Securing Your Digital Life The Finale Debunking Worthless Security Practices

Information security and privacy suffer from the same phenomenon we see in fighting COVID-19: “I’ve done my own research” syndrome. Many security and privacy practices are things learned second- or third-hand, based on ancient tomes or stuff we’ve seen on TV—or they are the result of learning the wrong lessons from a personal experience.

I call these things “cyber folk medicine.” And over the past few years, I’ve found myself trying to undo these habits in friends, family, and random members of the public. Some cyber folkways are harmless or may even provide a small amount of incidental protection. Others give you a false sense of protection while actively weakening your privacy and security. Yet some of these beliefs have become so widespread that they’ve actually become company policy.

I brought this question to some friends on InfoSec Twitter: “What’s the dumbest security advice you’ve ever heard?” Many of the replies were already on my substantial list of mythological countermeasures, but there were others that I had forgotten or not even considered. And apparently, some people (or companies… or even vendors!) have decided these bad ideas are canon.

If I’m repeating myself from previous articles, it’s only because I keep hearing these bad pieces of advice. This article won’t eradicate these practices, sadly—they’re so embedded in culture that they will continue to be passed down and practiced religiously until the technological weaknesses that allow them to exist have faded into antiquity. But together we can at least try to end the madness for those in our circles of influence.

Myth: Thou shalt change thy password every 30 days

Passwords have been part of computer security since 1960, when Fernando Corbató added passwords for personal files to MIT’s Compatible Time-Sharing System (CTSS). And almost immediately, they became, as Corbató himself admitted, “a nightmare.” Since then, all sorts of bad advice (and bad corporate policy) has been disseminated about how to use, manage, and change passwords.

Technology limits have in the past been the main thing dictating password policy—limits on the number and type of characters, for example. The low security of short passwords led to policies that required that passwords be frequently changed. But modern operating systems and security systems have made the whole short-password-versus-frequent-password-change dance obsolete, right?

Apparently not. Not only have these folkways continued to be used to log in to personal computers at work, but they’ve been integrated into consumer services on the web—some banking and e-commerce sites have hard maximum sizes for passwords. And—likely because of poor software design and fear of cross-site scripting or SQL injection attacks—some services also limit the types of characters that can be used in passwords. I guess that’s just in case someone wants to use the password “password’); DROP TABLE users;–” or something.

Regardless of whether we’re talking about a password or a PIN, policies that limit length or characters weaken complexity and security. Long passwords with characters such as spaces and punctuation marks are more memorable than arbitrary numbers or leetspeak morphs of words. Microsoft’s definition of a PIN is, essentially, a hardware-specific password that controls device access and login credentials based on Trusted Platform Module black magic; a four-digit PIN for device access is not more secure than one based on letters and numbers if someone has stolen your computer and is banging away on it at their leisure.

Pick a sufficiently long and complex password for a personal or work computer, and you should only have to change it if it’s been shared with or stolen by someone else. Changing passwords every 30 days only makes passwords harder to remember and can cause people to develop bad password-creation workarounds that result in weaker passwords—for example, by incrementing numbers at the end of them:

  • Pa55w0rd1
  • Pa55w0rd2
  • Pa55w0rd3
  • …you can see where this madness leads

So pick one complex but memorable password for your computer login or your phone, like XKCD suggests (though don’t use the one in the comic—maybe generate one with Diceware!). Don’t reuse it anywhere else. And don’t change it unless you have to.

Myth: Don’t write it down!

Many of us have seen the worst-case scenario in password management: passwords on Post-it notes stuck to monitors in cubicle-land, just waiting to be abused. This habit has led many a would-be security mentor to cry out, “Don’t write down your passwords!”

Except you probably should write them down—just not on a Post-it in your cubicle. Many two-factor authentication services actually promote printing and saving recovery codes in the event you lose access to your second-factor app or device, for example. And you can’t save device passwords in a password manager, can you?

Some people insist on writing passwords in a notebook (Hi, Mom!). Never tell these people they’re wrong, but do encourage them to do this only for passwords that can’t be stored in a password manager or might be needed to recover backups and services if a device is damaged or lost—for example, if you have an Apple ID. You want these high-value passwords to be complex and memorable, but they’re used infrequently, so they may be more easily forgotten. Go ahead, write them down. And then put the written passwords (and your 2FA recovery codes!) in a nonpublic, safe place you can access when things go awry.

There is something you should not do with passwords, however, and that is keeping them in a text file or other unencrypted format. In a recent intrusion incident I was reviewing, one of the first things the criminals managed to do was find a file called Password List.xlsx. You can imagine how things went from there. And apparently this happens on the regular at some companies:

Now, if these files were password-protected Office documents, there’d at least be some hope—since Office uses AES encryption and does some serious SHA-1 shuffling of passwords to generate the keys in more recent versions. In instances when you can’t keep passwords in a password manager but need to keep track of them, this is an acceptable level of security in most cases.

Myth: 2FA is 2 scary 4 me

I’m a major proponent of two-factor authentication (“2FA”) as a way to protect login credentials; it has saved me a few times from having accounts hacked after provider breaches revealed my passwords. (There was also the one time when I lost access to an email account because a domain-name provider decided not to auto-renew my personal domain and instead sold it to a scam blog operator. I’ll leave it to you to guess which registrar did me dirty that way.) But I frequently see people deciding not to use 2FA because they saw somewhere that 2FA via text message is less secure, but they didn’t see the other part about using an authenticator app or other method instead if possible. And then they erroneously reached the conclusion that foregoing 2FA is more secure than 2FA with SMS.

Let me be clear: any 2FA is better than no 2FA. And with the usual types of brute-force attempts attackers make against common cloud services, any 2FA will render about 90 percent of these attempts totally unsuccessful (and the other 10 percent of the time will just result in a potentially recoverable denial of service). You definitely want some form of 2FA on an Amazon account or anything that has any ties to your purchasing information, no matter what kind of 2FA it is.

But just having 2FA is not a guarantee that someone won’t succeed in getting what they want. Some phishing attacks are now managing to get around two-factor authentication by using 2FA “passthrough” attacks:

If you receive an email with a link that takes you to a website requesting your credentials, and you then get a 2FA alert for your login, that does not necessarily mean that the link was legitimate and that you should give the code or tap the “approve” button. This could be an attempt to simply have you assist the attacker. Take a hard look at that link. Then call your security team, maybe. (My current employer’s security team attempts to 2FA phish me two or three times a month these days.)

So use 2FA. But be mindful of your login requests, and don’t approve weird ones.

Myth: My VPN protects me!

A few weeks ago I mentioned that, for most normal Internet usage, virtual private networks are kind of pointless now. All they really do (when properly configured) is hide the Domain Name Service requests you make and the resulting IP addresses you visit from your Internet Service Provider. This (mostly) prevents your ISP from collecting data about your Internet habits—and instead passes that privilege on to the VPN provider you’re using.

VPNs are good for some situations:

  • If you’re working from home and you need to access resources on the corporate LAN, you probably need to use the corporate VPN
  • If you’re stealing BBC content from Great Britain by watching it in the US without paying TV tax—assuming the Beeb has not yet blocked your VPN provider
  • If you’re pretending to be in another country to fool Google or other sites into giving you localized results for that geographic location, or otherwise working around some form of geoblocking

That’s about it. Otherwise, VPNs aren’t much more effective in protecting your privacy than what you already get from visiting sites that use modern Secure HTTP (HTTPS).

This doesn’t prevent VPN providers from using scare-tactic advertising (or in some cases, actually using fake alerts and other sorts of manipulative and illegal “advertising”) to drive you toward downloading VPNs for your computer or phone. If a friend or relative tells you they got a notification saying they had 1,000 viruses on their iPhone and that they needed to install a VPN right away, make sure you walk them through how to remove that app immediately (and also how to report a fraudulent application to Apple, Google, and the Federal Trade Commission).

Now, if your goal in life is to make sure that Comcast, AT&T, Verizon, Spectrum, T-Mobile, and all the rest know as little about your Internetting as possible and you’ve done due diligence on your VPN provider’s privacy disclosure, then go right ahead and VPN. Just don’t freak out too much when you have to go through a thousand CAPTCHAs to visit a site because some denial of service bro has been using the same VPN exit point as you. (It’s also important to understand that, unless you can actually audit your VPN provider’s privacy policy yourself, you can’t do effective due diligence.)

Myth: You don’t need antivirus on that

Just like fear of 2FA, some people swear that antivirus software is unnecessary, because:

  • “I have a firewall that blocks all that stuff”
  • “I don’t visit porn sites”
  • “We don’t need antivirus on the servers, just the desktops”

… and variations of these.

Microsoft Defender, up to date on a properly configured Windows 10 or Windows 11 system, is pretty good for blocking known threats. Microsoft’s security team has done a lot to raise the bar of its malware protection. But the number of improperly configured, half-disabled, non-updated systems I have had the privilege to examine forensically does not indicate to me that the majority of computers connected to Internet-adjacent networks are “properly configured Windows” for any number of reasons.

If a piece of software tells you that you need to disable the antivirus software for a folder in order for it to work, my advice is to just not use that software. There have been plenty of examples of how bad not following this advice can turn out—I lost most of my Independence Day weekend thanks to one in particular.

Stopping the madness

If there’s one cyber folkway that drives me the most nuts, it’s the widely held belief that people can achieve security through obscurity. “Why would they hack me? I’m not anyone special” are famous last words before a ransomware attack.

True fact: I’m proud of my parents for remembering all the things I’ve told them about identifying digital scams, and I lose much less sleep since my parents started doing most of their Internetting on iPads. The less time they spend reading email or browsing the web on their desktops, the better, because using up-to-date iOS devices significantly reduces their attack surface (at least from malware). But all cell phones have some security risk associated with them, and it’s not just smartphones.

It may not be possible through your own singular efforts to get your company to change its password policy. But if enough people gently persuade others to stop following flawed advice (advice they’ve received from people who probably haven’t exactly done themselves any privacy or security favors), then maybe we can avoid a few million dollars’ worth of cybercrime. (And if you’re an IT decision-maker or you sit on your company’s IT steering committee, then it’s time to weigh in and do your part!)

If you’ve seen or heard any particularly flawed information security or privacy advice, please share it in the comments here. The only way we can stop these sorts of bad security memes from propagating further and end cyber quackery is by pointing out instances every time we hear or see them.

Sean Gallagher is a former IT editor and national security editor at Ars Technica. A University of Wisconsin grad, he wrote his first program in high school on a DEC PDP-10, and his first database app on a dual-floppy Apple II.

Source: Securing your digital life, the finale: Debunking worthless “security” practices | Ars Technica


More Contents:

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.