Information security and privacy suffer from the same phenomenon we see in the fight against COVID-19: the “I did my own research” syndrome. Many security and privacy practices are things learned second or third hand, based on old books or things we have seen on television, or they are the result of learning the wrong lessons from a personal experience.
I call these things “popular cyber medicine”. And over the past few years, I’ve found myself trying to break these habits in friends, family, and random members of the public. Some cyber practices are harmless or may even provide a little ancillary protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so prevalent that they have become company policy.
I asked this question of friends on InfoSec Twitter: “What’s the dumbest security tip you’ve ever heard?” Many of the answers were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies … or even salespeople!) have decided these bad ideas are canon.
If I repeat myself from previous articles, it’s only because I keep hearing this bad advice over and over. This article will unfortunately not eliminate these practices – they are so ingrained in culture that they will continue to be transmitted and practiced religiously until the technological weaknesses that allow them to exist have faded into antiquity. But together we can at least try to end the insanity within our circles of influence.
Myth: You must change your password every 30 days
Password rotation every 30 days
– MrR3b00t | hack the gibson (@UK_Daniel_Card) November 14, 2021
Passwords have been a part of computer security since 1960, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time Sharing System (CTSS). And almost immediately they became, as Corbató himself admitted, “a nightmare”. Since then, all kinds of bad advice (and bad company policies) have been spread on how to use, manage, and change passwords.
Technological limits have been the main thing in the past that dictated password policy – limits on the number and type of characters, for example. The weak security of short passwords led to policies requiring passwords to be changed frequently. But modern operating systems and security systems have made the whole dance of short, frequently changed passwords obsolete, right?
Apparently not. Not only have these traditional methods continued to be used for logging in to personal computers at work, they have also been incorporated into consumer services on the web. Some banking and e-commerce sites have strict maximum lengths for passwords. And, possibly due to poor software design and fear of cross-site scripting or SQL injection attacks, some services also limit the types of characters that can be used in passwords. I guess that’s just in case someone wants to use the password `password"); DROP TABLE users; --` or something.
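Restricting password characters is not what keeps a login form safe from injection; parameterized queries and salted hashing are. The following is an added example, not code from the article, showing the joke password above being stored and verified without incident (the `users` table layout, the PBKDF2 work factor and the in-memory SQLite database are all assumptions made for the demo):

```python
# Added example: store and verify a password containing SQL metacharacters
# using placeholders plus salted PBKDF2 hashing. The database never sees the
# password as SQL text, and only a hash is stored, so no characters need to be banned.
import hashlib
import hmac
import os
import sqlite3
from typing import Optional, Tuple

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value for the demo)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh random salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, key


def create_store() -> sqlite3.Connection:
    """In-memory users table standing in for a real database (constructed for the demo)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, key BLOB)")
    return conn


def register(conn: sqlite3.Connection, name: str, password: str) -> None:
    salt, key = hash_password(password)
    # The "?" placeholders keep the password out of the SQL grammar entirely.
    conn.execute("INSERT INTO users (name, salt, key) VALUES (?, ?, ?)", (name, salt, key))


def verify(conn: sqlite3.Connection, name: str, password: str) -> bool:
    row = conn.execute("SELECT salt, key FROM users WHERE name = ?", (name,)).fetchone()
    if row is None:
        return False
    _, candidate = hash_password(password, row[0])
    return hmac.compare_digest(candidate, row[1])  # constant-time comparison


def table_exists(conn: sqlite3.Connection, table: str) -> bool:
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (table,)
    ).fetchone()
    return row is not None


if __name__ == "__main__":
    db = create_store()
    joke = 'password"); DROP TABLE users; --'  # the password from the article
    register(db, "alice", joke)
    print(verify(db, "alice", joke), table_exists(db, "users"))  # True True
```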
“We limit our passwords to 12 characters so you don’t forget them”
– Graham Helton (@GrahamHelton3) November 14, 2021
Whether it’s a password or a PIN, policies that limit length or characters weaken complexity and security. Long passwords with characters such as spaces and punctuation marks are more memorable than arbitrary numbers or word morphs. Microsoft’s definition of a PIN is essentially a hardware-specific password that controls device access and login information based on the black magic of the Trusted Platform Module; a four-digit PIN for device access is no more secure than a letter-and-number-based one if someone has stolen your computer and can type at will.
Choose a password that is long and complex enough for a personal or work computer, and you should only need to change it if it has been shared with or stolen by someone else. Changing passwords every 30 days only makes passwords harder to remember and may lead people to develop bad workarounds for creating passwords that result in weaker ones, for example, by incrementing the numbers at the end:
… you can see where this madness is leading.
So choose a complex but memorable password for your computer or phone login, as XKCD suggests (but don’t use the one from the comic; generate one with Diceware!). Do not reuse it elsewhere. And don’t change it unless you have to.
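As an added illustration of the advice above (not code from the article or from the Diceware project), here is a Diceware-style generator using the CSPRNG, with the entropy arithmetic that shows why a 12-character cap is a ceiling while a passphrase is not. The eight-word list is a constructed stand-in; real Diceware lists hold 7776 words, one per roll of five dice.

```python
# Added example: Diceware-style passphrase generation and entropy accounting.
import math
import secrets
from typing import Sequence

# Constructed toy word list for the demo; a real list has 6**5 = 7776 entries.
DEMO_WORDLIST: Sequence[str] = (
    "correct", "horse", "battery", "staple", "cloud", "anvil", "river", "lemon",
)
DICEWARE_LIST_SIZE = 6 ** 5  # 7776 words, keyed by five dice


def passphrase_bits(list_size: int, words: int) -> float:
    """Entropy in bits of `words` independent uniform picks from `list_size` words."""
    return words * math.log2(list_size)


def charset_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password of `length` symbols over `charset_size`."""
    return length * math.log2(charset_size)


def roll_dice(n: int = 5) -> str:
    """Simulate n fair dice with the CSPRNG, giving a Diceware lookup key like '43152'."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def generate_passphrase(wordlist: Sequence[str], words: int = 6, sep: str = " ") -> str:
    """Pick words uniformly with secrets.choice, never with the random module."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    # Six real Diceware words (~77.5 bits) already match a random 12-character
    # password over 94 printable ASCII symbols (~78.7 bits), and can grow further.
    print(round(passphrase_bits(DICEWARE_LIST_SIZE, 6), 1))
    print(round(charset_bits(94, 12), 1))
    print(generate_passphrase(DEMO_WORDLIST))
```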
Myth: don’t write it down!
Many of us have seen the worst-case scenario in password management: passwords on sticky notes stuck to monitors in cubicles, just waiting to be abused. This habit has led many future security mentors to shout, “Don’t write down your passwords!”
Except you probably should write them down, just not on a sticky note in your cubicle. Many two-factor authentication services actually make it easy to print and save recovery codes in case you lose access to your second-factor app or device, for example. And you can’t save device passwords in a password manager, can you?
“Don’t put your password in your wallet.” You literally have to kick my ass to get it. Much louder than the notepad.
– Patrick Kelley (@PKELLEY2600) November 14, 2021
Some people insist on writing their passwords in a notebook (Hello, Mom!). Never tell these people they’re wrong, but do encourage them to do so only for passwords that cannot be stored in a password manager or that may be needed to recover backups and services if a device is damaged or lost, for example, an Apple ID. You want these high-value passwords to be complex and memorable, but they are rarely used, so they are more easily forgotten. Go ahead, write them down. And then put the written passwords (and your 2FA recovery codes!) in a non-public, secure place that you can reach when things go wrong.
There is something you shouldn’t do with passwords, however: keep them in a text file or other unencrypted format. In a recent intrusion incident that I was reviewing, one of the first things the criminals managed to do was find a file called Password List.xlsx. You can imagine how things turned out from there. And apparently this happens regularly in some companies:
My company does a large internal security audit.
First step? Everyone puts the IP addresses and root passwords of all your machines into Excel templates and downloads them so that IT can log in and check your patch level.
– The absence of it (@LackThere0f) November 5, 2021
Now, if these files were password-protected Office documents, there would be at least some hope, since Office uses AES encryption and, in newer versions, extensive iterated SHA-1 hashing of the password to derive the keys. In cases where you cannot store passwords in a password manager but need to keep track of them, this is an acceptable level of security in most cases.
Myth: 2FA is 2 scary 4 me
SMS 2FA is not secure. Better not to have 2FA at all.
– Jerry Aldrich (@jerryaldrichiii) November 14, 2021
I am a strong believer in two-factor authentication (“2FA”) as a way to protect login credentials; it has saved me a few times from having accounts hijacked after vendor breaches revealed my passwords. (There was also a time when I lost access to an email account because a domain registrar decided not to automatically renew my personal domain and instead sold it to a scam blog operator. I’ll let you guess which registrar messed me up this way.) But I often see people deciding not to use 2FA because they’ve seen somewhere that 2FA via SMS is less secure, without having seen the other half of that advice: use an authenticator app or another method instead where possible. And then they mistakenly conclude that no 2FA is more secure than SMS 2FA.
Let me be clear: any 2FA is better than no 2FA. And with the usual types of brute-force attempts attackers make against common cloud services, any 2FA will make about 90% of these attempts completely unsuccessful (and the remaining 10% will simply result in a potentially recoverable denial of service). You definitely want some form of 2FA on an Amazon account or anything related to your purchase information, regardless of the type of 2FA.
But just having 2FA isn’t a guarantee that someone won’t be able to get what they want. Some phishing attacks are now able to bypass two-factor authentication by using 2FA “passthrough” attacks:
“You have to trust push-based 2FA because you know you’ve just entered your password.”
“And how do I know that an attacker didn’t enter it at the same time?”
“How would an attacker know your password?”
– Ankit Pati (@nkitpati) November 14, 2021
If you receive an email with a link that takes you to a website asking for your credentials, and then you receive a 2FA alert for your login, that doesn’t necessarily mean the link was legitimate and that you must give the code or press the “approve” button. This could simply be an attempt to get you to let the attacker in. Look carefully at that link. Then call your security team, maybe. (My current employer’s security team tries to 2FA-phish me two or three times a month these days.)
So use 2FA. But be careful with your login requests and don’t approve unexpected ones.