And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple in by itself, but cumulatively they are a giant hassle, and so people look for workarounds.
This is a tale as old as time. At a prior gig, IT took away touch ID for ... $reasons. ~40% of the engineering team was already big into mechanical keyboards so it only took one person to "just FYI, VIA allows you to program macros". Is it _as bad_ as password on a sticky note? Not quite but I can't imagine that touch ID was _more_ of a threat.
It became so prevalent that whenever we were planning anything, if a task had to be done by someone outside of our team, we added 20 days.
Security through eternity I guess ?
Getting organisations to act on the obvious if it requires changing is harder than you might think. Having research to point to and saying you are doing the wrong thing and now you've been told is like turning the lights on and off really quickly and moaning "Liability" in a spooky voice.
And tbh when you apply those standards with context and are faced with people bare-minimum pointing at the standards, you sometimes come off as less knowledgeable - such is the authority of research/standards.
Anyway, I skimmed your profile and learnt a new word, milquetoast - so thanks for that!
CRUD apps can contain very sensitive data, so not sure how that’s relevant.
I get that the hybrid method might be desirable for contractors or similar who have many hats, but for a regular employee it just adds friction for no benefit.
The Matrix was not fiction. Our modern internet is a system. You have to figure out how to live truly free from it, because it absolutely owns you.
__
Revelation 13:16–17
“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark…”
1. Enter a password to decrypt the computer
2. Enter a username and password to log into my account
3. Enter another set of credentials to access the corporate VPN
4. Enter another username and password to access the network the VM is on
5. Enter another username and password to get to the actual machine
6. And then navigate a nest of authorization for docker/git/etc to actually do anything useful
It's shocking how little people are paying attention to this upcoming security nightmare. It wouldn't take much for a bad actor to poison an AI session to wait for you to start selecting yes, yes, yes and then slip in something bad.
Incidents are inevitable at scale, but risk management at scale is an append-only operation that eventually becomes so complex and suffocating the only recourse is noncompliance.
Even going to the doctor I find myself pleading with the staff to just let me see my PCP instead of going through the full process. It takes 30 minutes now to get through the opening interrogation about overseas travel, human trafficking, vaccine awareness, anxiety and depression panels, domestic violence questions, multi-part questions about recent falls, and everything else that they keep tacking on. Usually in triplicate, waiting room forms, questions from the nurse, questions from the doctor.
And I know behind each of these individual decisions there is a horror story or someone proactively trying to prevent one, but altogether they create their own.
Some personal highlights spread across multiple jobs:
- IT decided they'd make some awful SharePoint page the browser homepage for Chrome via group policy. That page required you to login to your Microsoft account. If it was a Monday morning you'd have to authenticate via SMS just to see your homepage, or, what I did usually was ignore it. Every time I opened a new browser tab I'd get a new SMS. This went on for weeks at a time, maybe 50 SMS per day, out of spite. Eventually they disabled that crap. Anyone that deals with Microsoft logins knows that "Remember me" is almost totally a fake option that does nothing on purpose. [1]
- VPN that requires logging into your Microsoft account, which then sends you a notification to Microsoft Authenticator app, which requires a face scan, followed by typing in a code, followed by another face scan. At no point in the design process of that did someone think typing the code was redundant.
- Despite being a software engineer, able to produce executable binaries at will, which all seem to be trusted by our security software, I still need to talk to IT maybe 5 times a month to get <very popular well known widespread development tool> approved by the security software.
- Bonus points for the previous one, I often need to manually provide the exact DLL's used by the above. Every update means new file hashes, meaning repeating it all over again.
- Local admin rights to my work machine and yet for whatever reason IT make us type a password to open Windows Task Manager.
- Telling us all they have bought Copilot licenses we should use, only for IT to ring you almost immediately after using it because their corpo-garbage firewall starts throwing a fit about Copilot's requests to github.com, despite us already using GitHub.
[1]: https://www.bbc.com/future/article/20150415-the-buttons-that...
The modern landscape is frustrating because that setup actually works. Passwords, from a technical perspective, are actually great and are are bulletproof as long as they don't leak. No 2FA required. The entire issue is data leaks and phishing.
dijit•1h ago
Preaching is not a strong motivator for long.
carefree-bob•1h ago
The effect of that is that by requiring frequent rotation, the organization is effectively training their users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force rotated after they show up in database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
mysteria•1h ago
You can probably guess what happened, and that was that no one remembered their passwords and people wrote it down on their pads or sticky notes instead.
GoblinSlayer•56m ago
SAI_Peregrinus•44m ago
bluGill•51m ago
A password manager is better for most things, but you need to unlock the password manager somehow.
mystraline•46m ago
What does that mean? Passwords are stored in textiles accessible by admin only, and shared. And everyone is worse for it.