Ostrowick Consulting

Security vs Usability: A Delicate Trade-off

The interplay between security and usability is a central concern in system design, with numerous scholars observing that improvements in one often degrade the other. The core hypothesis under examination is that “the more secure a technology is, the less usable it becomes, and vice versa.” This trade-off is not merely anecdotal but rooted in theoretical and empirical findings in computer science and human-computer interaction.

Security mechanisms, by design, impose constraints to mitigate risk—password complexity requirements, two-factor authentication, encryption protocols, and access controls all function to protect systems but can introduce friction into user workflows. Norman (2002) argued that complex security procedures can hinder task completion and cause users to devise workarounds, which paradoxically reduces overall security. For instance, when password policies become too stringent, users may reuse passwords or write them down, thereby undermining their effectiveness (Florêncio & Herley, 2010).

This dilemma is exacerbated in environments that require rapid access or intuitive interfaces, such as healthcare or emergency response systems, where time is critical and complex security controls may cause delay or error (Koppel et al., 2005). Conversely, systems that prioritise usability, such as consumer apps, often sacrifice secure defaults—allowing weak passwords or offering auto-login features, for example—for the sake of convenience, exposing users to greater risk.

The trade-off is also reflected in psychological and behavioural models of user interaction. West (2008) noted that security behaviours are driven more by perceived effort than by actual threat level, suggesting that when security measures are too intrusive, they are likely to be bypassed or ignored altogether. As a result, usable security has emerged as a field aiming to find the balance—designing systems where security is embedded without overwhelming the user (Cranor & Garfinkel, 2005).

Nonetheless, while the tension is persistent, it is not unresolvable. The principle of “security by design” encourages integrating safeguards that are context-sensitive and adaptive. Multi-factor authentication via biometrics, for example, attempts to provide robust security while reducing cognitive load on users. Yet even these solutions may suffer from accessibility limitations or introduce new risks, such as biometric spoofing.

Two-factor authentication (2FA) offers increased security by requiring both a password and a secondary device—typically a mobile phone—for access. However, if a user loses access to their 2FA device, or to the phone number tied to it, they may be entirely locked out of their own account. This scenario can also pose a security risk: if an attacker gains control of the 2FA device, they may bypass protections and gain unauthorised access. This highlights a critical usability issue in 2FA systems. The author contends that the most reliable form of security remains the use of long, complex passwords—ideally exceeding current brute-force computational limits (Bonneau et al., 2012).

Based on recent cybersecurity research, here are the estimated times to brute-force crack passwords composed only of uppercase and lowercase letters and digits (alphanumeric only), using current consumer-grade hardware such as high-end GPUs:

Password length    Estimated time to crack
8 characters       1 hour
10 characters      3 weeks
12 characters      300 years
14 characters      16,000 years
18 characters      26 million years
20 characters      26 billion years

These figures reflect estimates as of 2024, assuming attackers are using powerful graphics cards like the NVIDIA RTX 4090, which can perform approximately 200 billion guesses per second depending on the hash type used. The estimates do not account for special characters, which would further increase complexity and time to crack.
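The estimates above follow from a simple calculation: the size of the keyspace (alphabet size raised to the password length) divided by the attacker's guess rate. The following Python script is an added example, not part of the original article, that carries that calculation through for the 62-symbol alphanumeric alphabet and the 200 billion guesses per second quoted above, and also answers the policy question a defender actually faces: how long must a password be to survive a given attack budget? The 200 billion/s figure applies to a fast, unsalted hash; the 100,000/s rate used for comparison is an assumed, illustrative value for a deliberately slow password hash such as bcrypt or Argon2, not a measured benchmark.

```python
import math

# Alphabet and rates. ALPHANUMERIC and FAST_HASH_RATE come from the article;
# SLOW_HASH_RATE is an ASSUMED illustrative value for a tuned bcrypt/Argon2
# deployment, chosen only to show the effect of a slow hash.
ALPHANUMERIC = 26 + 26 + 10          # [A-Za-z0-9]: 62 symbols
FAST_HASH_RATE = 200e9               # guesses/s for one RTX 4090 on a fast hash
SLOW_HASH_RATE = 1e5                 # assumed guesses/s against a slow password hash
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int = ALPHANUMERIC) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return alphabet_size ** length


def entropy_bits(length: int, alphabet_size: int = ALPHANUMERIC) -> float:
    """log2 of the keyspace; the usual unit for comparing password policies."""
    return length * math.log2(alphabet_size)


def worst_case_seconds(length: int, rate: float,
                       alphabet_size: int = ALPHANUMERIC) -> float:
    """Seconds to try every candidate. An attacker needs half of this on average."""
    return keyspace(length, alphabet_size) / rate


def humanize(seconds: float) -> tuple[float, str]:
    """Express a duration in the largest unit that fits, rounded to one decimal."""
    for name, size in (("years", SECONDS_PER_YEAR), ("days", 86400.0),
                       ("hours", 3600.0), ("minutes", 60.0)):
        if seconds >= size:
            return round(seconds / size, 1), name
    return round(seconds, 1), "seconds"


def min_length_for(target_years: float, rate: float,
                   alphabet_size: int = ALPHANUMERIC) -> int:
    """Smallest length whose full keyspace takes at least `target_years` to exhaust.

    This is the defender's view of the table: pick the attack budget you want to
    survive and derive the minimum length, instead of the other way round.
    """
    length = 1
    while worst_case_seconds(length, rate, alphabet_size) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def report(rate: float) -> list[tuple[int, float, float, str]]:
    """(length, bits, value, unit) rows for the lengths used in the article's table."""
    rows = []
    for length in (8, 10, 12, 14, 18, 20):
        value, unit = humanize(worst_case_seconds(length, rate))
        rows.append((length, round(entropy_bits(length), 1), value, unit))
    return rows


if __name__ == "__main__":
    for label, rate in (("fast hash, 2e11 guesses/s", FAST_HASH_RATE),
                        ("slow hash, 1e5 guesses/s (assumed)", SLOW_HASH_RATE)):
        print(f"\n{label}")
        for length, bits, value, unit in report(rate):
            print(f"  {length:2d} chars  {bits:5.1f} bits  {value:>14,.1f} {unit}")
        print(f"  minimum length to survive 100 years: {min_length_for(100, rate)}")
```

Run it and compare the two sections of output: at the fast-hash rate an alphanumeric password needs 12 characters before exhausting the keyspace takes longer than a century, whereas under the assumed slow-hash rate 9 characters already suffice. That gap is the usable-security lever the article is pointing at: choosing a slow, salted password hash on the server side buys several characters of password length without asking anything further of the user.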

In sum, the hypothesis that security and usability are inversely related is broadly supported by research. Designing systems that are both secure and user-friendly remains an ongoing challenge requiring interdisciplinary collaboration between security engineers, usability experts, and end-users.

References