“For Security Purposes” Statements Are Bull****
It’s Time Companies Told Us How They Secure Our Data and Devices.
If you have been on Twitter long enough, you have probably seen someone retweet a company giving terrible security advice like this:
@OldArrack Hello, a long password is a great way to protect your information! For security purposes we do not allow pasting of passwords.
— TurboTax Support (@TeamTurboTax) April 2, 2017
TurboTax likely does not allow you to paste passwords because “that’s how hackers brute-force accounts.” At some point, that may have been true.
But today, the sensible approach is to allow users to paste in passwords so they can use something properly strong. I don’t know about you – but I find it pretty difficult to type a secure password like “1mPYY!2Lx@tz” correctly every time (note to self – change password).
So then why do companies continue to defend their outdated and insufficient security? Masking weak security with generic ‘trust us, it’s fine’ answers is a crutch used to justify out-of-date practices and poorly thought-out policies. It’s a non-answer, like those arguments you would get stuck in with a kid sibling: Why? Because. Why? Because.
Yesterday I came across one of the most ridiculous examples in a while, courtesy of the Twitter account passwordistoostrong:
@Moorepay wins the prize for the worst website I’ve had to deal with. Their password requirements are priceless. pic.twitter.com/HTyAugW3uc
— Maciej Kula (@Maciej_Kula) July 20, 2016
Between 9 and 10 characters! And when questioned, Moorepay fell back on a perfectly generic excuse:
@Maciej_Kula Thank you for your feedback, our password policy is industry standard in relation to the data we hold on the system.
— Moorepay (@Moorepay) July 21, 2016
Which industry standard is that? Name it.
While this tweet is from last year, it’s emblematic of a systemic problem: companies routinely under-invest in security and think it’s okay to brush off our concerns with generic responses about best practices, or with the assurance that it is all “for security purposes.”
“For security purposes” joins “we take security seriously” (and its sibling, “we take security very seriously”) in the book of empty excuses for why a company failed to protect its users.
Back in the ’80s, Harry Frankfurt, an esteemed philosophy professor at Princeton, wrote an academic treatise titled “On Bullshit.” The piece discusses the rampant barely-truths, which Frankfurt calls bullshit, that permeate our lives. We see it. We recognize it. But, as Frankfurt says, we benignly accept it.
There are a number of qualities to his definition of bullshit, one of them being that “it must be deficient in meaning or that it is necessarily unimportant.”
“For security purposes” definitely fits the bill, but we allow it anyway.
We are in a security crisis right now. That crisis is the ransomware WannaCry (aka WannaCrypt). But, that’s just the flavor of the week. The real crisis is the dangerous ‘check-the-box for compliance’ mindset that many businesses and organizations have when it comes to keeping their systems secure and their users’ data safe.
How many times do we have to be harmed by poor security before we start demanding more from companies? Troy Hunt recently added another billion stolen account credentials to his Have I Been Pwned? service. Seriously. Another billion.
Businesses aren’t using HTTPS. They are storing our passwords in plain text. They are months behind installing critical security patches.
But this is not just about bad data hygiene anymore. There are lives at risk, literally. The WannaCry ransomware wreaked havoc through England’s NHS, shutting down hospitals. Devices implanted in people to keep them alive can be controlled and disrupted by attackers.
Canned answers about “security purposes” and “industry standards” aren’t cutting it. It is insulting that companies think they can take the same ‘check-the-box’ attitude for public statements. “We take security seriously” addresses the problem only in the literal sense that the words were spoken.
It’s time for companies to cut the bullshit and show their users that they are secure. Start by storing passwords properly and letting us know it. Show that your software and devices have undergone regular audits. Prove to us that you take security seriously – go above and beyond – because just saying it doesn’t mean a whole lot anymore.
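What the two complaints above look like in code, as an added example (not part of the original post or of any vendor’s code): a “between 9 and 10 characters” rule like the one in the Moorepay tweet rejects the 12-character password quoted earlier, while a sensible policy accepts it; and “storing passwords properly” means a salted, slow hash (scrypt from the standard library here) verified in constant time, instead of the plain text the post criticizes. The specific length limits and scrypt parameters are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int
    max_length: int


# The "between 9 and 10 characters" rule quoted in the Moorepay tweet.
MOOREPAY_STYLE = PasswordPolicy(min_length=9, max_length=10)
# Assumed sensible policy: long enough to be strong, with a ceiling high enough
# that password-manager output (pasted in) is never rejected.
SENSIBLE = PasswordPolicy(min_length=12, max_length=128)

# Example password from the article: 12 characters, too long for the 9-10 rule.
EXAMPLE_PASSWORD = "1mPYY!2Lx@tz"

# scrypt cost parameters (assumed values; 2**14/8/1 uses about 16 MiB).
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_MAXMEM = 2**14, 8, 1, 64 * 1024 * 1024


def check_policy(password: str, policy: PasswordPolicy) -> bool:
    """True if the password length falls inside the policy's bounds."""
    return policy.min_length <= len(password) <= policy.max_length


def _scrypt(password: str, salt: bytes) -> bytes:
    return hashlib.scrypt(password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P,
                          maxmem=SCRYPT_MAXMEM, dklen=32)


def hash_password(password: str) -> str:
    """Store 'scrypt$<salt>$<digest>' with a fresh random salt per user,
    so identical passwords never produce identical records."""
    salt = os.urandom(16)
    return f"scrypt${salt.hex()}${_scrypt(password, salt).hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    scheme, salt_hex, digest_hex = stored.split("$")
    if scheme != "scrypt":
        return False
    candidate = _scrypt(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
```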