aggienaut: (Default)
[personal profile] aggienaut

I've had a general disagreement with "cybersecurity experts" for a while now, and it's lately been exacerbated by working for the state government. Because cybersecurity hinges on a knowledge of computers and programming that might as well be sorcery to those who don't specialize in it, I think they've been allowed to run unchecked by the basic thought processes of reasonableness that govern other functions.

Namely, these cybersecurity folks think up every possible conceivable way they could make it harder for an unauthorized person to log in to something, but they don't take into account any sort of cost/benefit analysis, either in terms of money or even security.

By which I mean, for example, a password that's a jumble of letters, numbers and symbols is maybe hard to guess, sure, but it's also impossible to remember, forcing people to either write these passwords on a physical paper on their desk (often taped to the monitor), or save them all to the computer, so that if someone does physically gain access to your desk it's all perfectly smooth sailing in from there. Comparatively, remembering one to three words is a cinch, and the odds of someone getting a program hooked up to your access and cycling through every word combination till they come up with it without setting off other alarms is infinitesimally small. The requirement to have at least one number and symbol in the password makes it impossible to do this without at least some hard-to-remember symbology being added.

As I said, working for the government has made that more difficult. One has to log in to one's devices, and also the Microsoft network, with so many different logins and multi-factor authentications that most of my coworkers don't actually use their work phones. I use mine to make work-related calls, but it logged itself out of the Microsoft network and I can't be bothered to fight WW3 all over again to get it back on, so it's no Teams for me via phone.

Also the PIN needs to be reset every three months. I don't know what the cybersecurity goons think is happening here; does some malicious actor physically gain access to my phone for 10 minutes a week and systematically try numbers, and we need to stay ahead of him? The only real result of this is that while I was able to use genuinely nearly-impossible-to-guess number combinations I could remember for the first two iterations, after that I obviously have had to resort to other numbers I could reel off from memory, which are inevitably going to be phone numbers or birthdays and much, much, much easier to guess than the basically impossible original numbers (and no, it won't let me repeat a number I had had before, god forbid).

I was traveling for work this past week and thought I'd take my work iPad to travel light. But after three incorrect login attempts it locks me out for a while, and when I finally got in it told me it was time for me to change the password again, in fact wouldn't let me do anything until I did so, but wanted me to enter the current passcode before setting a new one and .... yep, I failed it three times again and got locked out. (So went the week without using the iPad.)

Like, seriously, this is unreasonable.

I'm happy for added security to enter my bank account, but other than that, including for work, there's simply no risk that even remotely equals the added amount of frustration all these impossible-to-remember multi factor authentication things are burdening me with.

Cycling back to the beginning of this, the cybersecurity wizards think up a way something can be "more secure" but they don't think about whether it addresses a realistic danger or do any cost-benefit analysis on user burden vs. security. They pitch it via PowerPoint to the suits, who live on cost-benefit analyses but don't math the user burden, just that it could save them "billions" (the cyber-druid no doubt pitches them the worst-case the-whole-company-data-is-ransomwared scenario), and the trouble any individual user is caused by it doesn't add up as a cost to them, so they give the security warlock the go-ahead to torment all the staff with it. Staff end up taping passwords to monitors or using their wife's phone number as the PIN code, making it easier for someone genuinely bent on hacking the computer to actually do so, but the nocturnal, socially maladjusted cybersecurity witchdoctors don't concern themselves with that. Frankly I think a majority of them got a certification in cybersecurity from the grand dragon of cybersecurity professionals and are far more concerned with lording their knowledge over the IT-muggles than actually critically thinking about the whole thing.
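As an added worked example (not part of the original post), here is the arithmetic behind the two claims above: how big the guess space of each kind of secret is, and how long exhausting it takes through a login prompt that locks the account after a few failures, compared with what the same secret is worth once a copy of the password hash is in an attacker's hands and the prompt no longer rate-limits anything. The lockout policy (3 attempts, then a 15-minute lockout), the offline guess rate (1e10 per second, a fast unsalted hash on a GPU), the Diceware list size and the "birthday" PIN model are all assumptions, not figures from the page.

```python
"""Guess-space arithmetic for the password policies argued about in the post.

Added example, not code from the original post. The lockout policy,
the offline guess rate and the birthday model are assumed values.
"""
import math

PRINTABLE = 95            # printable ASCII characters a "jumble" password draws from
DICEWARE_WORDS = 7776     # standard Diceware list size (6**5), assumed
SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct secrets of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Bits of entropy of a uniformly chosen secret from a space of `space` values."""
    return math.log2(space)


def online_seconds_to_exhaust(space: int, attempts_before_lockout: int = 3,
                              lockout_seconds: int = 15 * 60) -> int:
    """Worst-case seconds to try every value through the login prompt.

    The account locks for `lockout_seconds` after `attempts_before_lockout`
    failures, so each lockout window buys the attacker that many guesses.
    Integer ceiling division keeps this exact for very large spaces.
    """
    windows = (space + attempts_before_lockout - 1) // attempts_before_lockout
    return windows * lockout_seconds


def offline_seconds_to_exhaust(space: int, guesses_per_second: float = 1e10) -> float:
    """Same space, but the attacker holds the hash and is limited only by hardware (assumed rate)."""
    return space / guesses_per_second


def compare_policies() -> dict:
    """Return, per policy, entropy and worst-case exhaustion time online and offline."""
    policies = {
        "8-char random jumble": keyspace(PRINTABLE, 8),
        "3 Diceware words": keyspace(DICEWARE_WORDS, 3),
        "4-digit PIN": keyspace(10, 4),
        "6-digit PIN": keyspace(10, 6),
        # What the post describes: an 8-digit PIN that is really a birthday.
        # Assumed model: any day in the last 80 years, about 29,200 values.
        "8-digit PIN that is a birthday": 80 * 365,
    }
    return {
        name: {
            "bits": round(entropy_bits(space), 1),
            "online_years": online_seconds_to_exhaust(space) / SECONDS_PER_YEAR,
            "offline_seconds": offline_seconds_to_exhaust(space),
        }
        for name, space in policies.items()
    }


if __name__ == "__main__":
    for name, row in compare_policies().items():
        print(f"{name:32s} {row['bits']:5.1f} bits  "
              f"online {row['online_years']:.3g} y  offline {row['offline_seconds']:.3g} s")
```

Under the assumed lockout, even a 4-digit PIN takes about five weeks to exhaust through the prompt, and three Diceware words take millions of years, which is the online case the post is arguing about. The offline column is the caveat: against a leaked hash the same three words fall in under a minute at the assumed rate while the 8-character jumble holds for days, and a birthday-shaped PIN is a few thousand guesses either way.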

Date: 2025-05-26 01:43 pm (UTC)
From: [identity profile] livejournal.livejournal.com
Hello! Your entry got to top-25 of the most popular entries in LiveJournal!
Learn more about LiveJournal Ratings in FAQ (https://www.dreamwidth.org/support/faqbrowse?faqid=303).

Date: 2025-05-26 03:42 pm (UTC)
From: [identity profile] lenine2.livejournal.com

You have my sympathy. MFA isn't too bad when it's personal stuff, but my work stuff is moronic. My windows password has to be 11 characters. Of course everyone puts "1234etc" at the end to make it that long. Everything goes through PingOne. I was lucky enough to have mine set up on my desktop by someone who was old school. Everyone else has theirs on their personal cell phones. That means they have to run over to the windows to get service on their phone for the six-digit code, then run back to their desk and hope it hasn't expired. Meanwhile, all of our databases have the same password. No individual accounts — one account, one password, for all databases.


I have a rule that, if my employer wants me to use a phone for work, they need to give me one and pay for the service. It's funny how quickly they find other options.

Date: 2025-05-26 03:45 pm (UTC)
From: [identity profile] wpadmirer.livejournal.com

I have a half-time job working in physical security at the local utility company, so I understand exactly what you're saying. We use PINs for our badge readers in physical security, but we don't demand they be changed. They are secure in our system because even WE cannot access what someone's PIN is, once we enter it. The security system we use encrypts them so we can't get them. If someone forgets their PIN, they have to make a new one.


Also, we only change our passwords every 6 months. That works fine.


IT Security people are nuts. When we were setting up PINs they insisted they put it in (on my computer, as it's the only one it can be done on), and that I stand across the room so I wouldn't see it. AND they complained it was only four digits. They wanted at least 6.

Date: 2025-05-27 07:51 pm (UTC)
From: [identity profile] onelargecat.livejournal.com

SO FRUSTRATING.

Date: 2025-05-31 11:05 pm (UTC)
From: [identity profile] newwaytowrite.livejournal.com
Frustration aside, ask the department to pay for a password manager app.

Page generated May. 9th, 2026 12:45 am
Powered by Dreamwidth Studios