4 Comments
Neural Foundry

This nails it. The 550+ password problem is real and most infosec pros dunno how to address it without creating perverse incentives. I've worked with teams who tried implementing strict rotation policies and ended up with Excel files of passwords floating around. The moral hazard point about AML regs is especially sharp because it mirrors what happens when you make prevention theater the primary metric instead of actual outcome reduction. Banks optimize for appearing compliant rather than reducing fraud risk.

Ian Braithwaite

Thank you Gordon, for adding to both my education and concern. It has caused me to recall an observation decades ago by my parents' carpenter: "locks are only for honest people".

I admit that, knowing very little about online security, save for decent passwords, I have lived in the hope that someone knows what they are doing - perhaps unwise - but as is so common, I feel there is little else that I can do.

Quentin Vole

"Brute-force password cracking (in the mode of movie thrillers) can easily be stopped by not allowing sequences of failed access attempts."

Not when the attacker can copy encrypted files and try billions of passwords offline in a few hours. But overall, the article makes good points (based on a career in IT with the last 20 years having been spent in Security): all security is a trade-off. If you want to be secure from Internet attack, never connect to the Internet - but this may make your life too inconvenient to be acceptable as a solution!

To some extent, physical security is about making yourself a less attractive target than the home or office next door - nobody buys a wall safe to protect their precious collection of beermats - because a physical attacker can only try one doorknob at a time to see who has forgotten to lock up. But anyone on the Internet can try a million 'doorknobs' an hour (e.g. searching for default passwords), which changes the balance of effectiveness.

Gordon Hughes

Yes, you are correct. Sorry, I was thinking about access rather than signals encryption. What I left out to keep the article from being too long was that passkey length plus padding and randomisation are almost always better. Hence Apple moving from 4- to 6-digit PIN numbers, but how many digits can we remember reliably? 10-digit phone numbers, but only a very small number of them.

You are also correct about the huge volume of access attempts that you can see on a typical domestic router. For edge equipment one must have multiple levels of security and, in effect, lock it down so that configurations can't easily or at all be changed from outside. But then some user reads about how to open up a port to allow certain kinds of gaming and is surprised when their network is hijacked! You can't really blame the user but equipment manufacturers are often completely clueless.

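The online-versus-offline distinction in Quentin Vole's comment and the PIN-length point in Gordon Hughes's reply, as an added worked example (not from the article or either commenter): the guess rates and secret shapes below are constructed, round-number assumptions, and the model assumes uniformly random secrets.

```python
"""Expected guessing time under the three regimes the comments contrast:
online guessing throttled by a failed-attempt lockout, offline guessing of
copied hashes with a fast hash, and offline guessing against a slow KDF.
Added example, not from the article or the commenters. All rates below are
constructed, round-number assumptions, not measurements."""
from math import log2

# Constructed assumptions: sustained guesses per second an attacker achieves.
RATES = {
    "online, 10 tries then 1h lockout": 10 / 3600,
    "offline, fast unsalted hash": 1e10,
    "offline, slow memory-hard KDF": 1e4,
}

# Constructed secret shapes: (alphabet size, length).
SECRETS = {
    "4-digit PIN": (10, 4),
    "6-digit PIN": (10, 6),
    "12 random alphanumerics": (62, 12),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of this shape."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random secret; length adds bits linearly."""
    return length * log2(alphabet_size)


def expected_seconds(alphabet_size: int, length: int, rate: float) -> float:
    """Expected time to hit a uniformly random secret: half the keyspace at `rate`."""
    return keyspace(alphabet_size, length) / 2 / rate


def humanize(seconds: float) -> str:
    """Express a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("seconds", 1)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.2g} seconds"


def resistance_table() -> dict:
    """Map (secret, regime) -> expected cracking time in seconds."""
    return {(s, r): expected_seconds(a, n, rate)
            for s, (a, n) in SECRETS.items() for r, rate in RATES.items()}


if __name__ == "__main__":
    for (secret, regime), secs in resistance_table().items():
        print(f"{secret:24} {regime:34} {humanize(secs)}")
```

The table shows the lockout making even a 6-digit PIN take years online, while the same PIN falls in microseconds once the hash is copied, which is why the defence against offline guessing is length plus a slow KDF rather than attempt counting.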