If you've ever felt baffled by the computer security instructions provided at your workplace, you're not alone. A recent study underscores a fundamental issue in the crafting of these guidelines and suggests straightforward measures to enhance them – likely leading to better computer safety. The
The key takeaway here is that the people writing these guidelines try to give as much information as possible,” Reaves says. “That’s great, in theory. But the writers don’t prioritize the advice that’s most important. Or, more specifically, they don’t deprioritize the points that are significantly less important. And because there is so much security advice to include, the guidelines can be overwhelming – and the most important points get lost in the shuffle.
In other words, the guideline writers are compiling security information, rather than curating security information for their readers.
Drawing on what they learned from the interviews, the researchers developed two recommendations for improving future security guidelines.
First, guideline writers need a clear set of best practices on how to curate information so that security guidelines tell users both what they need to know and how to prioritize that information.
Second, writers – and the computer security community as a whole – need key messages that will make sense to audiences with varying levels of technical competence.
“Look, computer security is complicated,” Reaves says. “But medicine is even more complicated. Yet during the pandemic, public health experts were able to give the public fairly simple, concise guidelines on how to reduce our risk of contracting COVID. We need to be able to do the same thing for computer security.”
Did they live through the same pandemic I did? Because I distinctly remembering that “simple” advice apparently being too confusing for a huge portion of the population.
The advice these days on computer security is simple too: Use a password manager and let it make a unique password for every site and don’t tell anyone your password.
Of course in the tech world we immediately have a lot of sites that make that impossible, frequently starting with the ones that should be the most secure, your banks and your phone.
Covid advice was simple, people understood it but many didn't comply because they didn't find it convenient. There were also covid-deniers, and people who significantly underestimated it. There were people who found corporate cyber security measures inconvenient too in the places I worked, but ignorance was I think always the more important reason.
I also think it isn't enough for the advice to be simple, it should be somewhat easy to apply. "Don't fall into phishing emails". Sure, but how? Then it lists a bunch of tricks and hints and people can rarely remember all, and apply while they go through tens of emails daily. I think this is the message from the article.
Advice against phishing emails can be reduced to, "1: Never click on a link, call a phone number, download an attachment, or follow instructions you found in an email unless you were already expecting this exact email from this exact sender. 2: If you really want to do those things, search up the organization's website directly and use the contact info they provide there instead."
imo it's the ad-hungry articles stretching everything into 10+ pages that's making advice so inaccessible to people. Super annoying because it dilutes the real, simple message that's already there, it's just locked behind an adwall.
It’s pretty amazing how many people still remember and reuse passwords for everything. I think it is still as simple as people haven’t heard of password managers or they’re just too overwhelmed with adding all of their passwords to a password manager and then changing them to something unique.
If you work at a company that provides a password manager, then it's an easy choice for your work-related passwords. For personal stuff, though? There's nothing out there I feel comfortable recommending that isn't a pain in the ass.
Cloud services are mostly bullshit. LastPass got hacked hard earlier this year. OnePassword is no better. BitWarden is maybe better but self-hosting is obviously too high a bar and if you use their cloud service then you're still giving all your passwords to a third party.
And then if you actually want it to be convenient you need browser plugins. Nah.
Offline solutions like Keepass are great but then you need to find a way to manually sync them across devices. Pick your poison.
One problem is that a great deal of correct security advice contradicts "common knowledge" security practices. Password character classes -- "must include capitals, lowercase, numbers, and symbols" -- are a standard example. That idea got rooted in security requirements for banks and such, and it was a bad idea even then.
But getting rid of that idiocy looks, to the casual observer, like "weakening password requirements".
Another problem is that the biggest security vulnerability that many businesses have is obedience to authority. If you can "social-engineer" someone into thinking you're the big boss, then of course they'll turn off all the security for you. And the scarier the big boss is, the more eager the underlings are to please them by doing exactly what the email from bigboss@yourcopmany.com says.
Resistance to phishing is questioning claims of authority; it requires being willing to tell the big boss that no you won't take the security down in response to an email, even a really convincing one. Which means that the worker has to be safe in doing so.
One problem is that a great deal of correct security advice contradicts “common knowledge” security practices. Password character classes – “must include capitals, lowercase, numbers, and symbols” – are a standard example. That idea got rooted in security requirements for banks and such, and it was a bad idea even then.
I don't know a lot about computer security - but must include capitals, lowercase, numbers, etc seems like a good idea, why is it not?
Longer pass-phrases are easier to remember, and more secure than shorter pass-words with numbers and symbols.
If you're using a password manager, make them long, with numbers and symbols also.
Still fairly new to the world of computer security myself, so anyone can feel free to correct me of course, but basically;
While adding capitals, lowercase, numbers, etc does make the password more complex, it also makes it harder for the average user to remember. This means that many users reuse the same password across multiple sites/platforms. Or they use shorter passwords with common tricks like Pa$$word1. That checks all the requirements for a "secure" password but it really isn't. Hackers know that people use $ in place of S, people often use some variation of "password" in their password, and the number is usually a 1 or something easily guessable like the year they were born.
So the more up to date recommendation is to use a long and strong password (like at least 12 characters long), or a password manager and 2FA.
TLDR: number of possible passwords is x^y where x is the size of your alphabet and y is the password length. Increasing y is better than increasing x.
It's not immediately obvious, but it is pretty straightforward math. It has to do with password length vs alphabet size.
Let's look at an 8 letter lowercase only password. Each time you increase the minimum length, you increase the maximum number of passwords by 26 (the number of letters in the alphabet). So it would be 26x26x26x26x26x26x26x26 or 26^8 which is 208,827,064,576. This is a lot of passwords, but pretty easy for a computer to brute force.
Let's add the ! symbol. This means there are 27 options or 27^8. The total number of passwords is now 282,429,536,481. A bigger number, but not by much.
If we only have lowercase letters but increase it to 9 letters long, then it increases to 26^9 which equals 5,429,503,678,976. We've jumped from millions of passwords to billions with passwords only 1 character more.
If you allow all symbols and numbers, but also increase minimum length, you get the best of both without creating difficult to remember passwords.
This of course ignores the primary way people get past passwords: by asking the user for their password. It also ignores that an intruder is going to check the most common passwords and not just try them all. Adding numbers and symbols doesn't really change the most common passwords though, since dragon just turns into Dragon1!