Talking Usability: Don’t Trade Security for Usability on Your Smartphone

By David Dick | STC Fellow

The convenience of mobility and an infinite number of mobile applications has changed the way we use a smartphone. Consequently, we store a lot of personal information on a smartphone such as email addresses, passwords, travel information, driver’s licenses, personal identification numbers, boarding passes, credit card numbers, bank account numbers, telephone numbers, and photographs. Would you want someone to break into your smartphone and retrieve the data for nefarious use? Obviously not, but nevertheless, few of us take the same precautions to protect our smartphone that we do for our laptop or desktop because we do not want to complicate its use.

You probably have a password set on your laptop and run virus protection software. You might protect documents with a password, which isn’t foolish or impractical given how easy it is to break into a computer. Unfortunately, many of us do not want to enter a password every time we use our smartphone because it’s an inconvenience. Likewise, we do not want to re-enter a user ID and password every time we access a mobile application, so we allow applications to remember our user ID and password. In so doing, we trade security for usability by making it easier for someone to access our data if we lose our smartphone.

Smartphones are easily stolen. You could be waiting for a bus or taxi while reading email, or walking with your smartphone in your hand (which everyone does), and a thief grabs it and runs. Smartphones have a feature that locks the screen after several minutes of inactivity, requiring a password to unlock it. Unfortunately, most people turn off the feature because it makes the smartphone inconvenient to use.

We trade security for usability when we use public WiFi networks. Most WiFi networks cost nothing, such as those available at hotels, libraries, restaurants, and coffee shops. Other WiFi networks require a small fee to connect. A WiFi network offers the advantage of reducing the use of our smartphone’s data plan. But did you know that it’s possible for someone to run a network detection application from a smartphone and scan the users logged into the WiFi to view their activity? The solution is simple: use your data plan instead of a public WiFi network.

It’s easy to forget our smartphone on a bus, at a restaurant, bar, office, or coffee shop—it happens all the time. All smartphones have a feature that locks the device after three unsuccessful attempts to enter a password. However, if you do not require a password to access the smartphone, the feature won’t work.

The smartphone’s operating system and web applications receive periodic updates that fix bugs and security vulnerabilities. Many users skip the updates because they don’t realize that, by not updating, they leave the smartphone open to viruses, malware, and hacking. However, installing the fixes and security patches is as simple as tapping the “update” button.

We err in judgement when we trade security for usability, which I refer to as ‘convenience of use.’ When it comes to protecting mobile devices and the data they contain, there’s no compromise for security.

Talking Usability: There’s No Such Thing as a User-Friendly Password

By David Dick, Fellow

Passwords are required for all types of online activity to authenticate the user. One thing is certain: until technology provides a better solution to passwords, we must learn to create strong passwords and remember them in order to safeguard our personal data from hackers.

There are ways to circumvent the effort of remembering passwords, such as checking the box labeled “Remember Me.” “Remember Me” works well for mobile devices because the keys on the keyboard are often too small to enter a complex password. Just remember to set a security code so that, if the mobile phone is stolen, thieves cannot access the data. Come to think of it—many people do not use security codes for their mobile devices because it’s another number to remember.

Although there is an international standard for the definition of product usability (ISO 9241), there is no corresponding standard definition for password usability. In “Users are not the enemy,” Adams and Sasse identify three usability characteristics that users desire of passwords: easy to remember, usable across multiple systems, and rarely changed. You will learn why these desired characteristics do not contribute to creating and managing strong passwords.

If you have ever forgotten a password and created a new one, you have seen these four guidelines:

  1. Use at least eight characters; a combination of numbers and letters is best.
  2. Do not use the same password you have used with us previously.
  3. Do not use dictionary words, your name, e-mail address, mobile phone number or other personal information that can be easily obtained.
  4. Do not use the same password for multiple online accounts.

If you are like me, you ignored the guidelines and created an easy-to-remember password. But do you know why these guidelines are important and why you need to adhere to them?

Use at least eight characters; a combination of numbers and letters is best. Most password fields do not have a fixed eight-character length. Nevertheless, we create eight-character passwords because they are easier to remember. Unfortunately, an eight-character password is less secure than a password containing 16 or 24 alphanumeric characters with dashes and special characters. The password “love1234” is weak, but easy to remember. A password that uses letters from a phrase such as “I’ll see you at the STC Summit, May 2017” written as “ilL-cu-@-stc-SumiT-05/2017” is not only easy to remember but also a strong password.

Do not use the same password you have used with us previously. If the website was successfully hacked before, there is a strong probability that the hackers will try the same passwords to hack the website again. Thankfully, most websites prevent users from reusing a password when they request a new one. If you circumvented that check by adding a number at the end of the old password, the next guideline becomes important.

Do not use dictionary words, your name, e-mail address, mobile phone number or other personal information that can be easily obtained. One of the methods hackers use to gain access to users’ data is a “dictionary attack”, a technique for defeating a cipher or authentication mechanism by trying hundreds or sometimes millions of likely decryption keys or passphrases, such as the words in a dictionary. Ironically, many websites allow users to use names, e-mail addresses, mobile phone numbers, and other personal information as user names. If developers implement a method to measure the strength of a password, allow users to select a system-generated password, and define rules to check for dictionary words, e-mail addresses, or phone numbers, then the password is one step closer to being “hacker proof”.

Do not use the same password for multiple online accounts. We are likely to use the same password because we don’t want to burden ourselves with remembering too many passwords. Hackers attack multiple online accounts reusing user credentials (user name and password) in hopes of getting a match. If we use the same password for multiple online accounts, we help the hackers and put ourselves at risk of having our data stolen. Even worse, our account could be held for ransom until we pay a fee to release it.
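The four guidelines above can be enforced at registration time. The following is an added example written for this column, not code from the author or from any website: a small Python password-policy checker that tests a candidate against a (constructed, tiny) dictionary word list, the user’s own personal details, and a salted-hash history of previous passwords, and that also catches the “old password plus a number on the end” trick. It includes a system-generated password option as the text suggests. The word list, salt, user details and password history are all constructed sample values.

```python
import hashlib
import random
import re
import secrets
import string

# Constructed stand-in for a real dictionary word list (assumption: a real
# deployment would load a large word list and a breached-password list).
DICTIONARY = {"love", "password", "summit", "welcome", "secret", "monkey"}

def letters_only(pw: str) -> str:
    """Lower-case the password and drop digits/punctuation, so that padding
    such as "love1234" still exposes the dictionary word inside it."""
    return re.sub(r"[^a-z]", "", pw.lower())

def hash_password(pw: str, salt: str) -> str:
    """Salted digest, so previous passwords are stored as hashes, never plaintext."""
    return hashlib.sha256((salt + pw).encode()).hexdigest()

def check_password(pw, username, email, phone, previous_hashes, salt):
    """Return the list of guidelines the candidate password violates
    (an empty list means it passes all four)."""
    problems = []
    # Guideline 1: at least eight characters mixing letters and numbers.
    if len(pw) < 8 or not (re.search(r"[A-Za-z]", pw) and re.search(r"\d", pw)):
        problems.append("too short or no mix of letters and numbers")
    # Guideline 3: no dictionary words and no personal information.
    core = letters_only(pw)
    if any(len(w) >= 4 and w in core for w in DICTIONARY):
        problems.append("contains a dictionary word")
    personal = [username, email, email.split("@")[0], phone, re.sub(r"\D", "", phone)]
    if any(len(p) >= 3 and p.lower() in pw.lower() for p in personal):
        problems.append("contains personal information")
    # Guideline 2: no reuse. The "old password plus a number on the end" trick
    # is caught by also hashing the candidate with its trailing digits removed.
    candidates = {pw} | {pw[:i] for i in range(1, len(pw)) if pw[i:].isdigit()}
    if any(hash_password(c, salt) in previous_hashes for c in candidates):
        problems.append("reuses a previous password")
    return problems

def generate_password(length: int = 16) -> str:
    """System-generated password: one character of each class is guaranteed,
    the remainder is drawn at random from all classes, then shuffled."""
    pools = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "-_@/!#"]
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(chars))]
    random.SystemRandom().shuffle(chars)
    return "".join(chars)

if __name__ == "__main__":
    salt = "constructed-salt"                        # constructed value
    previous = {hash_password("Summit2017", salt)}   # constructed password history
    for cand in ["love1234", "Summit20171", "ilL-cu-@-stc-SumiT-05/2017"]:
        print(cand, "->", check_password(cand, "dd", "dick@example.com", "555-1234", previous, salt))
```

Running it shows “love1234” rejected for the dictionary word, “Summit20171” rejected as a reuse of “Summit2017” with a digit appended, and the phrase-derived password from the text passing every check.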

Online retailers make the registration process simple by allowing easy-to-remember passwords and security questions so as not to frustrate users; however, ease of recall comes at a risk. Strong passwords can slow, and often defeat, the various attack methods used to compromise a computer’s security. Until technology provides a better substitute for passwords, the need for strong passwords is not going away, and neither is the pursuit of user-friendly passwords. Maybe an amendment to ISO 9241 is necessary to create a standard definition for password usability.

Griffith, Eric. “Password Protection: How to Create Strong Passwords,” PC Magazine, November 29, 2011.

Adams, A., and M. A. Sasse. “Users are not the enemy,” Communications of the ACM, vol. 42, no. 12 (December 1999), pp. 40-46.

Talking Usability: Lessons Learned About PDF Accessibility

By David Dick | STC Fellow

Many of us hold this assumption to be true—we can convert text documents into Accessibility-compliant Portable Document Format (PDF) documents by saving them as PDF. Any desktop publishing tool can create PDF files using “Save as Adobe PDF”; however, the PDF files it creates are not always Accessibility-compliant for screen readers.

One of the tasks of my current job is to convert documents into Accessibility-compliant PDFs. A document is considered accessible if it can be read by people with disabilities. This includes access by people who are mobility impaired, blind, low vision, deaf, hard of hearing, or who have cognitive impairments. These users rely on screen readers to dictate the contents of the document to them, including images, tables, and graphics. The reason to convert a source file to a PDF is that PDF is universally compatible with screen readers, whereas a source file saved in its native format might not be.

The instructor teaching me how to create Accessibility-compliant PDFs said that he spends many hours correcting accessibility errors in PDF documents. Unfortunately, he had to correct the accessibility errors again whenever the source document changed. It was apparent to me that the seamless conversion of a source document to an Accessibility-compliant PDF document begins with an Accessibility-compliant source document.

The following are a few tips I learned to build accessibility into source documents.

  • Document Title. To a search engine, a PDF document is just another web page. Search engines read the “Title” document information field. If the field is empty, the search engine’s indexer tries to guess the document’s title by scanning the text on the first few pages. This usually doesn’t work, and produces incorrect and improperly formatted results. If the indexer finds text in the Title field, it will use it, regardless of whether that text is meaningful.
  • Headings. Never create headings by applying a bold font and a larger font size to ordinary text. Best practice is to apply Heading styles directly to titles. When converting the source document to PDF, Heading 1, 2, 3, etc., convert to heading tags, which create structure for screen readers.
  • Alternative text. Alternative text (Alt text) allows the content and function to be understood by screen readers, which is why Alt text is required for all images, graphs, diagrams, and tables.
  • Tables. For tabular data, use the correct table mark-up. Avoid using spaces, tabs and line breaks to emulate the table layout. Tables require headings, which are added by modifying the Table Properties. To a screen reader, a table without a table header is only an object with columns. For Word documents, select the Table Properties, select the Row tab, and check “Repeat as header at the top of each page.”
  • Hyperlink Text. Hyperlink text requires a description of the link destination instead of providing only the URL. Mask the URL with an appropriate alternate text so that screen reader users can easily determine its purpose. For example, “The STC Home Page provides links to member information” is more descriptive and informative than “click here”, “read more”, or “for more information see…”. Use the Screen Tip option to insert a description about the link.
  • Empty paragraphs (¶) used to create white space. Screen readers read each empty paragraph (¶) as empty space. To create white space between titles, bullets, and headings, modify the style’s paragraph spacing instead.

Use a professional PDF editing tool such as Adobe Acrobat Pro to test the document for accessibility and correct errors. I encourage you to test the PDF document with a screen reader to validate that the information flows in the proper order. Tags define the reading order and identify headings, paragraphs, sections, tables and other page elements. You might have to make minor manual corrections to the tags so that the information flows in the correct order.

When accessibility is incorporated into the source file, the PDF requires fewer corrections. If changes are only made in the PDF document and not to the source file, accessibility work will need to be done each time the source file is updated. When you create accessible documents for people with vision deficiencies, you make information usable for all.

Good resources to learn about PDF accessibility:

UC Berkeley Event, May 2008, PDF Accessibility and Usability Issues. In this presentation, Sean Keegan, a premier expert on document and Web accessibility, addresses usability and accessibility issues of PDFs, strategies for the creation of accessible electronic documents, and the appropriate use of software applications to ensure accessibility of Web documents.

European Blind Union. Making Information for All provides guidance on how to make electronic documents accessible for assistive technology.

Adobe Acrobat DC Repair describes the process for making PDF documents accessible.

Talking Usability: Technology is Changing, But Not At the Workplace

By David Dick, Fellow

We, as savvy consumers, must have the latest technology. We buy the newest smartphone because it has something that our current smartphone doesn’t have. We download the latest Web applications because we believe they will empower us. Our Internet connection is as fast as the provider can deliver because we have no patience to wait for anything. Most importantly, we make the time to learn because we want to become savvy users. Our workplace, however, is another story.

At the workplace, the PC that is more than five years old might be obsolete and slow, but it gets the job done so there’s no justification to replace it. The software that generates reports involves many manual tasks that are automated by a newer version of the software, but there’s no budget to purchase it. The corporate intranet is slow because servers cannot cope with the growing number of users, but there’s no budget to upgrade it. There is no time to learn how to use existing office tools smartly because there is too much work to do.

The cost of introducing new technologies to the workplace is not cheap because you are not buying something for one person to use—you are buying something for hundreds or thousands of people to use. For example, upgrading from Microsoft Office 2010 or 2013 to Office 2016 or Office 365 requires licenses for all users. Additionally, the upgrade might require upgrading PCs to a compatible version of Windows, which will require upgrading other office applications so that they are compatible with the newer version of Windows. Often, new office applications function faster and are less prone to system crashes when running on a new PC. Finally, the upgrade will likely necessitate training users on the new features and functions. You can easily see the impact that the introduction of one new technology has on the organization and all users.

Attending the annual STC Summit is a wonderful opportunity to speak with vendors about their newest tools and technologies for the workplace. It’s easy to become excited to learn how these tools and technologies will improve the user experience. Unfortunately, not everyone works for a company whose technology is always improving. So for those of you who are not working at tomorrow’s workplace today, make good use of what you have and provide the best user experience you can.

Talking Usability: My Father’s Typewriter

My father typed all his correspondence on a manual (non-electric) typewriter. The ink on the typewriter ribbon was so worn out that the text on the paper was barely legible. Office supply stores stopped selling manual typewriter ribbon because electric typewriters were replacing manual typewriters. My father refused to buy an electric typewriter because he was satisfied with his manual.

When the company my father was working for replaced its typewriters with personal computers (PC), my father was concerned about what would happen if the computers broke down. “Nonsense,” his manager said. “Computers don’t break down.” Of course, those computers did break down and management didn’t have a backup plan on how to continue working.

You and I know that PCs can break down because the circuitry on the motherboard stops working. Sometimes it’s cheaper to buy a new PC than to replace the motherboard. That’s why most PCs have a lifespan of three to five years—when the warranty expires, so does the PC. Nevertheless, many companies are reluctant to replace PCs on a regular basis because they are a costly investment. Then again, so is sitting idle while the technicians at IT support try to determine what’s wrong with our PCs. If IT support has a replacement PC, then we are back to work the same day. If not, we wait patiently for management to approve the purchase of a new PC.

The lesson I learned from my father’s typewriter is that if we are to be dependent on technology for our livelihood, then we must keep pace with innovation. That means if we connect PCs to networks, then we must upgrade those networks before they reach capacity. If we rely on software applications to run our business, then we must ensure that we are running the latest software updates and security patches. As the saying goes, “Failure is not an option.”

One day, I found my father’s typewriter in a closet. The ribbon was well worn, but still capable of creating a letter. His typewriter reminded me of a time when a manual typewriter was modern technology.