Hacker News

hullfracture, yesterday at 10:34 PM (2 replies)

This has the energy of "Remove all DEI initiatives because we have solved workplace discrimination."

> This kind of advice is well-intentioned but misleading. It consumes the limited time people have to protect themselves and diverts attention from actions that truly reduce the likelihood and impact of real compromises.

I dislike any methodology that claims its intent is to talk down to people for whatever declared reasoning. People are capable, and should be helped to make decisions based on all available information.

> Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.

When I worked as a security professional the breaches were nearly always from someone's password getting leaked in a separate public breach. If those individuals had changed that password, the in-house breach would have been avoided.

> Use a password manager

Sage advice.


Replies

NegativeK, today at 1:24 AM

> People are capable, and should be helped to make decisions based on all available information.

To relay a quote, with the source not being very important: "I'm not going to waste a dime on cybersecurity when my officers need bullets and armor." People can be intelligent and capable and have minimal (if you're lucky) bandwidth or tolerance for cybersecurity advice. It's not the crisis they see every day. The advice given to unwilling listeners has to be focused and prioritized.

And... Password leaks and therefore rotations aren't an issue if people are using a strong main password for their manager. Then a leak doesn't transfer to another account and the manager will loudly tell them when a password is found in breach data -- which lines up with NIST's modern advice of avoiding password complexity and rotation, since they've found it to lead to minimal (at best) gained security.

josephcsible, yesterday at 11:31 PM

> > Regularly change passwords: Frequent password changes were once common advice, but there is no evidence it reduces crime, and it often leads to weaker passwords and reuse across accounts.

> When I worked as a security professional the breaches were nearly always from someone's password getting leaked in a separate public breach. If those individuals had changed that password, the in-house breach would have been avoided.

You completely missed the point. The good advice is to not reuse passwords. That alone would have stopped the in-house breach.
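The two checks the replies lean on, a manager flagging a password that shows up in breach data (NegativeK's point) and flagging the same password reused across accounts (josephcsible's point), as an added example that is not part of the thread or of any particular password manager. The breach lookup follows the k-anonymity range pattern: the client hashes the password with SHA-1, sends only the first five hex characters, gets back every matching suffix, and compares locally, so the full hash never leaves the machine. `RANGE_TABLE`, `fetch_range`, `SAMPLE_VAULT` and the leak counts are constructed stand-ins so the script runs offline; real managers make a network call at the `fetch_range` step.

```python
import hashlib
from collections import defaultdict


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for breach data (counts are made up). A real client
# would query a range API; here the table is built locally from a few
# passwords so the example runs offline. Lines mirror the usual
# "SUFFIX:COUNT" response format.
_CONSTRUCTED_LEAKS = {"password": 9_545_824, "123456": 37_359_195, "hunter2": 23_540}


def _build_range_table(leaks: dict) -> dict:
    table = defaultdict(list)
    for pw, count in leaks.items():
        h = sha1_upper(pw)
        table[h[:5]].append(f"{h[5:]}:{count}")
    return {prefix: "\n".join(lines) for prefix, lines in table.items()}


RANGE_TABLE = _build_range_table(_CONSTRUCTED_LEAKS)


def fetch_range(prefix: str) -> str:
    """Stand-in for the network call. Only the 5-char prefix is sent, which
    is the k-anonymity property: the server cannot tell which of the
    returned suffixes the client actually holds."""
    assert len(prefix) == 5, "range lookups take exactly 5 hex chars"
    return RANGE_TABLE.get(prefix, "")


def breach_count(password: str) -> int:
    """How many times the password appears in (constructed) breach data.
    0 means not found. The suffix comparison happens on the client."""
    h = sha1_upper(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch_range(prefix).splitlines():
        if not line:
            continue
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_reused(vault: dict) -> list:
    """Groups of accounts sharing one password, sorted for stable output.
    Reuse is what turns a third-party leak into a breach elsewhere."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    return sorted(sorted(accts) for accts in by_password.values() if len(accts) > 1)


def audit_vault(vault: dict) -> dict:
    """Run both checks over a vault; this is what a manager surfaces loudly."""
    breached = {acct: breach_count(pw) for acct, pw in vault.items()}
    return {
        "breached": {acct: n for acct, n in breached.items() if n},
        "reused": find_reused(vault),
    }


# Constructed vault; hostnames and passwords are illustrative only.
SAMPLE_VAULT = {
    "forum.example": "hunter2",
    "mail.example": "hunter2",
    "bank.example": "correct horse battery staple",
    "vpn.example": "xK9#mQ2$pL7vN4rT",
}

if __name__ == "__main__":
    for section, finding in audit_vault(SAMPLE_VAULT).items():
        print(section, finding)
```

The audit reports the two `hunter2` accounts both as breached and as a reuse group, which is the combination the thread is arguing about: rotating `hunter2` on a schedule would not have helped, whereas a unique password per account would have confined the leak to the site that lost it.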