Comment on Why Is Computer Security Advice So Confusing?

fubo@lemmy.world ⁨1⁩ ⁨year⁩ ago

One problem is that a great deal of correct security advice contradicts “common knowledge” security practices. Password character classes – “must include capitals, lowercase, numbers, and symbols” – are a standard example. That idea got rooted in security requirements for banks and such, and it was a bad idea even then. But getting rid of that idiocy looks, to the casual observer, like “weakening password requirements”.

Another problem is that the biggest security vulnerability that many businesses have is obedience to authority. If you can “social-engineer” someone into thinking you’re the big boss, then of course they’ll turn off all the security for you. And the scarier the big boss is, the more eager the underlings are to please them by doing exactly what the email from bigboss@yourcopmany.com says.

Resistance to phishing is questioning claims of authority; it requires being willing to tell the big boss that no you won’t take the security down in response to an email, even a really convincing one. Which means that the worker has to be safe in doing so.

source
Sort:hotnewtop