It’s Time Companies Told Us How They Secure Our Data and Devices.
If you have been on Twitter long enough you have probably seen someone re-tweet a company giving terrible security advice like this:
@OldArrack Hello, a long password is a great way to protect your information! For security purposes we do not allow pasting of passwords.
— TurboTax Support (@TeamTurboTax) April 2, 2017
Turbotax likely does not allow you to paste passwords because “that’s how hackers bruteforce accounts.” At some point, that may have been true.
But today, the sensible approach is to allow users to paste in passwords so they can use something properly strong. I don’t know about you – but I find it pretty difficult to type a secure password like “1mPYY!2Lx@tz” correctly every time (note to self – change password).
So then why do companies continue to defend their out-dated and insufficient security? Masking over security with generic ‘trust us it’s fine’ answers is a crutch used to justify out of date practices and poorly thought out policies. It’s a non-answer, like those arguments you would get stuck in with a kid sibling – Why? Because. Why? Because.
Yesterday I came across one of the most ridiculous examples in a while, courtesy of the Twitter account passwordistoostrong:
— Maciej Kula (@Maciej_Kula) July 20, 2016
Between 9 and 10 characters! And when questioned, Moorepay fell back on a perfectly generic excuse:
@Maciej_Kula Thank you for your feedback, our password policy is industry standard in relation to the data we hold on the system.
— Moorepay (@Moorepay) July 21, 2016
Which industry standard is that? Name it.
While this tweet is from last year, it’s emblematic of a systemic problem: Companies routinely under-invest in security and think it’s okay to brush off our concerns with generic responses about best practices. That this is “for security purposes.”
“For security purposes” joins “we take security seriously” (and its sibling, “we take security very seriously”) in the book of empty excuses for why a company failed to protect its users.
Back in the 80’s, Harry Frankfurt, an esteemed philosophy professor at Princeton, wrote an academic treatise titled “On Bullshit.” The piece discusses the rampant amount of barely-truths, which Frankfurt calls bullshit, that permeate our lives. We see it. We recognize it. But as Frankfurt says, we benignly accept it.
There are a number of qualities to his definition of bullshit, one of them being that “it must be deficient in meaning or that it is necessarily unimportant.”
“For security purposes” definitely fits the bill, but we allow it anyway.
We are in a security crisis right now. That crisis is the ransomware WannaCry (aka WannaCrypt). But, that’s just the flavor of the week. The real crisis is the dangerous ‘check-the-box for compliance’ mindset that many businesses and organizations have when it comes to keeping their systems secure and their users’ data safe.
How many times do we have to be harmed by poor security before we start demanding more from companies? Troy Hunt recently added another billion stolen account credentials to his Have I Been Pwned? service. Seriously. Another billion.
Businesses aren’t using HTTPS. They are storing our passwords in plain text. They are months behind installing critical security patches.
But this is not just about bad data hygiene anymore. There are lives at risk, literally. The WannaCry ransomware wreaked havoc through England’s NHS, shutting down hospitals. Devices that are being installed inside of people to keep them alive can be controlled and disrupted by attackers.
Canned answers about “security purposes” and “industry standards” aren’t cutting it. It is insulting that companies think they can take the same ‘check-the-box’ attitude for public statements. “We take security seriously” addresses the problem only in the literal sense that the words were spoken.
It’s time for companies to cut the bullshit and show their users that they are secure. Start by storing passwords properly and letting us know it. Show that your software and devices have undergone regular audits. Prove to us that you take security seriously – go above and beyond – because just saying it doesn’t mean a whole lot anymore.