Keys and padlocks appear in red in this wax cloth print, against a gold background.

Make Your Passwords Stronger

I originally wrote this security advice piece for Tactical Tech’s Data Detox Kit; it’s adapted here with permission and thanks.

Do you find yourself reusing the same password for all or most of your online accounts? Because strong passwords can be so hard to memorize, you may tend to reuse the same one over and over. Or you might use simple passwords, which are weak.

And that’s how accounts get hacked. It’s not by code, or specialized hacking skills. Just easy-to-guess passwords.

When a so-called “hacker” tries to get into accounts, all they have to do is have a computer…

Black, red, and white ankara wax cloth print shows a lock and a key in ornate frames.

I originally wrote this security advice piece for Tactical Tech’s Data Detox Kit; it’s adapted here with permission and thanks.

Although it may seem like taking care of your digital life is something that only happens online — in your email, the cloud, or a cell phone tower someplace — protecting the devices you hold in your hands is just as important. What could someone learn about you if they had access to your phone or computer? What could they do with your files, contacts list, social media profile, or financial account? …

In 2016, I wrapped up a study of people’s conceptions of how email works, with the assistance of Renee Hobbs, Arne Renkema-Padmos, and Blue Ridge Labs. While I have previously spoken informally about the findings of this study, due to editorial logistics and time constraints I was unable to release this technical report until now.

The full report is now available here. A forthcoming summary will be published soon on the website of Simply Secure, which funded this research.

This article was originally published on the ThoughtWorks Insights blog.

When I talk to people about how to protect themselves against security problems, often the first feeling they express is guilt or shame. That’s what I heard from my friend Lindsay the other day when I exclaimed to my old high-school crew about Meltdown and Spectre.

Lindsay is a trained opera singer, a mom, and the wife of a pastor — about as refreshingly far as you can get from the daily grind of the tech industry. She thanked me for letting her know about the urgency of patching. “I’ve…

The release of the OWASP Top Ten digital security threats gives us a moment to consider: What can designers and other UX folks do to support security?

This article was originally published on

Human error is one of the toughest things to guard against when planning digital security. It’s the single biggest attack surface in digital systems. And yet, security and user-experience (UX) design are generally not considered in tandem — in fact, security and usability are sometimes seen as enemies. That needs to change.

The emergence of cross-functional development teams, in particular, demands that security and UX sit together. Neither design nor security should be an add-on or an afterthought to the development process.

The release of the 2017 Open Web Application Security Project (OWASP) Top 10

How do we know where FancyBear came from? (this logo, at least, “was derived from, a website created by “Fancy Bears’ hack team””, per Wikipedia. Used here for purposes of illustration.)

On the human-factors side of the infosec community, we are at the mercy of those more technical than we are. Those of us who are better at writing grants, improving interfaces, or training journalists and activists must work hard to understand the complicated technical strengths and weaknesses of the tools we fund, recommend, and make easier to use. We have to trust security analysts to explain how attacks work, and where they are coming from.

From the beginning of my time in this field, this has troubled me. What if members of the tiny, elite group of technologists we trust…

Robert Stribley’s interface mockup for GridSync.

Activity: “Lean”-style workshop to develop a more usable new interface for an open-source distributed file-sharing system.
Refine background materials thoroughly for short events. Talk about conflicting assumptions to make progress.

Working with open-source secure tools developers, I have had few opportunities to bring design and user needs to early stages of development. Many tools are already well-established. GridSync, a GUI for the Tahoe-LAFS file sharing system, presented a rare chance to bring user needs to the development process at an early stage.

With GridSync, I was eager to try out the collaborative design methods used in lean development. Collaborative…

Originally published on the OpenITP Secure User Practices blog, on November 3, 2014

The gathering and use of data on software users is currently a hotly contested public issue. Companies like Facebook and OkCupid have attracted a great deal of public criticism for not only gathering and selling users’ information, but also using it to manipulate users’ moods. Credit card companies and major retailers have not proved immune to massive attacks on users’ financial and personal data.

Free software to protect security, privacy, and anonymity has to a great extent been developed in response to concerns like these. Developers of…

Pixelated’s logo.

Activity: Usability testing on an encrypted webmail client.

Takeaway: In trying to balance the expectations of new users and experienced users of encrypted email, make information about what is being encrypted available when users look for it, with greater or lesser detail depending on the use case. An extra warning is in order when there is a risk users will accidentally send messages in the clear.

About these user tests

I conducted three user tests of Pixelated, an encrypted, browser-based email client, at the Chaos Communications Camp in August 2015, and three at the Internet Freedom Festival in March 2016. Participants were primarily European…

Activity: Usability testing on a mobile VPN for circumventing censorship.
Simple, well-translated language is critical to users’ first impressions of a tool.

Psiphon is a secure VPN which allows users to tunnel either their whole device or just the traffic in their browser. It is currently available for Android and for Windows and Linux desktops. Psiphon makes it possible for users in censored regimes to get their software by sending an email to, which auto-responds by sending copies of the software.

This report makes references to annotated screenshots of the Psiphon Android interface and a mockup of proposed changes to…

Gus Andrews

Security and usability researcher and designer. Past portfolio:
