Information security and privacy suffer from the same phenomenon we see in fighting COVID-19: “I’ve done my own research” syndrome. Many security and privacy practices are things learned second- or third-hand, based on ancient tomes or stuff we’ve seen on TV—or they are the result of learning the wrong lessons from a personal experience.
I call these things “cyber folk medicine.” And over the past few years, I’ve found myself trying to undo these habits in friends, family, and random members of the public. Some cyber folkways are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so widespread that they’ve actually become company policy.
I brought this question to some friends on InfoSec Twitter: “What’s the dumbest security advice you’ve ever heard?” Many of the replies were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies… or even vendors!) have decided these bad ideas are canon.
If I’m repeating myself from previous articles, it’s only because I keep hearing these bad pieces of advice. This article won’t eradicate these practices, sadly—they’re so embedded in culture that they will continue to be passed down and practiced religiously until the technological weaknesses that allow them to exist have faded into antiquity. But together we can at least try to end the madness for those in our circles of influence.
Myth: Thou shalt change thy password every 30 days
Rotate passwords every 30 days
— MrR3b00t | hacking the gibson (@UK_Daniel_Card) November 14, 2021
Passwords have been part of computer security since the early 1960s, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time-Sharing System (CTSS). And almost immediately they became, as Corbató himself later admitted, “a nightmare.” Since then, all sorts of bad advice (and bad corporate policy) have been disseminated about how to use, manage, and change passwords.
Technology limits have in the past been the main thing dictating password policy, such as limits on the number and type of characters. Because a short password could be brute-forced in a predictable amount of time, policies compensated by requiring frequent changes, so that a cracked password would expire before it could be used. But modern operating systems and security systems have made the whole short-password-versus-frequent-change dance obsolete, right?
Apparently not. Not only do these folkways persist in workplace login policies, they have been built into consumer services on the web: some banking and e-commerce sites enforce a hard maximum password length. And, likely because of poor software design and a fear of cross-site scripting or SQL injection attacks, some services also restrict which characters a password may contain. I guess that’s just in case someone wants to use the password “password'); DROP TABLE users;--” or something. A service that runs the password through a hash function and passes it to the database as a query parameter has nothing to fear from any character at any length; a character blocklist on a password field suggests the site is doing something else with the raw value.
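As an added illustration of why such limits are unnecessary (this is example code written for this piece, not code from any of the sites discussed): a service that runs the password through a key-derivation function and stores the result with a parameterized query can accept the joke password above, spaces, quotes and 200-character passphrases alike. The function names, table layout and test passwords are all constructed for the example, and the PBKDF2 iteration count is kept low so the demo runs quickly; it is not a production recommendation.

```python
import hashlib
import hmac
import os
import sqlite3

# Low for demo speed only; production code should use a much higher count,
# or scrypt/Argon2 where available.
PBKDF2_ITERATIONS = 100_000

# Constructed test passwords: the article's joke injection string, a long
# passphrase with spaces, quotes and punctuation, and a 200-character one.
AWKWARD_PASSWORDS = [
    "password'); DROP TABLE users;--",
    "not the xkcd one: my own phrase, with spaces & \"quotes\" and a ; too!",
    "x" * 200,
]


def hash_password(password: str, salt=None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: pbkdf2_sha256$iterations$salt_hex$digest_hex.

    Any Unicode string works: it is UTF-8 encoded and fed to the KDF as bytes,
    so length and character-class limits on the input buy nothing."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    return conn


def create_user(conn: sqlite3.Connection, username: str, password: str) -> None:
    # Parameterized query: the driver sends the value separately from the SQL
    # text, so quotes, semicolons and comment markers in the password are data.
    conn.execute(
        "INSERT INTO users (username, password_hash) VALUES (?, ?)",
        (username, hash_password(password)),
    )


def authenticate(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute(
        "SELECT password_hash FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        hash_password(password)  # burn a KDF round so unknown users are not faster to probe
        return False
    return verify_password(password, row[0])


def demo() -> dict:
    """Store every awkward password, then confirm the table survived and logins behave."""
    conn = open_db()
    for i, pw in enumerate(AWKWARD_PASSWORDS):
        create_user(conn, f"user{i}", pw)
    table_intact = conn.execute(
        "SELECT name FROM sqlite_master WHERE type='table' AND name='users'"
    ).fetchone() is not None
    return {
        "table_intact": table_intact,
        "user_count": conn.execute("SELECT COUNT(*) FROM users").fetchone()[0],
        "correct_accepted": [authenticate(conn, f"user{i}", pw) for i, pw in enumerate(AWKWARD_PASSWORDS)],
        "wrong_rejected": [not authenticate(conn, f"user{i}", pw + "x") for i, pw in enumerate(AWKWARD_PASSWORDS)],
    }


if __name__ == "__main__":
    print(demo())
```

The point of the in-memory SQLite database is only to show that the `DROP TABLE` payload never reaches the SQL parser: the `users` table is still there afterwards, and the only thing the service ever stores or compares is a fixed-size digest.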
Regardless of whether we’re talking about a password or a PIN, policies that limit length or characters weaken complexity and security. Long passwords built from words, spaces, and punctuation marks are more memorable than arbitrary numbers or leetspeak morphs of words. Microsoft’s Windows Hello PIN is, essentially, a device-bound password: it never leaves the machine and it unlocks login credentials protected by the Trusted Platform Module. The TPM’s anti-hammering lockout slows down guessing, but a four-digit PIN still has only 10,000 possible values, so a PIN made of digits alone is not more secure than one made of letters and numbers if someone has stolen your computer and can bang away on it at their leisure. Windows lets you include letters and symbols in the PIN; do that.
Pick a sufficiently long and complex password for a personal or work computer, and you should only have to change it if it’s been shared with or stolen by someone else. That is also what NIST’s current digital identity guidelines (SP 800-63B) say: don’t require periodic changes, but do require a change when there is evidence of compromise. Changing passwords every 30 days only makes them harder to remember and pushes people into password-creation workarounds that result in weaker passwords, such as incrementing a number at the end:
- Pa55w0rd1
- Pa55w0rd2
- Pa55w0rd3
- …you can see where this madness leads
So pick one complex but memorable password for your computer login or your phone, like XKCD suggests (though don’t use the one in the comic—maybe generate one with Diceware!). Don’t reuse it anywhere else. And don’t change it unless you have to.
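To make the two pieces of advice above concrete, here is an added example (written for this piece, not code from the article, XKCD, or the Diceware project) that draws a passphrase with Python’s CSPRNG the way Diceware draws words with dice, computes the entropy an attacker faces when they know the method, and flags the Pa55w0rd1-to-Pa55w0rd2 rotation workaround. The word list is a constructed 36-word stand-in for the real 7,776-word list, so passphrases drawn from it are far too weak to use, and the function names are the example’s own.

```python
import math
import re
import secrets

# Constructed stand-in for a Diceware word list. Real lists (Diceware, EFF) hold
# 7,776 = 6**5 words, one per roll of five dice. This toy list only demonstrates
# the mechanism; passphrases drawn from it are far too weak for real use.
TOY_WORDLIST = [
    "anvil", "basil", "cobra", "dune", "ember", "fjord", "gecko", "hazel",
    "ivory", "jumbo", "kayak", "lemon", "mango", "nomad", "oasis", "pixel",
    "quilt", "raven", "sable", "tulip", "umber", "vivid", "waltz", "xenon",
    "yacht", "zebra", "acorn", "bison", "cider", "delta", "eagle", "flint",
    "gourd", "heron", "igloo", "jewel",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def passphrase(n_words: int, wordlist=TOY_WORDLIST, sep: str = " ") -> str:
    """Draw n_words uniformly at random, as Diceware does with dice.

    `secrets` is backed by the OS CSPRNG; the `random` module is a seeded
    Mersenne Twister and must never be used to generate secrets."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of an n-word passphrase when the attacker knows list and method."""
    return n_words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest word count that reaches target_bits against a known list."""
    return math.ceil(target_bits / math.log2(list_size))


_TRAILING_DIGITS = re.compile(r"\d+$")


def is_increment_workaround(old: str, new: str) -> bool:
    """True when `new` is `old` with only its trailing digits changed.

    That is the Pa55w0rd1 -> Pa55w0rd2 pattern a 30-day rotation policy breeds.
    Case is ignored so Pa55w0rd1 -> pa55w0rd2 is caught too; all-digit values
    (PINs) are skipped because the stem would be empty."""
    old_stem = _TRAILING_DIGITS.sub("", old)
    new_stem = _TRAILING_DIGITS.sub("", new)
    if old == new or not old_stem or not new_stem:
        return False
    return old_stem.casefold() == new_stem.casefold()


def workaround_entropy_bits(new: str) -> float:
    """Bits an attacker who already knows the stem must still guess: log2(10) per digit."""
    match = _TRAILING_DIGITS.search(new)
    return len(match.group(0)) * math.log2(10) if match else 0.0


if __name__ == "__main__":
    print(passphrase(6))
    print(f"6 real Diceware words: {entropy_bits(6):.1f} bits")
    print(f"Pa55w0rd1 -> Pa55w0rd2: {workaround_entropy_bits('Pa55w0rd2'):.1f} bits")
```

The contrast is the whole argument: six words from a real Diceware list give an attacker who knows exactly how you chose them about 77 bits to search, while a “new” password that only bumps the final digit gives an attacker who learned the old one a little over 3 bits, that is, ten guesses. A password-change form that rejects pairs `is_increment_workaround` flags is the one policy check worth keeping from the rotation era.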
Myth: Don’t write it down!
Many of us have seen the worst-case scenario in password management: passwords on Post-it notes stuck to monitors in cubicle-land, just waiting to be abused. This habit has led many a would-be security mentor to cry out, “Don’t write down your passwords!”
Except you probably should write them down, just not on a Post-it in your cubicle. Many two-factor authentication services actually encourage you to print and save recovery codes in case you lose access to your second-factor app or device, for example. And the password that unlocks your device or your password manager can’t itself be stored in the password manager.
“Don’t put your password in your wallet.” You will literally have to kick my ass to get it. Heck of a lot stronger than notepad.
— Patrick Kelley (@PKELLEY2600) November 14, 2021
Some people insist on writing passwords in a notebook (Hi, Mom!). Never tell these people they’re wrong, but do encourage them to do this only for passwords that can’t be stored in a password manager or might be needed to recover backups and services if a device is damaged or lost—for example, if you have an Apple ID. You want these high-value passwords to be complex and memorable, but they’re used infrequently, so they may be more easily forgotten. Go ahead, write them down. And then put the written passwords (and your 2FA recovery codes!) in a nonpublic, safe place you can access when things go awry.