Information security and privacy suffer from the same phenomenon we see in the fight against COVID-19: the “I’ve done my own research” syndrome. Many security and privacy practices are learned second or third hand, from old books or things we have seen on television, or they are the result of learning the wrong lessons from personal experience.
I call these things “cyber folk medicine.” And in recent years, I have found myself trying to undo these habits in friends, family, and random members of the public. Some cyber customs are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively undermining your privacy and security. However, some of these beliefs have become so widespread that they have actually become company policy.
I took this question to some friends on InfoSec Twitter: “What’s the dumbest security tip you’ve ever heard?” Many of the answers were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or had not even considered. And apparently some people (or companies … or even vendors!) have adopted these bad ideas. They are canon.
If I repeat myself from previous articles, it’s only because I keep hearing this bad advice. This article will not eradicate these practices; sadly, they are so ingrained in the culture that they will continue to be transmitted and practiced religiously until the technological weaknesses that allow them to exist have faded into ancient history. But together we can at least try to end the madness within our own circles of influence.
Myth: You will change your password every 30 days
Rotate passwords every 30 days
– MrR3b00t | hack the gibson (@UK_Daniel_Card) November 14, 2021
Passwords have been a part of computer security since the early 1960s, when Fernando Corbató added passwords for personal files to the MIT Compatible Time-Sharing System (CTSS). And almost immediately they became, as Corbató himself admitted, “a nightmare.” Since then, all sorts of bad advice (and bad corporate policies) have spread on how to use, manage, and change passwords.
In the past, the limits of technology were the main driving force behind password policy; for example, limits on the number and type of characters a system could store. The low security of short passwords led to policies that required passwords to be changed frequently. But modern operating systems and authentication systems have made the whole short-password, change-it-every-month dance obsolete, right?
Apparently not. Not only have these traditional rules for logging into work computers persisted, but they have also been carried over into consumer services on the web; some banking and e-commerce sites impose strict maximum lengths for passwords. And, probably due to poor software design and fears of cross-site scripting or SQL injection attacks, some services also limit the characters that can be used in passwords. I guess it’s just in case someone wants to use the password “password'); DROP TABLE users; --” or something. (A properly built login system never puts the password into a query or a page as a literal: it hashes the password and binds the hash as a parameter, so there is nothing to inject and no reason to ban characters.)
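To make that last point concrete, here is an added example (not code from the article) of a minimal user store that accepts the Bobby Tables password above, a 60-character passphrase with spaces, or anything else, with no character or length restrictions. The password never reaches SQL: it is hashed with PBKDF2-HMAC-SHA256 (the iteration count follows current OWASP guidance) and stored through a parameterized query. Table and column names, and the sample passwords, are constructed for the demonstration; only the Python standard library is used.

```python
import hashlib
import hmac
import secrets
import sqlite3

# OWASP's 2023 recommendation for PBKDF2-HMAC-SHA256.
ITERATIONS = 600_000

# Constructed sample inputs: the injection string from the text and a long passphrase.
BOBBY_TABLES = "password'); DROP TABLE users; --"
LONG_PASSPHRASE = "kettle ocean rapid velvet marble thirteen canyon orbit!"


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Derive a fixed-size hash from any Unicode password; no characters are special here."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


class UserStore:
    """In-memory SQLite store. Every query binds values as parameters, never as literals."""

    def __init__(self) -> None:
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, iters INTEGER, hash BLOB)"
        )

    def register(self, name: str, password: str) -> None:
        salt = secrets.token_bytes(16)  # per-user random salt
        self.db.execute(
            "INSERT INTO users (name, salt, iters, hash) VALUES (?, ?, ?, ?)",
            (name, salt, ITERATIONS, hash_password(password, salt)),
        )

    def verify(self, name: str, password: str) -> bool:
        row = self.db.execute(
            "SELECT salt, iters, hash FROM users WHERE name = ?", (name,)
        ).fetchone()
        if row is None:
            return False
        salt, iters, stored = row
        # Constant-time comparison so verification timing does not leak the hash.
        return hmac.compare_digest(hash_password(password, salt, iters), stored)

    def user_count(self) -> int:
        """Still works after registering the injection string: the table was never at risk."""
        return self.db.execute("SELECT COUNT(*) FROM users").fetchone()[0]


if __name__ == "__main__":
    store = UserStore()
    store.register("bobby", BOBBY_TABLES)
    store.register("alice", LONG_PASSPHRASE)
    print("bobby ok:", store.verify("bobby", BOBBY_TABLES))
    print("alice ok:", store.verify("alice", LONG_PASSPHRASE))
    print("users still present:", store.user_count())
```

The only place a length limit legitimately belongs is a generous upper bound (a few hundred characters) to stop someone from submitting megabytes of input to a deliberately slow hash; that is a denial-of-service guard, not a reason to cap passwords at 12 characters.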
“We limit our passwords to 12 characters so you don’t forget them”
– Graham Helton (@GrahamHelton3) November 14, 2021
Regardless of whether we are talking about a password or a PIN, policies that limit length or the allowed characters reduce complexity and weaken security. Long passwords made of ordinary words with spaces and punctuation are more memorable than arbitrary numbers or leetspeak variants of a word. Microsoft’s definition of a PIN is essentially a device-specific password that unlocks login credentials protected by the black magic of the Trusted Platform Module; the TPM rate-limits guesses, but the PIN itself is still the thing being guessed. A four-digit numeric PIN is weaker, not stronger, than one that uses letters and numbers if someone has stolen your computer and is hammering on it in their spare time.
Choose a password long and complex enough for a personal or work computer, and you should only have to change it if it has been shared with or stolen by someone else. Changing passwords every 30 days only makes them harder to remember and pushes people toward workarounds that produce weaker passwords, for example incrementing the number at the end:
- … you can see where this madness leads
Choose a complex but memorable password for your computer or phone login, as XKCD suggests (even though I don’t use the one from the comic; maybe I’ll generate one with Diceware!). Do not reuse it anywhere else. And don’t change it unless necessary.
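As an added example (not from the article) covering both the rotation problem above and the Diceware suggestion: the block below generates a Diceware-style passphrase with a cryptographic random source, computes the entropy a given length buys, and flags the “Summer2021! to Summer2022!” habit that a 30-day rotation policy encourages. The word list here is a small constructed stand-in; a real Diceware list has 6^5 = 7776 words, and that figure is what the entropy calculation uses.

```python
import math
import re
import secrets

# Constructed stand-in for a Diceware list. Real lists have 7776 words, so a passphrase
# drawn from this toy list is NOT strong; it only exercises the code.
WORDLIST = [
    "correct", "horse", "battery", "staple", "kettle", "ocean", "rapid", "velvet",
    "marble", "canyon", "orbit", "thistle", "granite", "lantern", "pepper", "willow",
]
DICEWARE_SIZE = 6 ** 5          # 7776 words on a standard Diceware list
PRINTABLE_ASCII = 94            # pool size for a "complex" character password


def entropy_bits(pool_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform choices from `pool_size` symbols."""
    return length * math.log2(pool_size)


def passphrase(n_words: int, wordlist=WORDLIST) -> str:
    """Pick words with `secrets`, never `random`, which is not suitable for credentials."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


_TAIL = re.compile(r"^(.*?)(\d+)(\W*)$")


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is just `old` with its trailing number bumped or a character appended.

    This is what forced monthly changes produce; a password-change handler that accepts
    such pairs has gained nothing from the rotation."""
    if new.lower().startswith(old.lower()) and len(new) - len(old) <= 2:
        return True  # "Password1" -> "Password12"
    m_old, m_new = _TAIL.match(old), _TAIL.match(new)
    if not (m_old and m_new):
        return False
    same_stem = m_old.group(1).lower() == m_new.group(1).lower()
    same_punct = m_old.group(3) == m_new.group(3)
    return same_stem and same_punct and m_old.group(2) != m_new.group(2)


if __name__ == "__main__":
    print("toy passphrase:", passphrase(5))
    print("5 Diceware words: %.1f bits" % entropy_bits(DICEWARE_SIZE, 5))
    print("8 random printable chars: %.1f bits" % entropy_bits(PRINTABLE_ASCII, 8))
    print("Summer2021! -> Summer2022! trivial?", is_trivial_rotation("Summer2021!", "Summer2022!"))
```

Five real Diceware words give about 64.6 bits, more than an 8-character fully random printable-ASCII password (about 52.4 bits), and the words are far easier to remember than eight random symbols. Note that the entropy figure assumes the words were chosen uniformly at random from the list; a phrase you thought up yourself does not get that number.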
Myth: Don’t write it down!
Many of us have seen the worst case in password management: passwords on Post-it notes stuck to cubicle monitors, waiting to be abused. This habit has led many would-be security mentors to yell, “Don’t write down your passwords!”
Except you probably should write some of them down, just not on a Post-it in your cubicle. Many two-factor authentication services actually encourage you to print and store recovery codes in case you lose access to your second-factor app or device, for example. And you can’t look up a device’s login password in a password manager that lives on that same device, can you?
“Don’t put your password in your wallet.” You will literally have to kick my ass to get it. Much stronger than the notepad.
– Patrick Kelley (@PKELLEY2600) November 14, 2021
Some people insist on writing passwords in a notebook (Hi Mom!). Don’t tell these people they are wrong, but do encourage them to reserve the notebook for passwords that cannot live in a password manager, or that may be needed to recover backups and services if a device is damaged or lost, for example an Apple ID password. You want these high-value passwords to be complex and memorable, but because they are used infrequently they are also easily forgotten. Go ahead and write them down. Then put the written passwords (and your 2FA recovery codes!) in a safe, non-public place that you can reach when things go wrong.
That said, one thing you should not do with passwords is keep them in a text file or any other unencrypted format. In a recent intrusion that I was reviewing, one of the first things the criminals managed to do was find a file called Password List.xlsx. You can imagine how things went from there. And apparently this happens on a regular basis in some companies:
My company is conducting a large internal security audit.
First step? They all put the IP addresses and root passwords of all their machines into Excel templates and upload them so IT can log in and check their patch level.
– The lack of it (@LackThere0f) November 5, 2021
Now, if these files were password-protected Office documents, there would at least be some hope: when you use “Encrypt with Password,” Office encrypts the file with AES and derives the key by running the password through tens of thousands of hash iterations (SHA-1 in Office 2007 and 2010; SHA-512 with 100,000 iterations in Office 2013 and later). That is a real key-derivation step, so the protection is as strong as the password you choose. (Sheet and workbook “protection” is a different feature: it only sets a flag in the file and is trivially removed, so it does not count.) In cases where you cannot keep passwords in a password manager but need to track them, an encrypted document with a strong password is an acceptable level of security for most situations.
Myth: 2FA scares me
SMS 2FA is not secure. It is better not to have 2FA at all.
– Jerry Aldrich (@jerryaldrichiii) November 14, 2021
I’m a big proponent of two-factor authentication (“2FA”) as a way to protect login credentials; it has saved me a few times from having my accounts hijacked after vendor breaches exposed my passwords. (There was also a time when I lost access to an email account because a domain registrar decided not to auto-renew my personal domain and instead sold it to a scam blog operator. I’ll let you guess which registrar did that to me.) But I often see people who decide not to use 2FA because they read somewhere that 2FA via text message is less secure, and they missed the other half of that advice, which is to use an authenticator app or another method instead where possible. So they reach the wrong conclusion: that no 2FA is more secure than 2FA with SMS.
Let me be clear: some 2FA is better than no 2FA. Against the usual brute-force and password-spraying attempts attackers make on common cloud services, any second factor will, in my rough estimate, stop about 90 percent of them outright, and the remainder will at worst lock you out of your own account temporarily (a denial of service you can recover from). You definitely want some form of 2FA on an Amazon account or anything linked to your purchase information, no matter what type of 2FA it is.
But having 2FA is no guarantee that someone won’t get what they want. Some phishing attacks now bypass two-factor authentication with a real-time relay (sometimes called a 2FA “pass-through” attack): the phishing site forwards your password to the real service as you type it, the real service sends you a genuine code or push prompt, and the phishing site relays whatever you enter or approve:
“You have to trust push-based 2FA because you know you just entered your password.”
“And how do I know that an attacker has not entered at the same time?”
“How would an attacker know your password?”
– Ankit Pati (knkitpati) November 14, 2021
If you receive an email with a link that takes you to a site asking for your credentials, and you then receive a 2FA prompt for that login, it does not follow that the link is legitimate or that you must enter the code or tap “approve.” The prompt may simply be the real service reacting to the attacker logging in with the password you just handed over. Look at that link, and at the address bar. Then call your security team, maybe. (My current employer’s security team sends us simulated 2FA phishes two or three times a month these days.)
So use 2FA. But pay attention to your login prompts, and don’t approve ones you didn’t initiate.
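The relay described above, as an added simulation that is not part of the original article, and that goes one step beyond the text to show which kind of second factor the relay cannot defeat: an authenticator app code (RFC 6238 TOTP, implemented here) is relayed successfully, because nothing in the code says where the victim typed it. A push approval relays the same way. An origin-bound authenticator (WebAuthn-style, simulated here with an HMAC in place of a real signature) fails, because the browser, not the web page, stamps the origin it is actually on into the signed data, and the real site refuses an assertion stamped with the lookalike domain. The origins, secrets, and service are all constructed for this example.

```python
import hashlib
import hmac
import secrets
import struct

REAL_ORIGIN = "https://login.example.com"    # hypothetical real site
PHISH_ORIGIN = "https://login-example.net"   # hypothetical lookalike the victim is on


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the six digits an authenticator app displays."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Authenticator:
    """Victim's origin-bound authenticator. The browser tells it the page origin; the
    page itself cannot override that. HMAC stands in for a public-key signature."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)  # stand-in for the credential private key

    def sign(self, challenge: str, browser_origin: str):
        client_data = f"{challenge}|{browser_origin}"
        sig = hmac.new(self.key, client_data.encode(), hashlib.sha256).digest()
        return client_data, sig


class Service:
    """The real site. Accepts password + TOTP, or password + origin-bound assertion."""

    def __init__(self, password: str, totp_secret: bytes, authenticator: Authenticator) -> None:
        self.password = password
        self.totp_secret = totp_secret
        self.auth_key = authenticator.key  # the registered credential (public key in WebAuthn)
        self.pending = set()

    def login_with_code(self, password: str, code: str, now: int) -> bool:
        return password == self.password and hmac.compare_digest(code, totp(self.totp_secret, now))

    def challenge(self) -> str:
        c = secrets.token_hex(16)
        self.pending.add(c)
        return c

    def login_with_assertion(self, password: str, client_data: str, sig: bytes) -> bool:
        challenge, origin = client_data.split("|", 1)
        if password != self.password or challenge not in self.pending:
            return False
        self.pending.discard(challenge)  # single use
        expected = hmac.new(self.auth_key, client_data.encode(), hashlib.sha256).digest()
        # The origin check is what defeats the relay: a relayed assertion says PHISH_ORIGIN.
        return origin == REAL_ORIGIN and hmac.compare_digest(sig, expected)


def relay_code_attack(service: Service, victim_password: str, victim_totp_secret: bytes, now: int) -> bool:
    """Victim types password and current code into the phishing page; attacker forwards both."""
    code_typed_on_phish_page = totp(victim_totp_secret, now)
    return service.login_with_code(victim_password, code_typed_on_phish_page, now)


def relay_assertion_attack(service: Service, victim_password: str, authenticator: Authenticator) -> bool:
    """Attacker fetches a real challenge, shows it on the phishing page, relays the answer."""
    challenge = service.challenge()
    client_data, sig = authenticator.sign(challenge, PHISH_ORIGIN)  # browser stamps the lookalike
    return service.login_with_assertion(victim_password, client_data, sig)


def legitimate_assertion_login(service: Service, victim_password: str, authenticator: Authenticator) -> bool:
    challenge = service.challenge()
    client_data, sig = authenticator.sign(challenge, REAL_ORIGIN)
    return service.login_with_assertion(victim_password, client_data, sig)


if __name__ == "__main__":
    secret = secrets.token_bytes(20)
    auth = Authenticator()
    svc = Service("hunter2", secret, auth)
    print("relayed TOTP accepted:", relay_code_attack(svc, "hunter2", secret, 1_700_000_000))
    print("relayed assertion accepted:", relay_assertion_attack(svc, "hunter2", auth))
    print("genuine assertion accepted:", legitimate_assertion_login(svc, "hunter2", auth))
```

The practical reading: when the only factor you have is a code or a push, the defense is the human check the paragraph above describes (does the address bar match, did I start this login). When the service offers a security key or platform passkey, take it; the relay in this simulation has no move against it.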