Comment on Why Is Computer Security Advice So Confusing?
fubo@lemmy.world 9 months ago
One problem is that a great deal of correct security advice contradicts “common knowledge” security practices. Password character classes – “must include capitals, lowercase, numbers, and symbols” – are a standard example. That idea got rooted in security requirements for banks and such, and it was a bad idea even then. But getting rid of that idiocy looks, to the casual observer, like “weakening password requirements”.
Another problem is that the biggest security vulnerability that many businesses have is obedience to authority. If you can “social-engineer” someone into thinking you’re the big boss, then of course they’ll turn off all the security for you. And the scarier the big boss is, the more eager the underlings are to please them by doing exactly what the email from bigboss@yourcopmany.com says.
Resistance to phishing is questioning claims of authority; it requires being willing to tell the big boss that no you won’t take the security down in response to an email, even a really convincing one. Which means that the worker has to be safe in doing so.
One problem is that a great deal of correct security advice contradicts “common knowledge” security practices. Password character classes – “must include capitals, lowercase, numbers, and symbols” – are a standard example. That idea got rooted in security requirements for banks and such, and it was a bad idea even then.
I don’t know a lot about computer security - but must include capitals, lowercase, numbers, etc seems like a good idea, why is it not?
Longer pass-phrases are easier to remember, and more secure, than shorter pass-words with numbers and symbols.
If you’re using a password manager, make them long, with numbers and symbols also.
It’s not immediately obvious, but it is pretty straightforward math. It has to do with password length vs alphabet size.
Let’s look at an 8 letter lowercase only password. For every letter, you increase the maximum number of passwords by 26 (the number of letters in the alphabet). So it would be 26x26x26x26x26x26x26x26 or 26^8 which is 208,827,064,576. This is a lot of passwords, but pretty easy for a computer to brute force.
Let’s add the ! symbol. This means there are 27 options or 27^8. The total number of passwords is now 282,429,536,481. A bigger number, but not by much.
If we only have lowercase letters but increase it to 9 letters long, then it increases to 26^9 which equals 5,429,503,678,976. We’ve jumped from millions of passwords to billions with passwords only 1 character more.
If you allow all symbols and numbers, but also increase minimum length, you get the best of both without creating difficult to remember passwords.
This of course ignores the primary way people get past passwords: by asking the user for their password. It also ignores that an intruder is going to check the most common passwords and not just try them all. Adding numbers and symbols doesn’t really change the most common passwords though, since dragon just turns into Dragon1!
Also, not having alphabet requirements lets you use passphrases, which gives you access to little mental shortcuts like “lyrics of a song started in the middle of a line”.
Nobody is going to guess that your password is “fame, he’s ignored, action is” even if they know you like Spider-Man. And with 29 characters that password is not easily brute-forced, either. (Okay, this one has special characters but it works just as well without them.)
And it’s super easy to memorize even multiple passwords. You just need to remember song + offset, done.
Still fairly new to the world of computer security myself, so anyone can feel free to correct me of course, but basically;
While adding capitals, lowercase, numbers, etc does make the password more complex, it also makes it harder for the average user to remember. This means that many users reuse the same password across multiple sites/platforms. Or they use shorter passwords with common tricks like Pa$$word1. That checks all the requirements for a “secure” password but it really isn’t. Hackers know that people use $ in place of S, people often use some variation of “password” in their password, and the number is usually a 1 or something easily guessable like the year they were born.
So the more up to date recommendation is to use a long and strong password (like at least 12 characters long), or a password manager and 2FA.
I think “password” is the wrong word for it. “Passphrase” encourages people to make it longer, like a few words, and length beats special characters any day.
NeoNachtwaechter@lemmy.world 9 months ago
In other words: bossy bosses can’t be secure. Ever.