March 23, 2026
Eight clicks before coffee
Study: 'Security Fatigue' May Weaken Digital Defenses
Workers cry “enough!” to nonstop logins—security lockdowns vs sanity
TLDR: A new study says constant security demands exhaust workers and make them ignore rules, weakening defenses. Commenters erupted with “we told you,” sharing tales of overkill logins and red tape, and pushing for simpler, almost invisible security that protects without punishing productivity.
A new University at Albany study says the quiet part out loud: constant pop‑ups, password rules, and trainings can burn people out and make them worse at security. The internet’s reaction? “Finally!” Commenters piled in with war stories and eye rolls, turning the thread into group therapy for the over‑authenticated.
One camp shouted that this has been obvious for years. User dijit pointed to NIST’s guidance dropping forced password resets because “people pay lip service” when security is too annoying. At big‑tech scale, compiler‑guy said the lockdowns are so intense that folks now request permissions before they even know they need them, just to beat the bureaucracy. Others, like gz5, pushed a solution: make security “as invisible as possible” — build it into the system so users barely notice.
The comedy highlight came from donatj, who claims logging into GitHub now takes “eight clicks and a solid minute,” thanks to 2FA (two‑step codes) and SSO (one account to sign into everything). Cue the meme: “eight clicks before coffee.” Meanwhile, ctxc shrugged: “Fairly obvious?” The study, published in the European Journal of Information Systems, lands as a vibe check: simplify, support, and stop treating everyday apps like Fort Knox — or watch tired employees tune out.
Key Points
- A study led by University at Albany identifies “security fatigue,” where repeated cybersecurity demands cause emotional exhaustion and disengagement.
- The research, published in the European Journal of Information Systems, surveyed nearly 300 full-time U.S. employees.
- Security fatigue is most likely when security requirements interfere with employees’ primary job duties.
- Higher security self-efficacy and better understanding of cybersecurity risks correlate with sustained compliance despite fatigue.
- Recommended mitigations include training, simplifying processes, integrating security into workflows, and providing technical support.