Keep it Simple

While it is tempting to build elaborate and complex security controls, the reality is that if a security system is too complex for its user base, it will either not be used or users will find ways to bypass it. Often the most effective security is the simplest security (a restatement of the classic economy of mechanism principle). Do not, for instance, expect users to remember twelve passwords and have the system prompt for one of them at random.

This applies equally to the tasks an administrator must perform in order to secure an application. Do not expect an administrator to correctly set a thousand individual security settings, or to search through dozens of layers of dialog boxes to understand the existing security configuration. A control that is too laborious to configure will be left at its default, and a default that is not secure is then the effective policy.

The same message applies to the security-layer APIs that application developers must use to build the system. If the steps required to properly secure a function or module are too complex, the odds that those steps will be skipped or followed incorrectly increase greatly. A security API should make the correct usage the easiest one, with safe defaults baked in rather than delegated to every caller.
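The point about security-layer APIs is easiest to see side by side. The following is an added example, not code from the original page or from OWASP: a password-storage API that exposes every parameter to the caller, beside a simpler API that exposes none. The function names (`derive_raw`, `rushed_store`, `hash_password`, `verify_password`) are hypothetical, the iteration count is an assumption to be tuned to your hardware, and only the Python standard library is used.

```python
# Added example, not code from the original page. Names are hypothetical;
# only the Python standard library is used.
import hashlib
import hmac
import secrets

# ---------------------------------------------------------------------------
# 1. A "complete but complex" API: every security decision is the caller's job.
# ---------------------------------------------------------------------------
def derive_raw(password: str, salt: bytes, iterations: int, hash_name: str) -> bytes:
    """PBKDF2 with all four parameters exposed. Nothing here stops a caller
    from passing an empty or constant salt, iterations=1, or a weak hash."""
    return hashlib.pbkdf2_hmac(hash_name, password.encode("utf-8"), salt, iterations)


def rushed_store(password: str) -> bytes:
    """How the raw API tends to get called under deadline pressure: a fixed
    salt and a single iteration, because the parameters 'have to be something'.
    Two users with the same password now share the same stored value."""
    return derive_raw(password, b"salt", 1, "sha256")


def rushed_verify(password: str, stored: bytes) -> bool:
    # `==` on secrets is the classic slip: it stops at the first differing
    # byte and so leaks timing information. Shown here as the mistake.
    return rushed_store(password) == stored


# ---------------------------------------------------------------------------
# 2. The simple API: one call to store, one call to verify, no knobs.
# ---------------------------------------------------------------------------
SCHEME = "pbkdf2_sha256"
# Assumption: 600,000 is used as a sane PBKDF2-HMAC-SHA256 work factor for
# current hardware; it is recorded in every stored value, so it can be raised
# later without breaking verification of older records.
ITERATIONS = 600_000
SALT_LEN = 16


def hash_password(password: str) -> str:
    """Returns a self-describing record: scheme$iterations$salt$digest.
    The salt is fresh and random on every call; the caller chooses nothing."""
    salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derives from the parameters embedded in the record and compares in
    constant time. Malformed or foreign records verify as False, never raise."""
    try:
        scheme, iterations_text, salt_hex, digest_hex = stored.split("$")
        if scheme != SCHEME:
            return False
        iterations = int(iterations_text)
        if iterations < 1:
            return False
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    # Constructed sample input: two accounts that happen to share a password.
    shared = "correct horse battery staple"
    print("raw API, rushed call -> identical records:",
          rushed_store(shared) == rushed_store(shared))
    p, q = hash_password(shared), hash_password(shared)
    print("simple API -> distinct records for the same password:", p != q)
    print("simple API verifies the right password:", verify_password(shared, p))
    print("simple API rejects the wrong password:", verify_password("wrong", p))
    print("simple API rejects a garbage record:", verify_password(shared, "not-a-record"))
```

The contrast is the whole lesson: `derive_raw` is not wrong, but it gives a developer four places to be wrong and a deadline, whereas `hash_password` and `verify_password` leave nothing to decide, so the correct call is also the only call. The work factor living inside the stored record is what keeps the simple API simple over time: raising `ITERATIONS` changes new records only, and old ones still verify.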