I have seen this phenomenon especially at a couple of FAANGs over the past couple of years. Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively. Because by the time they know if they will need it or not, it's too late.
And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
baby_souffle 25 minutes ago [-]
> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is a tale as old as time.
At a prior gig, IT took away touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards so it only took one person to "just FYI, VIA allows you to program macros". Is it _as bad_ as password on a sticky note? Not quite but I can't imagine that touch ID was _more_ of a threat.
JasperNoboxdev 5 minutes ago [-]
Curious, why remove Touch ID? Been moving everything into it seems like a really good mix of convenience + security (especially if the alternative is copying your key into AI :) )
sam_lowry_ 12 minutes ago [-]
A big use case for Yubikeys is the ability to emulate a keyboard and produce a string of chars on touch.
whynotmaybe 20 minutes ago [-]
Not really new. A long time ago I had to wait 2 months to have access to a shared folder on a development server.
It became so prevalent that whenever we were planning anything, if a task had to be done by someone outside of our team, we added 20 days.
Security through eternity I guess ?
general_reveal 6 minutes ago [-]
Just get off as many of these platform as you can. That’s about the only security that you’ll ever get. If you are still in the Matrix, listen the weirdos on here that take “don’t trust anything” seriously to the point of absurdity.
The Matrix was not fiction. Our modern internet is a system. You have to figure out how to live truly free from it, because it absolutely owns you.
__
Revelation 13:16–17
“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads:
And that no man might buy or sell, save he that had the mark…”
donatj 23 minutes ago [-]
The level of lockdown in current years is wild. With our 2FA requirements and SSO, signing into GitHub every morning takes me something like eight clicks and a solid minute. Everything has gotten so locked down in recent years, people are working so hard to protect what are largely basic CRUD apps
onetimeusename 7 minutes ago [-]
I think security became part of compliance so security recommendations got detached from actual security. It seems like a lot of security recommendations are just busy work that justifies having a huge compliance industry. So an example of this might be security scanners for code where the output is not even useful. But using the tool, which searches for irrelevant findings, is required for compliance even if it basically does nothing for security.
dijit 42 minutes ago [-]
thats part of why NIST updated their password rotation recommendations from 90 days to indefinite: people pay lip service to security if it is too inconvenient. you have to try to meet people where they are.
Preaching is not a strong motivator for long.
carefree-bob 34 minutes ago [-]
It's not just about "convenience", it is hard for the human mind to remember a truly random password. You can try all the mnemonic tricks you want but at the end of the day it requires a lot of time and repetition before entering the password is effortless. So what people do is create a stream of derivable passwords. For example, I can think of a phrase "I love beach balls bouncing on the ocean!" and then make a password "ilBBbotocean!" and when it comes time to change that password, I'll just add a number "ilBBbotocean!1". Studies have shown this is what people do. But it is easy for attackers to also derive these passwords once one password in the chain has been compromised.
The effect of that is that by requiring frequent rotation, the organization is effectively training their users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force rotated after they show up in database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
mysteria 26 minutes ago [-]
I remember a case where a company decided to assign employees random 16 character passwords with symbols and rotated them every 90 days or so. They were unchangeable and the idea was that everyone would be forced to use a secure password that changed regularly.
You can probably guess what happened, and that was that no one remembered their passwords and people wrote it down on their pads or sticky notes instead.
10 minutes ago [-]
gz5 26 minutes ago [-]
Absolutely. Easier said than done, but the best security is structural security - as near to invisible for end users as possible. This needs to be the goal, imo, even if not fully achievable.
ctxc 24 minutes ago [-]
Fairly obvious? Or isn't it that way for everyone?
languagehacker 8 minutes ago [-]
Nice to see SUNY Albany on here!
Rendered at 16:07:00 GMT+0000 (Coordinated Universal Time) with Vercel.
And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is a tale as old as time. At a prior gig, IT took away touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards so it only took one person to "just FYI, VIA allows you to program macros". Is it _as bad_ as password on a sticky note? Not quite but I can't imagine that touch ID was _more_ of a threat.
It became so prevalent that whenever we were planning anything, if a task had to be done by someone outside of our team, we added 20 days.
Security through eternity I guess ?
The Matrix was not fiction. Our modern internet is a system. You have to figure out how to live truly free from it, because it absolutely owns you.
__
Revelation 13:16–17
“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark…”
Preaching is not a strong motivator for long.
The effect of that is that by requiring frequent rotation, the organization is effectively training their users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force rotated after they show up in database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
You can probably guess what happened, and that was that no one remembered their passwords and people wrote it down on their pads or sticky notes instead.