Security may be compromised when humans make mistakes at the user interface. Cleartext is mistakenly sent to correspondents, sensitive files are left unprotected, and erroneously configured systems are left vulnerable to attackers. Such mistakes may be blamed on human error, but the regularity of human error suggests that mistakes may be preventable through better interface design. Certain user interface constructs drive users toward error, while others facilitate success. Two security-sensitive user interfaces were evaluated in a laboratory user study: the Windows XP file-permissions interface and an alternative interface, called Salmon, designed in accordance with an error-avoiding principle to counteract the misleading constructs in the XP interface. The alternative interface was found to be more dependable; it increased successful task completion by up to 300%, reduced commission of a class of errors by up to 94%, and provided a nearly 3x speed-up in task completion time. Moreover, users spent less time searching for information with the alternative interface, and a greater proportion of time on essential task steps. An explanatory theory in its early stages of development is presented.