Balancing User experience UX (usability) versus security

When designing a security system for a website, one of the consideration is user experience versus security. For instance displaying the following different error messages often leaks information

  • file not found
  • folder not found
  • server error has occurred
  • username not found
  • email address not found

As someone enters different urls then information about your website structure is slowly leaked, for instance controller names, actions etc.

Displaying on screen errors and hints such as “username not found” or “email not found” also constantly leak small amounts of information about a registered users identities. This allows different information to be tested by a hacker until a registered identity is found. Adding a capcha or some other mechanism to slow the process is often a good idea.

That said if someone attempts to logon using a username or password and either are incorrect, displaying a generic error message such as “sorry login failed” -whether the username is recognised or not – is a good security pactice. However it is not informative and can lead to user frustration and confusion.

This is the balance between usability and security. On the one hand you do not want to frustrate your users on the other you do not want to leak information.

If the site is subject to a security check or a penetration test this may flag issues like above. Before starting development it is probably worthwhile discussing this with the penetration tester to agree what is appropriate. Or tell the penetration tester this has been thought about and this is what we are doing. Frustratingly different penetration reports will raise different issues with different levels of severity.

It is not cost effective to develop a website, then have a penetration test\security review that leads to having to rework large sections of the site at the last minute. Or going the other way and over securing the site at the cost of usability to make sure it passes the penetration test. Instead agree up front with whomever is testing the site what is appropriate and then do that.

The balance really depends on how confidential the data stored is versus your user profile. If your users are a small number of business users accessing a highly critical site that controls large amounts of payments you may take a different approach as supporting them is not a major issue. Perhaps as part of the contract you are being paid to perform the support anyway.

Alternatively if your site is aimed at a large number of pensioners, contains low value data and there are no or little ongoing support payments you may take a more informative and helpful approach.

As with all things one sizes rarely fits all, however try to work what you want to, agree it with whomever signs it off and then do the work carefully & correctly once.

Also if you don’t agree up front what is appropriate, you may end up having to change fundamental parts of security system the week before go live to pass a penetration test. In this situation the security solution will be rushed at the last minute which in itself is introducing a risk. Also the final solution may end up being incoherent and not fully thought through.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s