop.

Get it right

When you are defining the security requirements for your site or online tool, don’t implement military-grade security on user accounts just because you can; it’s not big and it’s not clever. Focus your efforts where they will really make a difference.

For example, hacking into my newsletter account wouldn’t be worth the effort required, but getting into the server and hence thousands of accounts could be lucrative. So you should be asking questions like: How many people have access to the server? Is the data encrypted? Is the password changed when staff leave? If you are serious about protecting users’ privacy it’s the answers to questions like these that really matter.

1. Schneier, Bruce (2003) Beyond Fear: Thinking Sensibly about Security in an Uncertain World Copernicus Books, p38.

2. Have you tried bugmenot.com? It’s a great place to share dummy accounts to commonly used sites.

Posted by John on 6 September 2010