One Article Review

Home - The article:
Source: Errata Security
Identifier: 588738
Publication date: 2018-04-15 21:57:11 (viewed: 2018-04-16 04:05:57)
Title: Let's stop talking about password strength
Text:

[Picture from EFF, CC-BY license]

Near the top of most security recommendations is to use "strong passwords". We need to stop doing this.

Yes, weak passwords can be a problem. If a website gets hacked, weak passwords are easier to crack. It's not that this is wrong advice.

On the other hand, it's not particularly good advice, either. It's far down the list of important advice that people need to remember. "Weak passwords" are nowhere near the risk of "password reuse". When your Facebook or email account gets hacked, it's because you used the same password across many websites, not because you used a weak password.

Important websites, where the strength of your password matters, already take care of the problem. They use strong, salted hashes on the backend to protect the password. On the frontend, they force passwords to be a certain length and a certain complexity. Maybe the better advice is to not trust any website that doesn't enforce stronger passwords (a minimum of 8 characters consisting of both letters and non-letters).

To some extent, this "strong password" advice has become obsolete. A decade ago, websites had poor protection (MD5 hashes) and no enforcement of complexity, so it was up to the user to choose strong passwords. Now that important websites have changed their behavior, such as using bcrypt, there is less onus on the user.

But the real issue here is that "strong password" advice reflects the evil, authoritarian impulses of the infosec community. Instead of measuring insecurity in terms of costs vs. benefits, risks vs. rewards, we insist that it's an issue of moral weakness. We pretend that flaws happen because people are greedy, lazy, and ignorant. We pretend that security is its own goal, a benefit we should achieve, rather than a cost we must endure.

We like giving moral advice because it's easy: just be "stronger". Discussing "password reuse" is more complicated, forcing us to discuss password managers, writing down passwords on paper, that it's okay to reuse passwords for crappy websites you don't care about, and so on.

What I'm trying to say is that the moral weakness here is us. Rather than give pertinent advice, we give lazy advice. We give advice that victim-shames people for being weak while pretending that we are strong.

So stop telling people to use strong passwords. It's crass advice on your part and largely unhelpful for your audience, distracting them from the more important things.
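The article contrasts the decade-old backend (plain MD5 hashes, no complexity enforcement) with what important websites do now (a frontend length-and-complexity check plus a strong, salted hash such as bcrypt). The following is an added example, not code from the article or from Errata Security, showing both halves side by side: the 8-character letters-and-non-letters policy the article suggests, an unsalted MD5 store of the old kind, and a salted slow-hash store. It assumes scrypt from Python's standard library as a stand-in for bcrypt (bcrypt is a third-party package), and the `scrypt$N$r$p$salt$digest` record format is an assumption chosen for this example. The point it makes visible is the one that matters for password reuse across a breach: two users with the same password produce the same MD5 digest but different salted digests, so a salted store does not let one cracked hash unlock every account sharing that password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Frontend policy from the article: at least 8 characters, containing both
# letters and non-letters (digits, punctuation, spaces all count as non-letters).
def meets_policy(password: str) -> bool:
    if len(password) < 8:
        return False
    has_letter = any(c.isalpha() for c in password)
    has_non_letter = any(not c.isalpha() for c in password)
    return has_letter and has_non_letter


# The decade-old backend the article describes: an unsalted MD5 digest.
# Equal passwords give equal digests, so the store leaks who shares a password,
# and one precomputed table cracks every copy at once.
def md5_unsalted(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Salted, deliberately slow hashing. The article names bcrypt; scrypt from the
# standard library is used here as a stand-in (assumption for this example).
# Cost parameters: 128 * r * N bytes of memory, i.e. 16 MiB with these values.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme, cost parameters, salt, digest.

    A fresh 16-byte random salt is drawn per call unless one is supplied
    (supplying one is only useful for tests and reproducibility).
    """
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt,
        n=SCRYPT_N,
        r=SCRYPT_R,
        p=SCRYPT_P,
        dklen=DKLEN,
    )
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters, compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return False
    _, n, r, p, salt_hex, digest_hex = parts
    candidate = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n),
        r=int(r),
        p=int(p),
        dklen=DKLEN,
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def reuse_visible_in_store(password: str) -> dict:
    """Constructed scenario: two accounts registered with the same password.

    Returns whether each store reveals that the two accounts share a password.
    """
    return {
        "md5_reveals_reuse": md5_unsalted(password) == md5_unsalted(password),
        "salted_reveals_reuse": hash_password(password) == hash_password(password),
    }


if __name__ == "__main__":
    for pw in ["password", "Ab1!", "correct horse battery"]:
        print(f"{pw!r:26} meets policy: {meets_policy(pw)}")
    print(reuse_visible_in_store("hunter2!!"))
```

Verification must use the salt and parameters stored with the record rather than the current constants, so that raising the cost later does not lock out accounts hashed under the old settings; `hmac.compare_digest` avoids leaking how many digest bytes matched through timing.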
The article does not appear to have been picked up after its publication.

The article does not appear to have been picked up from an earlier source.