My bank is feeling insecure
Posted on 8 May 2013, 8:49 a.m.
I'm starting with the man in the middle
Recently I got a call from my bank about a failed online transaction using my card. It failed because I decided not to fill in the 'Verified by Visa' form that came up at the end of my purchase.
So why did I not fill it in? In short, because I wasn't immediately convinced it was legitimate, and I was in too much of a rush to assure myself that it was, especially when compared to the importance of the purchase. That is, I didn't care enough about the thing I was trying to buy to take the time to make sure I wasn't being phished.
And there's the rub: no security is ever totally secure, and any security strategy should be as much about ensuring your users are adhering to good security practices as it is about implementing strict security processes. So when you 'train' users not to scrutinise security devices, you open your users to security attacks.
Users should (obviously) not be limited in the length of their passwords, or (in my opinion) even forced to use certain characters within them. Instead they should be encouraged to use longer passwords, and to use whatever variety (or lack thereof) they choose. Life should be made as easy as possible for the user, to avoid them