This paper argues that simply blaming users for security breaches will not lead to more effective security systems and that security designers must address the causes of undesirable user behaviour to design effective security systems. Focusing on passwords in particular, the paper’s authors conclude that addressing the causes of undesirable security behaviours shouldn’t be too difficult given the knowledge and techniques necessary to do so largely already exist.