Guy who knows everyone has weak passwords tells them it’s their fault they get hacked, yet it’s not their fault that he has their passwords. – good talk.
I spent some of Thursday and Friday trying to convince some Twitter-famous people that they were not correct in blaming/shaming/pushing accountability onto customers for having ‘shit’ passwords …
Quite simply put, they believe that if an account is compromised due to weak credentials that the customer has supplied, that customer should bear some of the responsibility, regardless of the system’s posture.
Here is why I disagree with them:
I’m fairly confident human behaviour is a variable. People reading this will probably be tech savvy, but there are a lot more people who aren’t. How does my idea of a good password compare to my granny’s, or a child’s, or that of someone who really doesn’t care about the service they are using?
My approach to this is simple: assume it’s a variable, and treat it as one.
The reason for my comments was credential stuffing … you know that password you reuse across different sites? The ones that don’t have two-factor authentication available or enabled? Well, those are susceptible to credential stuffing.
The attack is simple: internet shitheads scrape your compromised credentials from all the vulnerable sites that have been hacked over the past few years (because security hasn’t been taken as seriously as it should have been by the platform provider) and blast websites with weak defences and weak authentication mechanics in the hope of successful logins, then sell those accounts, access your stuff, harvest it, use it to some advantage, etc.
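What that attack looks like from the defender’s side is worth seeing, so here is an added example (my code, not anything from the original post or from any vendor mentioned in it). It runs a small credential-stuffing detector over a handful of constructed login-log lines: one IP address walks through many different usernames with mostly failures, which is the tell of a stuffing run, and the one account it did get into is listed for review. The log format, IP addresses and usernames are all made up for the example.

```python
"""Toy credential-stuffing detector over constructed auth-log lines (added example)."""
import re
from collections import defaultdict

# Constructed sample log (not from the original post). 203.0.113.5 cycles through
# six different accounts with one success; the other two IPs look like ordinary users.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z ip=203.0.113.5 user=alice result=FAIL
2024-01-01T10:00:01Z ip=203.0.113.5 user=bob result=FAIL
2024-01-01T10:00:02Z ip=203.0.113.5 user=carol result=SUCCESS
2024-01-01T10:00:03Z ip=203.0.113.5 user=dave result=FAIL
2024-01-01T10:00:04Z ip=203.0.113.5 user=erin result=FAIL
2024-01-01T10:00:05Z ip=203.0.113.5 user=frank result=FAIL
2024-01-01T10:05:00Z ip=198.51.100.7 user=grace result=FAIL
2024-01-01T10:05:10Z ip=198.51.100.7 user=grace result=SUCCESS
2024-01-01T10:06:00Z ip=192.0.2.9 user=heidi result=SUCCESS
"""

# Hypothetical log format: "ip=<addr> user=<name> result=<SUCCESS|FAIL>".
LINE_RE = re.compile(r"ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_log(text):
    """Return a list of (ip, user, succeeded) tuples, skipping lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append((m["ip"], m["user"], m["result"] == "SUCCESS"))
    return events


def find_stuffing_sources(events, min_users=5, max_success_rate=0.5):
    """Flag IPs that tried many distinct accounts with a low success rate.

    A real user forgetting a password hits one account many times; a stuffing
    run hits many accounts once each, and most of the pairs no longer work.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0, "successes": 0})
    for ip, user, ok in events:
        stats = per_ip[ip]
        stats["users"].add(user)
        stats["attempts"] += 1
        stats["successes"] += int(ok)

    flagged = {}
    for ip, stats in per_ip.items():
        rate = stats["successes"] / stats["attempts"]
        if len(stats["users"]) >= min_users and rate <= max_success_rate:
            flagged[ip] = {
                "distinct_users": len(stats["users"]),
                "attempts": stats["attempts"],
                "successes": stats["successes"],
            }
    return flagged


def accounts_needing_review(events, flagged_ips):
    """Accounts successfully logged into from a flagged IP: that password pair is now known to be good."""
    return sorted({user for ip, user, ok in events if ok and ip in flagged_ips})


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    hits = find_stuffing_sources(evs)
    print("flagged sources:", hits)
    print("accounts to review:", accounts_needing_review(evs, hits))
```

The thresholds (five distinct accounts, at most half successful) are arbitrary and would be tuned per service; the point is that the signal lives in the server’s own logs regardless of how good or bad each customer’s password was, which is exactly the “treat it as a variable” stance the post argues for.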
Anyway, I argued that it’s backwards thinking to create a service that allows poor passwords, but even with good passwords, if the website has security flaws, that good password will just end up on a list for internet shitheads. With no 2FA/MFA, all roads point to implementing 2FA/MFA, allowing for (arbitrarily) “good” or “bad” passwords* – a variable – which then entitles the customer to an out-of-band interaction with a device they own, or to provide other MFA information. So if your password is compromised (as my Steam account’s was recently), you just get a notification on your phone saying “login from the Philippines?” I cancelled it, logged into Steam, changed my password; nothing lost for me except a few minutes, nothing gained by the attacker apart from fleeting confidence. GTFO.
It’s a bad question to ask… here’s a good one:
> What’s the least intrusive MFA/2FA journey that you like? Google? Authy, Authenticator, SMS, email? Other? Then deconstruct the customer experience and its availability and accessibility, maybe even prompting improvements to the ones we don’t like.
Kettling customers into ownership of an inadequate system’s weak authentication mechanics, and using their password choices as the reason … creating a place for those bad passwords to exist without two-factor authentication … what does it really achieve apart from looking sanctimonious?
You use bad passwords, we let you, now you got hacked.
You use bad passwords, we let you, but we have 2FA.
In the meantime, credential stuffing could be reduced if Cloudflare or other services could identify the difference between residential and non-residential addresses. I think Google reCAPTCHA does; I’m not 100% sure. But with the implementation effort of that, perhaps 2FA could go in just as quickly?
This is a ranty post. I find it hard to stay quiet when bad advice(?) has a large audience, and I know from working with many engineering teams that you can’t just turn 2FA on (unless there is a compliance issue ;)). I know that there are businesses out there that are too scared to even update their password hashing in case everything dies, and I know that good people leave less-good people with difficult problems. Engineering is tough, but attacks are getting easier; we can’t use the internet like it’s the 90s anymore. Data crime is a thing, hacking is a thing, GDPR, PCI, what else? Oh, an angry UX team for making them introduce a new step in a customer’s journey to using the service… Execution is hard, but offsetting accountability for a problem that tech has created is lazy and pointless, and agreeing otherwise and influencing people otherwise will only slow things down for us all. Customers are variables. Expect good and bad, act accordingly.
If you want to follow the exhausting threads click below,
The problem with the threads is that if things get too exciting in them, a blog/vlog is created that then turns into a broadcast message as opposed to an interactive conversation, and I’m mostly getting smashed in by Troy’s receptionist. (I say that facetiously, because he’s a smart guy, knows fine well what my points were, and wasted a lot of my time, but … did give me a platform to debate … silver lining.)
Password Responsibility Poll – ignore the references to the volume of biased Troy fans cited as legitimate global opinion; it’s just Twitter, but people are still listening.
A compelling piece from Javvad: https://www.j4vv4d.com/victim-blaming-by-any-other-name-still-smells-just-as-bad/