Do you think IT security controls impede your workflow?

This looks like a good spot to air my ongoing beef with passwords:

When I’m sitting at home by myself on my computer, when I type in an incredibly complex password, why can’t I see it??? If you’re going to make me follow all the rules with the characters/numbers/symbols, I should at least have the option to see what I’m typing.

I realize that now many sites, especially on my phone, have that option. Seems to me, however, that showing the password should be the default. If I’m in a public area or somebody’s looking over my shoulder, I can then turn off the ‘display password’ option.

/endrant

Sure. Very much in the same way that speed limits prevent skilled, attentive drivers from commuting faster.

However, in very much the same way that speed limits are made necessary by shitty, inattentive drivers, the IT department’s most pain-in-the-ass controls are made necessary by the one or two idiots in your organization who blithely open mysterious attachments and/or willingly hand over access credentials on websites that aren’t what they think they are.

Pretty much every day now it seems there’s a company or corporate office somewhere that’s been crippled by ransomware, thinking goddammit, if only we had stricter IT security controls in place…

There are some tools scammers and hackers use out there that enable them to view your screen and what you’re doing without you knowing it. Which is why you can’t see what you’re typing as the default setting.

If they have that much access to my computer, they’ve already compromised all of my accounts. And they have probably enabled a keylogger as well, meaning they can capture every keystroke, no matter if it’s hidden onscreen or not.

I personally hate Google reCAPTCHA. What a waste of time.

It seems like all of the SaaS I use require reCAPTCHA every single time I log in. I’ll spend five minutes or more every single time I want to access any of these services, doing free work for Google Maps and AI.

This is on top of other security controls like 90 day password expiration, two-factor authentication, automatic session expiration, etc.

That last one has great synergy. Stop using the website for more than two minutes, spend six or more minutes getting back in.

~Max

“Pick all the bicycles in this photo”

<Picture that has a bicycle, motorcycle, a moped, and a tricycle>

But must be “easy to remember” so you don’t have to write it down. :roll_eyes:

Mostly they are minor annoyances. There are two that really irritate me. One web app I use requires a symbol among its other requirements, but not any symbol - you must select from only eight preselected symbols.

The other one is a secure email system that automatically logs you out after a few seconds of inactivity. It may be closer to a minute or two, but it’s far too quick. It also deletes old emails, both sent and received. I understand why, but sometimes I need to prove I sent something.

Which reduces IT security, and having super complicated passwords likely does the same.

Time for Password Expiration to Die.

Password expiration is a dying concept. Essentially, it’s when an organization requires their workforce to change their passwords every 60, 90 or XX number of days. And while there are several reasons behind the password expiration policy, most at this point seem obsolete.

The first reason? History. Years ago (decades, even) it was estimated that it would take the average computer approximately 90 days to ‘crack’ the average password hash. In other words, if an attacker hacked into a website and was able to copy all of the password hashes (passwords are not secured via encryption, but instead one-way hashes), hackers could attempt to automate the process of guessing the passwords. So, the thinking was if the average password could be cracked in 90 days, people should get into the habit of changing their passwords every 90 days. Over time, this guideline became a requirement for many different standards and became embedded in security folklore. If you did not advocate the regular changing of passwords, you were obviously an incompetent security professional.

Fast forward to today. Things have radically changed. Password expiration is no longer relevant. In fact, if you conduct a risk-based analysis, you will quickly determine that password expiration does far more harm than good and actually increases your risk exposure. The problem is that organizations and security standards (looking at you, PCI-DSS) have not kept up and continue to promote outdated and harmful practices simply because that is how it has always been done.
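The offline cracking scenario the quoted article describes, as an added example that is not part of the post or the article: an attacker who holds a dumped table of one-way hashes runs a dictionary attack with common mangling rules, falls back to brute force for short passwords, and estimates how long exhausting a keyspace takes. The leaked table, the wordlist and the guess rate are constructed assumptions; unsalted SHA-256 stands in for the weak storage seen in many breaches (a salted, slow KDF changes the guess rate, not the shape of the result).

```python
"""Offline password-hash cracking, the threat the 90-day rule was built on.

Added example, not code from the forum post or the quoted article.
LEAKED_HASHES, WORDLIST and GUESSES_PER_SECOND are constructed assumptions.
"""
import hashlib
import itertools
import string


def sha256_hex(candidate: str) -> str:
    """Unsalted SHA-256, standing in for weak password storage (assumption)."""
    return hashlib.sha256(candidate.encode()).hexdigest()


# Constructed "dump": username -> hex digest. The attacker sees only the digests.
LEAKED_HASHES = {
    "alice": sha256_hex("Summer2019!"),          # dictionary word + common mangling
    "bob": sha256_hex("hunt"),                   # short enough to brute-force
    "carol": sha256_hex("tQ7#v9Lm@2Xz!pR4"),     # 16 random printable characters
}

WORDLIST = ["password", "welcome", "summer", "dragon", "letmein"]  # constructed
SUFFIXES = ["", "1", "123", "!", "2019", "2019!"]                  # typical rules

GUESSES_PER_SECOND = 1e10   # assumption: roughly one GPU rig against unsalted SHA-256
NINETY_DAYS = 90 * 86400


def mangle(word: str):
    """Yield the candidates a cracker derives from one wordlist entry."""
    for base in (word, word.capitalize(), word.upper()):
        for suffix in SUFFIXES:
            yield base + suffix


def dictionary_attack(hashes: dict, wordlist) -> dict:
    """Return {user: plaintext} for every digest matched by a mangled word."""
    # Invert the table once so each candidate costs one hash plus one lookup,
    # regardless of how many users share that digest (unsalted => same digest).
    by_digest = {}
    for user, digest in hashes.items():
        by_digest.setdefault(digest, []).append(user)
    cracked = {}
    for word in wordlist:
        for candidate in mangle(word):
            for user in by_digest.get(sha256_hex(candidate), []):
                cracked[user] = candidate
    return cracked


def brute_force(digest: str, charset=string.ascii_lowercase, max_len=4):
    """Try every string over charset up to max_len; return the match or None."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            candidate = "".join(combo)
            if sha256_hex(candidate) == digest:
                return candidate
    return None


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly this length."""
    return charset_size ** length / guesses_per_second


if __name__ == "__main__":
    found = dictionary_attack(LEAKED_HASHES, WORDLIST)
    for user, digest in LEAKED_HASHES.items():
        if user not in found:
            pw = brute_force(digest)
            if pw is not None:
                found[user] = pw
    print("cracked:", found)            # alice and bob fall; carol survives
    for charset, length in ((26, 8), (94, 16)):
        t = seconds_to_exhaust(charset, length, GUESSES_PER_SECOND)
        print(f"{charset}^{length} keyspace: {t:.3g} s "
              f"({'inside' if t < NINETY_DAYS else 'far beyond'} a 90-day window)")
```

Run against the constructed dump, the weak passwords are recovered long before any 90-day rotation would have retired them, while the 16-character random one sits so far outside the window that rotation adds nothing; that is the risk-based argument the article makes.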

I negotiated a deal with our Infrastructure/CISSP group and we’re the only department in the company with this agreement. We are all admins on our machines (what we wanted), but we are responsible for our machines in every way (what they wanted in return). If we get a virus, we must wipe the machines and reinstall from an image. Basically, if we screw something up or something becomes corrupted, it’s on us.

Thus far both parties are perfectly happy with the agreement.

Your company/org has no information management policies related to retention and disposition of information of business value that is created?

Security controls are my workflow. :rofl:

My group has a similar arrangement. Our AD IDs have the usual limited privileges but we can enter a ticket to activate our “local admin” IDs that, as the name suggests, give us full admin access to our own PCs. And if we break something, it’s nuke and pave time. The helpdesk doesn’t know how to fix our admin tools and won’t try.

As for passwords, we recently moved to minimum 16-character passwords that get changed annually.

About 12-ish years ago, we had a big ugly mailstorm because there were minimal restrictions on distribution lists. Once the “Remove me from this list!” and “Stop replying-all!” (sent to all, naturally!) died down, rules were set up on the size of lists, and how they can be used. If a list was bigger than something like 50 IDs, it could only be used as a bcc: address, making “reply all” storms impossible.

Fast forward to about two weeks ago, and a birthday meltdown :birthday: :scream: A bizarre glitch in the list processing system brought 450 Exchange servers to their knees. Not expecting any policy changes from this as the sender did everything right.
#HappyBirthdayHolly

I work in IT security and I know I impede the workflow. I could give several examples.
On the first day of the job I was told I needed to learn how to say “no” in 50 languages (figuratively). We are audited on a regular basis, and if we don’t follow the guidelines, people way up hear about it. And the guidelines are what they think it should be. If where I work made national news because of a data leak, and if it is in my area, it would not be a good day in the office for me.

On the other hand, we do things that minimize the hardship. We put in single sign-in, an online password reset tool, etc.

We’re public sector; there are retention rules for public records requests and whatnot. Anything I send or receive in my normal Outlook gets archived automatically. Paperwork is scanned then physically stored at the state capitol archive building, etc. How all that interacts with the state’s own encryption email portal, I don’t know. It could possibly be archived, just not readily available to end users after so many days.

That’s an efficient way to ensure nothing of value gets tossed, but it also means a lot of transitory information gets caught in that net.

Isn’t that difficult for you if you have to search for something that you or your team has worked on before?

Hence my complaint.

Another IT guy here.

In general I want to make things as easy for my users as I safely can but many things are out of my control. We’ve changed our internal password policies to use very long passwords which never expire but I have no control over the password policies our vendors use.

We also attempt to use single sign on so a single password can be used on multiple systems but many of our vendors refuse to play nice with our SSO system. I have some influence but I do not make the final decision on the vendors our company does business with.

I’m fighting the MFA for Office 365 battle right now. In fact, one of the people I’m fighting against is my boss.

For some reason he thinks it’s easier to get everyone set up and then enable MFA later. I can’t quite get him to understand that his idea ends up being way more disruptive in the long run, as we now have to do just about everything twice.

Our other issue is that clients do not want to buy phones for all of their employees, and some employees refuse to install the app. Actually, we have a few users who are unable to install an app for various reasons. So, we’re stuck with SMS.

I’m currently looking into hardware tokens, but many of our clients don’t want to pay for those, either.

I’m a cybersecurity guy, and most of the examples in this thread are “why can’t I do whatever I want?” but I’ll start with these two. If you have more questions about “why” I can answer them.

If you have to share a file, you don’t have shared folders? Why can’t Sharepoint upload the file? If it’s a technical reason, it has nothing to do with security. Check with your network people.

Why shouldn’t you have a VPN to connect with your office? You want all your network traffic going out to the Internet unencrypted? Well the data owners might not want that. Do you own the data you are sending? If so, tell the techs that you want unencrypted connections to your network. Good luck with that.

I work in government and most of these complaints are a result of uneducated users that think they should be able to do whatever they want. A simple perusal of the news can show what happens when users click a link and then the entire city network is caught in a ransomware attack.

Today I went to a company website where a company produced video was located. The video was blocked by the company security policy.