N. Aykin (Ed.): Usability and Internationalization, Part II, HCII 2007, LNCS 4560, pp. 476–485, 2007. © Springer-Verlag Berlin Heidelberg 2007

Security Design Based on Social and Cultural Practice: Sharing of Passwords

Supriya Singh 1, Anuja Cabraal 1, Catherine Demosthenous 2, Gunela Astbrink 3, and Michele Furlong 4

1 Smart Internet Technology Cooperative Research Centre/RMIT University, GPO Box 2476V, Melbourne 3001, Australia
{Supriya.singh,anuja.cabraal}@rmit.edu.au
2 Smart Internet Technology Cooperative Research Centre
3 Smart Internet Technology Cooperative Research Centre/GSA Information Consultants, GSA Information Consultants PO Box 1141, Toowong, QLD, 4066, Australia
g.astbrink@gsa.com.au
4 Smart Internet Technology Cooperative Research Centre/GSA Information Consultants, GSA Information Consultants, PO Box 1141, Toowong, QLD, 4066, Australia
mfurlong@iinet.net.au

Abstract. We draw on a qualitative study of 108 people to examine the routine sharing of passwords for online banking among married and de facto couples, Aboriginal users and people with disability in Australia. The sharing of passwords goes against current banking authentication systems and consumer protection laws that require customers not to reveal their access codes to anybody, including family members. The everyday violation of these security requirements results from the lack of fit between security design and social and cultural practice, rather than a lack of security awareness. We argue for the need to go beyond individualistic user-centered design, so that social and cross-cultural practices are at the centre of the design of technologies. The need for a social and culturally centered approach to design is even more important when dealing with different notions of privacy across cultures and a culture of shared use in public and private spaces.

Keywords: Banking; security; Australia; sharing passwords, social and cultural centered design, privacy across cultures.

1 Introduction

Banking security design assumes an individual keeps his or her access codes confidential while conducting Internet transactions using a personal computer. In this paper we argue that these assumptions are against common social and cultural practices. There are multiple situations where the individual shares access codes particularly with members of the family. Internet transactions are also not always conducted on a personal computer, whether at home or in the work place. Hence we