Information security and privacy suffer from the same phenomenon that we see in the fight against COVID-19: “I did my own research” syndrome. Many security and privacy practices are learned second- or third-hand from ancient tomes or things we saw on television – or they are the result of false lessons drawn from personal experience.
I call these things “cyber folk medicine”. And for the past few years I’ve tried to reverse these habits among friends, family, and casual members of the public. Some cyber folkways are harmless or may even offer a small amount of random protection. Others give you a false sense of protection while weakening your privacy and security. However, some of these beliefs are so widespread that they have actually become company policy.
I asked some friends on InfoSec Twitter this question: “What’s the stupidest security advice you’ve ever heard?” Many of the answers were already on my extensive list of mythological countermeasures, but there were others that I had forgotten or hadn’t even considered. And apparently some people (or companies … or even vendors!) treat them as canon.
If I repeat myself from previous articles, it is only because I keep hearing this bad advice. Unfortunately, this article is not going to eradicate these practices – they are so embedded in culture that they are passed down and practiced religiously long after the technological weaknesses that gave rise to them have faded into ancient history. But together we can at least try to end the madness for those in our circles of influence.
Myth: You should change your password every 30 days
Rotate passwords every 30 days
– MrR3b00t | hack the Gibson (@UK_Daniel_Card) November 14, 2021
Passwords have been part of computer security since 1960, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time-Sharing System (CTSS). And almost immediately, as Corbató himself admitted, they became “a nightmare”. Since then, all kinds of bad advice (and bad company policies) about using, managing, and changing passwords have been spread.
In the past, technological restrictions were particularly important when defining password policies – for example, restrictions on the number and type of characters. The poor security of short passwords led to policies that required frequent password changes. But modern operating systems and security systems have made the whole dance between short passwords and frequent password changes obsolete, haven’t they?
Apparently not. Not only did these folkways continue to be used for logging in to work PCs, but they have also been incorporated into consumer services on the Internet – some banking and e-commerce sites have fixed maximum sizes for passwords. And – probably because of poor software design and fear of cross-site scripting or SQL injection attacks – some services also restrict the types of characters that can be used in passwords. I think this is just in case someone wants to use the password “Password'); DROP TABLE user; --” or so.
“We limit our passwords to 12 characters so you don’t forget them”
– Graham Helton (@GrahamHelton3) November 14, 2021
Regardless of whether it is a password or a PIN, guidelines that limit length or characters weaken complexity and security. Long passwords with characters like spaces and punctuation marks are more memorable than random numbers or leetspeak morphs. Microsoft’s definition of a PIN is essentially a hardware-specific password that controls device access and credentials based on the black magic of the Trusted Platform Module. A four-digit device-access PIN is no more secure than four letters and numbers if someone has stolen your computer and is quietly pounding on it.
Choose a sufficiently long and complex password for a personal or business computer and you should only need to change it if it has been shared with someone else or stolen. Changing passwords every 30 days only makes them harder to remember and can lead users to develop password-creation workarounds that result in weaker passwords – for example, by incrementing a number at the end:
- Pa55w0rd1
- Pa55w0rd2
- Pa55w0rd3
- … you can see where this madness is leading
So choose a complex but memorable password for your computer login or phone, as XKCD suggests (but don’t use the one in the comic – maybe generate one with dice!). Don’t use it anywhere else. And don’t change it unless you have to.
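A password-change check that catches the counter-bumping workaround described above, written for this article as an added example (it is not code from the original post); the leetspeak table and the one-edit threshold are assumptions of mine:

```python
import re

# Common leetspeak substitutions undone before comparing (assumed, illustrative table).
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def canonical(pw: str) -> str:
    """Reduce a password to the 'core' a user is likely reusing:
    drop any trailing counter or punctuation (Pa55w0rd1 -> Pa55w0rd),
    then lower-case it and undo leetspeak (Pa55w0rd -> password)."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.lower().translate(LEET)


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance, used to catch one-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_rotation(old: str, new: str, max_edits: int = 1) -> bool:
    """True when 'new' is just 'old' with a bumped counter, swapped leetspeak
    or a single-character change, i.e. the rotation workaround the article
    warns about.  All-digit/punctuation passwords have an empty core, so they
    fall back to a raw comparison instead of matching each other trivially."""
    a = canonical(old) or old.lower()
    b = canonical(new) or new.lower()
    return edit_distance(a, b) <= max_edits


if __name__ == "__main__":
    for old, new in [("Pa55w0rd1", "Pa55w0rd2"), ("Pa55w0rd3", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: trivial rotation = {is_trivial_rotation(old, new)}")
```

A rejected change should send the user toward a genuinely new passphrase rather than a fourth counter; the heuristic is deliberately simple and will not catch every reuse pattern.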
Myth: don’t write it down!
Many of us are familiar with the worst-case scenario in password management: passwords on Post-it notes stuck to monitors in the cubicle area, just waiting to be misused. This habit has led many would-be security mentors to scream, “Don’t write your passwords down!”
Except you probably should write them down – just not on a Post-it in your office. Many two-factor authentication services encourage printing and saving recovery codes in case, for example, you lose access to your second-factor app or device. And you can’t save device passwords in a password manager, can you?
“Don’t put your password in your wallet.” You’re literally going to have to kick my ass to get it. A hell of a lot stronger than Notepad.
– Patrick Kelley (@PKELLEY2600) November 14, 2021
Some people insist on writing passwords in a notebook (hello, mom!). Never tell these people that they are wrong, but do encourage them to do so only for passwords that cannot be stored in a password manager or are needed to restore backups and services if a device is damaged or lost – your Apple ID, for example. You want these important passwords to be complex and memorable, but because they’re rarely used they’re easy to forget. Go on, write them down. And then put the written passwords (and your 2FA recovery codes!) in a non-public, secure place that you can access if something goes wrong.
There is, however, something you shouldn’t be doing with passwords, and that is keeping them in a text file or some other unencrypted format. In a recent break-in incident that I was looking at, one of the first things the criminals did was find a file called Password List.xlsx. You can imagine how it went from there. And apparently this happens regularly at some companies:
My company is doing a large internal security audit.
First step? Everyone puts the IPs and root passwords of all your machines in Excel templates and uploads them for IT to log in and check your patch level.
– The lack of it (@LackThere0f) November 5, 2021
If these files were at least password-protected Office documents, there would be some hope – Office uses AES encryption and, in newer versions, runs the password through a serious number of SHA-1 rounds to derive the keys. In cases where you can’t store passwords in a password manager but need to keep track of them, this is an acceptable level of security in most cases.
Myth: 2FA is 2 scary 4 me
SMS 2FA is not secure. You’re better off not having 2FA at all.
– Jerry Aldrich (@jerryaldrichiii) November 14, 2021
Security questions count as 2FA
– (@0xluka) November 15, 2021
I’m a big believer in using two-factor authentication (“2FA”) to protect credentials. It saved me from being hacked a couple of times after vendor breaches exposed my passwords. (There was also the one time I lost access to an email account because a domain name provider decided not to auto-renew my personal domain and instead sold it to a fraudulent blog owner. I’ll leave you to guess which registrar did me dirty this way.) But I often see people who choose not to use 2FA because they’ve seen somewhere that 2FA via SMS is less secure, but they missed the other part about using an authentication app or another method if possible. And then they mistakenly concluded that not using 2FA is more secure than 2FA with SMS.
Let me be clear: any 2FA is better than no 2FA. And against the usual brute-force attacks that attackers run against common cloud services, any 2FA will render about 90 percent of these attempts completely unsuccessful (and the other 10 percent of the time only result in a potentially recoverable denial of service). You definitely want some form of 2FA on an Amazon account or anything tied to your purchase information, no matter what type of 2FA it is.
But having only 2FA isn’t a guarantee that someone won’t get what they want. Some phishing attacks now bypass two-factor authentication by using 2FA “pass-through” attacks:
“You should trust push-based 2FA because you know you’ve just entered your password.”
“And how do I know that an attacker didn’t intrude at the same time?”
“…”
“How should an attacker know your password?”
“🤦♂️”
– Ankit Pati (@nkitpati) November 14, 2021
If you received an email with a link that took you to a website requesting your login information, and you then received a 2FA notification to sign in, that doesn’t necessarily mean the link was legitimate and that you should enter the code or click the “approve” button. This could be an attempt to get you to simply help the attacker along. Take a close look at that link. Then maybe give your security team a call. (My current employer’s security team tries to phish me through 2FA two or three times a month these days.)
So use 2FA. But watch out for your login requests and don’t approve any strange requests.
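From the server side, a pass-through phish looks like a password accepted from an address the user has never used, followed seconds later by a push approval from the user’s own device. The correlation below is an added example for this article (not code from the original post or any product); the log format, the per-user address baseline and the sample lines are all constructed assumptions:

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system). Alice's password is
# accepted from an address she has never used, then her own phone approves the push.
SAMPLE_LOG = """\
2021-11-14T10:02:01Z user=alice event=password_ok src=192.0.2.50
2021-11-14T10:02:09Z user=alice event=push_approved src=198.51.100.9
2021-11-14T11:30:00Z user=bob event=password_ok src=203.0.113.7
2021-11-14T11:30:05Z user=bob event=push_approved src=203.0.113.7
2021-11-14T12:00:00Z user=alice event=password_ok src=198.51.100.9
2021-11-14T12:00:04Z user=alice event=push_approved src=198.51.100.9
"""

# Assumed per-user baseline of addresses seen before (in practice built from login history).
KNOWN_SRC = {"alice": {"198.51.100.9"}, "bob": {"203.0.113.7"}}

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$")


def parse(log: str) -> list:
    """Turn the assumed key=value log format into dicts with a datetime timestamp."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # lines that do not fit the assumed format are skipped
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def suspicious_approvals(events: list, known=KNOWN_SRC, window=timedelta(seconds=60)) -> list:
    """Return (user, password_src, approval_src) for each push approved within
    `window` of a password accepted from an address outside the user's baseline."""
    hits, pending = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "password_ok":
            pending[ev["user"]] = ev          # remember the latest password success per user
        elif ev["event"] == "push_approved":
            pw = pending.pop(ev["user"], None)
            if pw and ev["ts"] - pw["ts"] <= window and pw["src"] not in known.get(ev["user"], set()):
                hits.append((ev["user"], pw["src"], ev["src"]))
    return hits


if __name__ == "__main__":
    for user, pw_src, ok_src in suspicious_approvals(parse(SAMPLE_LOG)):
        print(f"{user}: password from unfamiliar {pw_src}, push approved from {ok_src}")
```

A hit is a triage signal for the security team, not proof: a user on a new network will trip it too, which is why the follow-up is a quick check with the user rather than an automatic lockout.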