Or rather, sorry, I should say, people being lazy. Saying stupid is unfair.
How do you get people not to make their password "password". After all, we are insisting they have a damn password. They don't want one. They just want things to work.
Yes, if they get hacked, they moan, but it does not matter how much we try, they will take the lazy route.
People will not care if a site is using https or http.
People will not care is some site has a warning. The poke posted a good image for this today.
So keeping normal people safe is hard work.
But what if you do have something to hide - whether it is something non-criminal but embarrassing or just commercially sensitive. What if it is criminal, or worse terroristy...
Well, then you need to plan and be careful. Then you need to check how you keep yourself safe and communicate safely.
This is why the security theatre of politicians today is bad - they want to advocate weaker security for the masses, for everyone, so that they can catch criminals more easily.
The effect will be weaker security for the masses, yes, and a much harder time protecting them. However, anyone with any reason to actually put in a modicum of effort, such as terrorists, can easily stay safe - using their own encryption rather than using WhatsApp.
A terrorist can simply google* how to do this, download the right code, and be their own vendor for end-to-end encryption. Cimincals can stay safe. (*Books also have this information)
Who wins here - the criminals!
Who loses here - the rest of us!
Please, let us use encryption to protect us all - yes it protects criminals as well, but we can't stop that, and protecting the rest of us actually thwarts a lot of criminals. Net gain.
This blog also on YouTube:-
I have worked in the tech industry all my life. Nobody has ever followed the alleged "good password policies" that they try to force on us, except under protest. Everyone knew that changing your password every N months / weeks / days was stupid and even the geeks just ended up using their password with an incrementing number on the end, but the ridiculous policies for this are only now in retreat.
ReplyDeleteMeanwhile, I try to set passwords to things like Yubikey-backed OATH-HOTP strings and the like, but most sites still don't accept them because they are too long (sigh) and don't have special characters or capital letters in (apparently a 42-byte hex string is insufficiently secure as a password). So I still use terrible passwords in many places (even discounting test systems with root and user passwords of "@" or a single space character or something like that, because there's nothing important on them anyway and it's inside a megacorp's firewall). I just want things to work.
So we are still in the sitaution of ridiculous passwords being mandated in an effect that forces even clued people to use weak ones. And *everyone* writes them down. The advice to not write them down has at least gone away now -- even security consultants realise that asking people to not write down 300 "memorable" passwords is ridiculous.
I note now the confluence of the useless, insecure "memorable information" reset strings banks and the like try to get you to set, and passwords. One bank asks me to set "memorable information" using password rules (special characters, at least N letters long, etc) and then asks you to pick particular characters out of it at login time! Because *that's* not a password at all. Just because you can remember your mother's pet name for your father's dog doesn't mean you can pick characters 3, 7, and 14 out of it without writing it down!