artofbad.blogg.se

One password family plan

Passwordless logins are now a thing with several companies. Forcing them to remember lots of different passwords backfired and necessitated password managers. We need to make it simpler for them to stay secure, not harder. There's a group of users for whom all this security stuff is just way too difficult. Ultimately, that's why we need to get rid of passwords. It helps but people default to doing the wrong things. And yes, we do have a security policy that spells all of this out. But it's not really a scalable solution because I don't have the time or patience to coach all of our people. But at least they now come from a password manager. From what I've seen she doesn't and she uses a small set of easily guessable passwords all over the place. Bonus points if she starts using 2FA for her private accounts.


I recently had to coach a co-worker to do something more sane than store her passwords in a plain text file on her private Google Drive (seriously!). This is what real people do when you confront them with a lot of complex security. The reason I discovered this was that I had to talk her through setting up 2FA for our company's Google account because she lost her phone. And then I discovered that she was copy pasting passwords from this stupid text file. Next she'll be using it to use generated passwords.

The biggest threats I see for most users are:

1. Password reuse, where a relatively unimportant account (shopping site) getting cracked gives the attacker the same password you used for a critical account (email).
2. Phishing, where you enter your password on a fake login page.
3. Lost device, where someone finding it can easily impersonate you on any site you're logged into.

A password manager handles (1), and if it auto-fills reliably on websites (as Chrome's does) that handles (2) as well. For (3) you want disk encryption, which is now standard on phones and is an easy option on laptops as well.

After these, my next concern would be compromise of the cloud-based password backups. Here is where your parent's comment on Google's security is relevant: Google (disclosure: I used to work there) has an excellent security team and there are few companies I would trust more to keep cloud vaults secure. The attacks your links are talking about start by assuming someone has full access to your computer. While putting some bumps in their way at this point is nice, I guess, there's nothing stopping them from keylogging their way past any password manager you choose.


It's all a question of your threat model.













