Monday, August 6, 2012

Security Rant

Ok, I read... I read a lot. Twitter, news articles, blogs, books, magazines, websites, basically anything that crosses my path. As do most people in the IT and Infosec worlds. Why? Because, Information is valuable. It was once the core belief of "hackers" that information should be freely available, but that is a rant for another time. Today I was pushed over the edge by this article ( Specifically #1... Now before the core of my rant let me just say that the other four items are however solid pieces of advice. Do them! Do them to a "T". 

Now.. the rant......

For the love of all that is holy!!!!! The title of the article is FIVE WAYS TO PREVENT YOUR ACCOUNT FROM BEING HACKED, and your first suggestion is 'go to this random page and input your password to test its strength'.... SERIOUSLY?!?! I really don't care who runs the site or how secure they claim it to be. You should never be telling people to put their passwords into random sites! The average person does not realize the difference and in the end all you are doing is conditioning Joe Public to trust any site with the keys to their kingdom! Yes, some people need to re-evaluate their passwords, but this is not the way to get them to realize it. How about just providing a ranking criteria for them to do a self evaluation... like length, use of numbers, special characters, Alpha-upper, Alpha-lower, maybe even number of each, this could accomplish the same goal.... but NEVER tell them to volunteer their password to ANYONE no matter how seemingly good their intentions may be!!

While I am currently singling out this article/site this is not the only place I have seen this suggestion in the past few months. It usually pops up like clockwork after a password breach or a high profile hack. I am all for constantly reminding people that they need to have good passwords, but I am begging you... if you have the ability to reach people in mass and inform them, do not do it in such a way that conditions them into foolish practices.