Information security and privacy suffer from the same phenomenon we see in fighting COVID-19: “I’ve done my own research” syndrome. Many security and privacy practices are things learned second- or third-hand, based on ancient tomes or stuff we’ve seen on TV—or they are the result of learning the wrong lessons from a personal experience.
I call these things “cyber folk medicine.” And over the past few years, I’ve found myself trying to undo these habits in friends, family, and random members of the public. Some cyber folkways are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so widespread that they’ve actually become company policy.
I brought this question to some friends on InfoSec Twitter: “What’s the dumbest security advice you’ve ever heard?” Many of the replies were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies… or even vendors!) have decided these bad ideas are canon.
If I’m repeating myself from previous articles, it’s only because I keep hearing these bad pieces of advice. This article won’t eradicate these practices, sadly—they’re so embedded in culture that they will continue to be passed down and practiced religiously until the technological weaknesses that allow them to exist have faded into antiquity. But together we can at least try to end the madness for those in our circles of influence.
Myth: Thou shalt change thy password every 30 days
Rotate passwords every 30 days
— MrR3b00t | hacking the gibson (@UK_Daniel_Card) November 14, 2021
Passwords have been part of computer security since 1960, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time-Sharing System (CTSS). And almost immediately, they became, as Corbató himself admitted, “a nightmare.” Since then, all sorts of bad advice (and bad corporate policy) has been disseminated about how to use, manage, and change passwords.
Technology limits have in the past been the main thing dictating password policy—limits on the number and type of characters, for example. The low security of short passwords led to policies that required that passwords be frequently changed. But modern operating systems and security systems have made the whole short-password-versus-frequent-password-change dance obsolete, right?
Apparently not. Not only have these folkways continued to be used to log in to personal computers at work, but they’ve been integrated into consumer services on the web—some banking and e-commerce sites have hard maximum sizes for passwords. And—likely because of poor software design and fear of cross-site scripting or SQL injection attacks—some services also limit the types of characters that can be used in passwords. I guess that’s just in case someone wants to use the password “password’); DROP TABLE users;–” or something.
“We limit our passwords to 12 characters so you don’t forget them”
— Graham Helton (@GrahamHelton3) November 14, 2021
Regardless of whether we’re talking about a password or a PIN, policies that limit length or characters weaken complexity and security. Long passwords with characters such as spaces and punctuation marks are more memorable than arbitrary numbers or leetspeak morphs of words. Microsoft’s definition of a PIN is, essentially, a hardware-specific password that controls device access and login credentials based on Trusted Platform Module black magic; a four-digit PIN for device access is not more secure than one based on letters and numbers if someone has stolen your computer and is banging away on it at their leisure.
Pick a sufficiently long and complex password for a personal or work computer, and you should only have to change it if it’s been shared with or stolen by someone else. Changing passwords every 30 days only makes passwords harder to remember and can cause people to develop bad password-creation workarounds that result in weaker passwords—for example, by incrementing numbers at the end of them:
- Pa55w0rd1
- Pa55w0rd2
- Pa55w0rd3
- …you can see where this madness leads
So pick one complex but memorable password for your computer login or your phone, like XKCD suggests (though don’t use the one in the comic—maybe generate one with Diceware!). Don’t reuse it anywhere else. And don’t change it unless you have to.
Myth: Don’t write it down!
Many of us have seen the worst-case scenario in password management: passwords on Post-it notes stuck to monitors in cubicle-land, just waiting to be abused. This habit has led many a would-be security mentor to cry out, “Don’t write down your passwords!”
Except you probably should write them down—just not on a Post-it in your cubicle. Many two-factor authentication services actually promote printing and saving recovery codes in the event you lose access to your second-factor app or device, for example. And you can’t save device passwords in a password manager, can you?
“Don’t put your password in your wallet.” You will literally have to kick my ass to get it. Heck of a lot stronger than notepad.
— Patrick Kelley (@PKELLEY2600) November 14, 2021
Some people insist on writing passwords in a notebook (Hi, Mom!). Never tell these people they’re wrong, but do encourage them to do this only for passwords that can’t be stored in a password manager or might be needed to recover backups and services if a device is damaged or lost—for example, if you have an Apple ID. You want these high-value passwords to be complex and memorable, but they’re used infrequently, so they may be more easily forgotten. Go ahead, write them down. And then put the written passwords (and your 2FA recovery codes!) in a nonpublic, safe place you can access when things go awry.
There is something you should not do with passwords, however, and that is keeping them in a text file or other unencrypted format. In a recent intrusion incident I was reviewing, one of the first things the criminals managed to do was find a file called Password List.xlsx. You can imagine how things went from there. And apparently this happens on the regular at some companies:
My company is doing a big internal security audit.
First step? Everyone put the IPs and root passwords of all your machines into excel templates and upload it so that IT can log in and check your patch level.
— The Lack Thereof (@LackThere0f) November 5, 2021
Now, if these files were password-protected Office documents, there’d at least be some hope—since Office uses AES encryption and does some serious SHA-1 shuffling of passwords to generate the keys in more recent versions. In instances when you can’t keep passwords in a password manager but need to keep track of them, this is an acceptable level of security in most cases.
Myth: 2FA is 2 scary 4 me
SMS 2FA is not secure. You’re better off not having 2FA at all.
— Jerry Aldrich (@jerryaldrichiii) November 14, 2021
I’m a major proponent of two-factor authentication (“2FA”) as a way to protect login credentials; it has saved me a few times from having accounts hacked after provider breaches revealed my passwords. (There was also the one time when I lost access to an email account because a domain-name provider decided not to auto-renew my personal domain and instead sold it to a scam blog operator. I’ll leave it to you to guess which registrar did me dirty that way.) But I frequently see people deciding not to use 2FA because they saw somewhere that 2FA via text message is less secure, but they didn’t see the other part about using an authenticator app or other method instead if possible. And then they erroneously reached the conclusion that foregoing 2FA is more secure than 2FA with SMS.
Let me be clear: any 2FA is better than no 2FA. And with the usual types of brute-force attempts attackers make against common cloud services, any 2FA will render about 90 percent of these attempts totally unsuccessful (and the other 10 percent of the time will just result in a potentially recoverable denial of service). You definitely want some form of 2FA on an Amazon account or anything that has any ties to your purchasing information, no matter what kind of 2FA it is.
But just having 2FA is not a guarantee that someone won’t succeed in getting what they want. Some phishing attacks are now managing to get around two-factor authentication by using 2FA “passthrough” attacks:
“You should trust push-based 2FA because you know you’ve just entered your password.”
“And how do I know that an attacker hasn’t entered it at the same time?”
“…”
“How would an attacker know your password?”
“🤦♂️”
— Ankit Pati (@nkitpati) November 14, 2021
If you receive an email with a link that takes you to a website requesting your credentials, and you then get a 2FA alert for your login, that does not necessarily mean that the link was legitimate and that you should give the code or tap the “approve” button. This could be an attempt to simply have you assist the attacker. Take a hard look at that link. Then call your security team, maybe. (My current employer’s security team attempts to 2FA phish me two or three times a month these days.)
So use 2FA. But be mindful of your login requests, and don’t approve weird ones.