
The Effectiveness of Publicly Shaming Bad Security - MandieD
https://www.troyhunt.com/the-effectiveness-of-publicly-shaming-bad-security/
======
nickray
[https://login.swissid.ch](https://login.swissid.ch) does this too: disallow
password managers from filling out the login. Upon asking them to fix:
"Autofill completion is not allowed by us for security reasons. First, if
that's the case, if someone gets to your PC, we can stop a hacking attempt and
that's one of many reasons. For other questions, we are at your disposal."

They also only enforce SMS as two-factor authentication.

The idea of this SwissID is to become a nation-wide identity service, yet they
manage to do everything wrong. Yeah, this annoys me to no end :(

~~~
dcbadacd
Can someone explain what security does forbidding pasting provide? My brain
just can't comprehend it.

Also, would a fix be a password manager that just ignores the forbidding or is
it done with JS somehow?

~~~
probably_wrong
A couple (bad) examples I can think of:

* you leave the password in the clipboard, and another website copies it (used to be a thing, I think it's patched now)

* same case, but now a coworker comes to your unattended PC and retrieves the password by pasting it somewhere

* allowing pasting would undermine the idea that you should never write your password down, and lead to a proliferation of files called "passwords.txt" on everybody's desktops

None of these arguments is really good, but I can believe that they would be
the result of a world without widespread password managers (also known as "the
90s") and tradition.

~~~
davidhyde
Using the clipboard at all for security related things like temporarily
storing a password is a bad idea. The clipboard is a big public billboard
visible to anything running on your computer.

The fact that password managers use it at all is simply because it is the only
hack that works to reliably get data into password boxes. Yes, it's a hack. The
HTML5 spec should have exposed a mechanism to securely insert data into an
element tagged for such a purpose. A one-way mechanism.

~~~
hiccuphippo
Does any password manager use a virtual keyboard to type the passwords in?
That would avoid using the clipboard, but wouldn't work with one of my banks
which doesn't even have an input box. They show a keyboard on screen and you
have to click on the letter to type your password.

~~~
thedirt0115
You have to type in your password WITH YOUR MOUSE??? Wow. Sounds like a great
way to make sure everyone uses the minimum allowed length for their
passwords...

~~~
sb23
One of mine has this mouse-to-type feature coupled with numbers only and max
length of 6...

------
abarringer
Troy and Krebs should team up to create a security hall of shame and only
remove companies when issues are fixed.

We have security vendors who have sslv2 enabled and they can't understand why
that's an issue.

We have huge fortune 250 companies that we exchange full credit card data with
that have TLS 1.0 enabled with Symantec certs and only two weak ciphers. I
sent them an ssl labs report and they accused me of breach of contract for
hacking the site.

This list of security and finance related vendors that are double facepalm
worthy is just astonishing.

~~~
tombrossman
I'm doing this in the community where I live and I have discovered that it is
super effective. I send an email to each company explaining a security problem
with their site (currently focusing on simple lack of HTTPS for form data, and
not mentioning the public disclosure because I want to see who fixes things
because they care vs. those just avoiding negative publicity) and if they
haven't resolved it or replied within a week, I list them publicly on
[https://www.insecure.org.je](https://www.insecure.org.je).

The site isn't winning me any design awards and needs expanding of the advice
articles, but dozens of local companies are immediately spurred to action when
they appear in the "Sites requiring extra caution" section. Thousands of local
users have directly benefited by the added security, even though they are
completely unaware of why it was upgraded.

The reaction from some businesses has been very predictable, with a mix of
hostility, threats, confusion and outright lies, but enough respond politely and
want to fix things, and I go out of my way to help those who want to learn.

Source is public and if you want to try this locally, I highly recommend it:
[https://gitlab.com/tombrossman/insecure.org.je](https://gitlab.com/tombrossman/insecure.org.je)

~~~
craftyguy
That is a great idea! Do you reach out to companies after adding them to the
public list of shame letting them know, or do they eventually discover they
are on it? I may have to implement this...

~~~
tombrossman
No, I just list them and I do not send any follow-up message. Many do find out
immediately though, because others tell them about it. I seem to get a lot of
referral traffic from LinkedIn after doing updates, so I guess someone is
posting about it over there.

I had someone well known in the local tech community call it "The most
unprofessional thing I have ever seen" but later he was using it as a sales
tool to persuade one of the companies listed to hire him to upgrade their
site. I don't condone this but once the info is public I can't control what
people do with it.

------
nathantotten
> You see, they knew this process sucked - any reasonable person with half an
> idea about security did - but the internal security team alone telling
> management this was not cool wasn't enough to drive change. Negative media
> coverage, however, is something management actually listens to.

I could not agree more with this statement.

------
coleifer
I have compassion for these people who made these ludicrous comments -- they
clearly aren't cryptographers or digital security experts. Let's separate the
people making these comments from the corporations they represent.

Public shaming of a person is never the right response, in my opinion -- live
and let live.

Public shaming of a corporation, on the other hand, may be the only way to get
the attention of the decision-makers.

Let's be kind and compassionate to individuals.

~~~
chasing
As noted in the article, they're a public face of the company. If they don't
know the actual answers to questions being posed, they should reach out to
someone in their organization who does, not make stuff up.

~~~
crtasm
I agree, but after seeing a lot of these I think some of their presented facts
_were_ from someone higher up - though maybe informally, maybe pasted from an
internal FAQ.

~~~
chasing
Then something is internally broken at that company, and -- again -- the
people who act as the public face of that company run the risk of having the
resulting ire directed at them. But it's not personal -- it's their job to act
as a proxy for the company in the public sphere. If they're being endlessly
attacked by people because the company is doing something wrong, they need to
send that information up the flagpole to their higher-ups.

------
QasimK
I really dislike websites that prevent the use of password managers by
disabling the ability to paste. Recently[0], I discovered that you can stop
websites from doing this in Firefox by setting
_dom.event.clipboardevents.enabled = false_. This has already improved my
quality of life slightly.

[0]:
[https://gist.github.com/0XDE57/fbd302cef7693e62c769](https://gist.github.com/0XDE57/fbd302cef7693e62c769)

~~~
Joe8Bit
While true, it’s a bit of a blunt force solution as it prevents _all_
clipboard events (e.g. no ‘click here to copy’ anymore).

That may be a reasonable compromise for some, but I’ve seen some weird broken
behaviour as a result of people using this FF toggle.

~~~
SOLAR_FIELDS
Could you have an extension with a toggle that turns it off temporarily only
for password entry? Or even better UX, integrate it into the password manager
extensions such that the temporary action is invisible to the end user? It
would toggle the switch off during login, and toggle it back on after.

Perhaps it's not a good idea to code too much browser-specific behavior into
this stuff on the other hand.

~~~
donatzsky
There's an extension already that does that. It's called Don't Fuck with Paste
or something like it.

------
AdmiralAsshat
An add-on/extension I've found useful for combating this behavior on certain
financial websites is Don't Fuck With Paste:

[https://chrome.google.com/webstore/detail/dont-fuck-with-paste/nkgllhigpcljnhoakjkgaieabnkmgdkb](https://chrome.google.com/webstore/detail/dont-fuck-with-paste/nkgllhigpcljnhoakjkgaieabnkmgdkb)

[https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/](https://addons.mozilla.org/en-US/firefox/addon/don-t-fuck-with-paste/)
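
Added example, not code from the extension linked above or from any site in the thread: the site-side pattern the thread complains about (a `paste` handler that cancels the event on a password field) beside the user-side approach SOLAR_FIELDS suggested in the QasimK thread, a capture-phase listener that restores pasting only for credential fields instead of switching off every clipboard event with the Firefox pref. The function names, the `isCredentialField` heuristic and the `autocomplete` tokens it matches are this example's own assumptions, not the extension's internals.

```javascript
// Added illustration (not the extension's own code): how a site blocks paste on a
// password field, and how a user-side script restores it for credential fields only.

// Site-side pattern the thread complains about: a listener cancels the paste.
// Equivalent to onpaste="return false" in the markup.
function blockPasteOnField(input) {
  input.addEventListener('paste', (event) => event.preventDefault());
}

// Decide whether a paste target is a credential field worth protecting.
// Accepts any object exposing tagName/type/autocomplete, so it can be unit-tested
// without a DOM. Matches <input type="password"> and inputs the page marks as
// username/password via the HTML autocomplete attribute (assumed heuristic).
function isCredentialField(target) {
  if (!target || String(target.tagName).toUpperCase() !== 'INPUT') return false;
  const type = String(target.type || 'text').toLowerCase();
  const autocomplete = String(target.autocomplete || '').toLowerCase();
  if (type === 'password') return true;
  return /\b(username|current-password|new-password)\b/.test(autocomplete);
}

// User-side fix: a capture-phase listener on the document runs before any listener
// on the input itself. stopImmediatePropagation() ends dispatch before the site's
// handler can call preventDefault(), so the browser performs the normal paste.
// Scoped to credential fields so "click to copy" widgets elsewhere keep working,
// which is the breakage Joe8Bit describes with the blanket Firefox pref.
function installPasteRestorer(root, shouldRestore = isCredentialField) {
  const handler = (event) => {
    if (shouldRestore(event.target)) event.stopImmediatePropagation();
  };
  root.addEventListener('paste', handler, true); // true = capture phase
  return () => root.removeEventListener('paste', handler, true); // uninstaller
}

// Self-install when running as a content script; skipped outside a browser.
if (typeof document !== 'undefined') installPasteRestorer(document);
```

Run as a content script it installs itself on `document`; outside a browser the guard skips that and the functions can be exercised directly. The caveat a practitioner should know: this only helps where the site cancels the `paste` event. A site that instead discards pasted text from an `input` or `beforeinput` handler is not affected, and the real fix remains the one NIST SP 800-63B (quoted later in the thread) gives: stop blocking paste.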

------
murph-almighty
I can think of one exception to Troy's claim: companies that hold data of
people who aren't their customers. No amount of shaming Equifax would have
fixed their practices, because we can't choose to not have our data collected
by them.

------
manigandham
The worst offenders are _max_ password length limits, especially tiny ones
like 8 characters. It's a guarantee that the service does not properly hash
and store passwords.

~~~
jedberg
That usually happens on banking sites because their system is backed by an old
mainframe that can only handle 8 characters. The second thing you said is
right though -- they probably have terrible security on that mainframe.

~~~
chatmasta
NatWest goes a step further and asks you to enter (for example) “the 1st, 5th,
8th and 9th character of your password.”

I saw a comment once explaining why this might make sense to prevent replay
attacks. But it seems awfully absurd.

~~~
jedberg
Not to mention it means they are storing the password in plaintext.

------
zimbatm
It's quite scary to think that a bank only fixes obvious security issues after
public shaming. There are a _lot_ of internal services in a bank that are not
exposed to the scrutiny of security researchers and will therefore never get
patched.

~~~
lolc
Yes! What does it say about internal security if a bank leaves its mailbox
unlocked? (The postal equivalent of not using SSL.)

For those that would prefer other methods because public shaming doesn't fix
everything: let's look at some scenarios of what (successful) shaming of publicly
available services could do:

1. lead to audit and discovery of the issues in the internal services
2. bolster the argument of internal people who argue for security improvements
3. reset priorities to fix issues in public instances instead of fixing internal ones

~~~
user5994461
It's not comparable. A mailbox is in a physical location and you have to be
next to it to use it.

An email box is specifically meant to be opened anytime from anywhere on the
planet. It's insecure by design.

~~~
lolc
Agreed but I wanted to compare an unlocked mailbox at a bank to not using SSL
on their website.

------
cocoflunchy
Meanwhile 90% of the banks in France use a 6-digit password that you can't
paste because you have to enter it by clicking on a super-secure-random
grid... [https://imgur.com/a/q91JDXi](https://imgur.com/a/q91JDXi)

Maybe Troy Hunt can publicly shame them into more secure practices but I'm not
hopeful.

~~~
user5994461
It's secure. It defeats keyloggers and it prevents the password from being
remembered by the browser and enumerated.

It's usually a PIN that is set by the bank rather than the user, to prevent
people from using 123456 or their date of birth.

~~~
loeg
It only defeats keyloggers that don't record the mouse.

~~~
user5994461
Recording the mouse doesn't allow you to extract the password. You need to record
the display too.

------
marek995
A question: I know of some companies and banks with such issues. I am no Troy
Hunt - what would you do about this? Public shaming doesn't really work when
you aren't a public person. Also this is in a non-English environment, so there
are no such public figures...

~~~
mayneack
Most of those Troy Hunt examples were submitted to him by non-public people.
You could probably just email/tweet him.

smaller scale:
[http://plaintextoffenders.com/](http://plaintextoffenders.com/)

------
pentae
"Now, keeping in mind that the username is your email address and that many
among us like cake and presents and other birthday celebratory patterns, it's
reasonable to say that this was a ludicrous statement."

This is when I lost it. Bloody good read.

------
amarant
The worst of all are those that allow you to paste the password when you set up
the account, but not on login.

This leads to a situation where I have a 100 digit hashed password I have to
type in by hand.

Usually I just create a new account, preferably somewhere else.

~~~
drakenot
I created an account for a 401k vendor that our company recently switched to.
During the registration process I used a password manager to generate a 14-digit
random password.

Imagine my surprise when I went to log in to the newly created account only to
find out that the login screen enforced a character limit of 8 characters
(both with a textfield attribute and JS). This limitation was not enforced
during registration!

I had to edit the page in developer tools so I could actually paste my full
password to log in. The limitation was purely client side.

~~~
amarant
Haha, whaat? They had a limit of 8 chars MAXIMUM? That's usually the minimum
limitation!

At least they had implemented the first rule of IT security: perform all
checks client-side only ;)

------
adrian_mrd
It would be interesting to ascertain how many times users on social media
flag a security problem to a company's social media team that isn't actually a
security problem. In other words, how many false negatives get caught too?

Troy Hunt's post is really told from the victor's perspective (likely a bias
rather than intentional or arrogance), but to form a well-rounded view,
understanding how many false negatives would likely help...

~~~
gowld
If the flagging is respectful and the user is mistaken, either they will
apologize for the mistake or it's up to the community to lower that user's
influence. Troy Hunt is retweeted and upvoted and made famous because he has
built a good reputation.

------
oxplot
I wrote about non secure contact pages of various banks in Australia back in
2014 [1] and sent them all private messages. Didn't hear back from a single
one saying they were working on it. Haven't checked lately to see how or if
they changed.

[1]: [https://blog.oxplot.com/non-secure-contact-page/](https://blog.oxplot.com/non-secure-contact-page/)

------
richrichardsson
I had a bit of a rant in a job interview about how storing plain text
passwords was something only idiots do. I got the job and lo and behold the
main feature being worked on when I started 3 weeks later was "encrypt
passwords field". So even inadvertent direct private shaming can effect
change!

------
srinivasan
Didn't browsers take a stand a few years ago by ignoring "autocomplete=off" on
password fields?

I think it’s about time browsers start ignoring any onpaste events on password
fields. I’m curious what Chromium folks think - have there been tickets about
this? It would be a great way to end this dumb practice.

~~~
kevincox
Firefox has the dom.event.clipboardevents.enabled pref which can be used to
prevent a lot of web naughtiness; however, it does break a couple of legitimate
use cases.

~~~
aaronmdjones
Firefox also has signon.storeWhenAutocompleteOff (default true) which ignores
such hints.

------
lbriner
It's sad that what Troy is arguing for sounds like the best we can expect
right now and he is probably right. Ideally, there would be mandated processes
for any commercial company like any serious security vulnerability must be
fixable within x hours/days (if a fix is available) i.e. the excuse can't be,
"we don't have the means or money to fix that right now" and there are certain
things that seem to be accepted knowledge in the security community (like
password managers) that somehow are allowed to be circumvented by random
companies because they decided so.

The real question is why isn't there a mandated list of global best practice
for web app security that can direct any acceptance test of any web site?
Can't people like ISACA and ISC2 agree on something and make it the gold
standard?

~~~
zentiggr
And every manager (but for a few well informed) will scream every time that
gold standard has to be adjusted for new zero-days and completely new vectors
etc etc, forcing rewrites over and over.

Never underestimate the power of inertia.

------
kodablah
> But the hesitation quickly passed as he proceeded to thank me for the
> coverage. You see, they knew this process sucked - any reasonable person
> with half an idea about security did - but the internal security team alone
> telling management this was not cool wasn't enough to drive change. Negative
> media coverage, however, is something management actually listens to.

Sounds like justification for bad-security whistleblowing too. The downside
of encouraging it is that you are easily deanonymized if you had attempted to
bring it up internally before. We need a (possibly crowdfunded) corporate
bad-security whistleblowing foundation that contacts your own company on your
behalf and then publicly shames them if they don't fix the issue.

------
Steer
The Swedish Bank ID also disallows copy/paste of passwords. When I contacted
the company that builds the solution I got more or less the same response, "it
is safer for normal users" which I didn't really understand. Highly annoying.

~~~
zorked
I have heard the argument that regular users often believe that copying and
pasting passwords makes them immune to keylogging, so allowing that will cause
some of them to keep a copy of their password on a plaintext file on their
desktop where otherwise they would just type from memory.

Not sure if that's what banks are thinking about.

~~~
hazz99
Probably a dumb question, but doesn't copying & pasting protect against
keylogging? The only key events being sent are CTRL+C and CTRL+V (or the mouse
equivalent), and not the password keys themselves.

_Obviously_ this is an extremely bad way to "protect" yourself (since you
keep your password in plaintext on your PC), but it does protect against
keylogging, right?

~~~
TheCoelacanth
Maybe keylogging in the strictly literal sense, but I think most software
"keyloggers" log the clipboard too. I suppose it would protect you from a
physical keylogger.

~~~
user5994461
To clarify, it is not a maybe, keyloggers definitely monitor the clipboard.
It's one of the most basic features of a key logger.

Another basic feature is logging the active window/process to know where the
user is currently writing to.

------
chatmasta
I tried [0] to stir one of these up for coral.co.uk which also forces (via a
downgrade redirect) insecure login over http. Unfortunately my tweet didn’t
get much attention, although I did get the “Don’t worry! You can login without
any doubts!” reply from Coral.

Not sure if it’s still the case (think they recently did a redesign and
hopefully fixed it; I’ll check tonight). If it is, I would appreciate some
more attention on this issue!

[0]
[https://mobile.twitter.com/milesrichardson/status/1017195538...](https://mobile.twitter.com/milesrichardson/status/1017195538213634049)

------
Dirlewanger
I can imagine it's a really shitty situation for e.g. smaller banks here in
the US. Most of them don't have the resources to build their own custom back
end services, so many outsource the tech. And then shit like Fiserv getting
hacked the other week happens, and not only is Fiserv's reputation hurt but so
is all their clients'.

I'd love to "bank local", but when shit like that happens, the only way I'd
feel safe with my finances is by going with the Bank of
Americas/Fidelity's/etc. over Mom & Pop Credit Union.

~~~
gowld
That calls for startups to build good tech for these companies to all use.

~~~
Dirlewanger
Very, very difficult in fintech. Very high barrier to entry. The
Paypals/Venmos/Acorns of the world have been increasingly getting into the
traditional banking realm, offering checking account/debit card products, but
their back ends are still the same old slow companies. Polishing a turd
essentially.

------
jedberg
> You see, they knew this process sucked - any reasonable person with half an
> idea about security did - but the internal security team alone telling
> management this was not cool wasn't enough to drive change. Negative media
> coverage, however, is something management actually listens to.

It's even better when the internal person tips off the press to initiate the
public shaming to take to management. Never happened in an organization that I
worked in, but I know security people in other orgs that had to resort to
these tactics.

~~~
gowld
Yup.

[https://en.wikipedia.org/wiki/Deep_Throat_(Watergate)](https://en.wikipedia.org/wiki/Deep_Throat_\(Watergate\))

------
peterwwillis
Ego, embarrassment, lack of taking someone seriously, ignorance, and laziness
all contribute to not taking security reports seriously, and results in
creating rationalizations to prevent fixing them.

At that point, you need pressure to create change. Shame definitely works, but
it isn't professional, and it isn't nice at all. Many people may be open to
help if you can get off of Twitter.

You can send a positive letter _through a private channel_ that details the
problem and offers help in fixing it. You can make an automated, impartial
test that clearly proves the problem and provides links to fixes. Failing
these, you can start a petition. You can have famous, well respected, and
powerful people sign it. You can add carrots and sticks, like an award for
security response, a hall of shame entry, or the nuclear option, a PR release
and interview with national media about the dangers of the problem.

Even just sending a list of these problems as they have happened in the past
and how they resolved to executives at the company is probably all the
visibility needed to get the ball rolling.

------
move-on-by
A big takeaway for me is how the internal security teams knew it was bad and
couldn't make a case for the change.

Once a process is in place, it takes a well delivered argument to make a
change. Not allowing paste into password fields is a prime example of
something that seems like a good practice, but isn't. If anyone is reading
this and needs to convince others to allow paste, NIST says to allow pasting
passwords, and that it improves security:

> Verifiers SHOULD permit claimants to use “paste” functionality when entering
> a memorized secret. This facilitates the use of password managers, which are
> widely used and in many cases increase the likelihood that users will choose
> stronger memorized secrets. [1]

People will no doubt still say it's bad, but it's a fact that the National
Institute of Standards and Technology says to allow paste, and that it
improves security.

[1]
[https://pages.nist.gov/800-63-3/sp800-63b.html](https://pages.nist.gov/800-63-3/sp800-63b.html)

------
gerardnll
Social media is used by companies to improve their public perception, but we
cannot 'shame' them for their bad practices. No way. And if the community
managers tell lies we have to also shut up? Respect always, but the 'shaming'
is not the community managers' fault, because security decisions are not taken
by them but by other people, so they shouldn't feel bad about the public response.

------
Animats
The trouble is, it won't scale. If an announcement like that comes out several
times a day, it's not news.

~~~
orblivion
There was the example of the company that saw the BBC article and was scared
into compliance. Perhaps if he keeps up the approach of keeping the shaming
events rare and brutal, it can be enough of a psychological effect to corral
other companies into compliance until there are only a few cases remaining, at
which point you could just go after them individually without creating a news
burnout.

------
bostik
I'm mildly surprised no-one has so far drawn the similarity to full-
disclosure. Because let's be fair, this practice _is_ full-disclosure.

Of bad practices.

And as we've seen over the past 2+ decades - FD works. Once you draw attention
to an insecure system, resources to fix it will be found. (Enough of the time,
at least.)

~~~
gowld
This is different from full disclosure because (1) in many cases the
information is directly visible to the common user or publicly advertised by
the company already, and (2) the insecurities aren't immediately directly
exploitable (like plaintext passwords), just a risk factor in case of a hack.

------
thomaspaine
Law suits seem to be the standard tactic for dealing with other types of
corporate negligence (for better or worse). Why aren't they employed more for
these types of obvious security vulnerabilities if you can demonstrate harm?

~~~
manigandham
Considering Equifax basically had 0 consequences, legal work is incredibly
expensive and ineffective unless someone gets seriously injured or dies.

------
arayh
This reminds me of the fiasco regarding Virgin Media over Twitter:
[https://twitter.com/virginmedia/status/595135419152474112](https://twitter.com/virginmedia/status/595135419152474112)

I think companies need to mandate some kind of improved protocol for
responding to these sorts of tweet storms. It always seems to be people who are
technically inclined talking to a social media representative with little to
no knowledge of standard security practices, which leads to attempts to calm
the masses, but ultimately backfires.

------
nautilus12
So the question is why don't companies have infosec individuals seriously
looking into issues raised by a user, because it's in their best interest to
avoid bad PR and public shaming, which will be the logical next step if they
ignore it.

Is the shaming necessary? Do corporations only respond to an issue when it
blows up? Seems like bad stewardship.

------
Bhilai
Public shaming definitely works but there are only so many times you can play
this card. It may give you quick small wins, but organizations which downplay
or do not understand fundamental security concepts have a lot of other serious
security/technical debt which eventually leads to a breach.

------
lifeisstillgood
This suggests to me a more _democratic_ approach to corporate culture /
action.

Let's say we have a giant backlog of work, each item ranked by voting by
employees

Now the security team adds their "Stop sending passwords in plain text" item.

Which companies will it get voted up in?

------
kovek
Why was the situation with the page that does not ask for credentials and does
not use https considered unsafe? Is the worry that a man in the middle could
change the Login link to a different website?

~~~
redwards510
Yes, exactly.

------
presscast
Let's take a step back and ask ourselves this: when did _banks_ end up with
some of the least secure websites?

It's so common we've become oblivious to how frightening this is.

------
orblivion
Could there also be a thing where you go out of your way to praise? It seems
that the combination of carrot and stick is good for persuasion.

------
auslander
To Moderators: I claim Frivolous flagging on
[https://news.ycombinator.com/item?id=17958620](https://news.ycombinator.com/item?id=17958620)

From FAQ ... flagging a story that's clearly on-topic by the site guidelines
just because one personally dislikes it— eventually gets an account's flagging
privileges taken away.

------
auslander
The only true, safe password manager is the one that stores its database in a
local, master password encrypted file, like KeePass(XC), open source.

Anything else is trusting a third party.

------
eric_b
Troy's stance makes me uneasy. I'm sure publicly shaming these companies is
effective, but where does the line get drawn? In my experience the infosec
community strongly believes security is the _most_ important thing, full stop.
So they feel no qualms about using every trick in the book to get their way.

But two things about this trouble me. The first is, have we decided that the
ends always justify the means? It seems in other domains public shaming is
unacceptable. Troy himself despises Donald Trump, but one of the things most
heinous about 45 is his use of Twitter to publicly ridicule and shame
companies and individuals. And now Troy is engaging in exactly the same
behavior. But it's "OK" this time? What is different?

The second thing that troubles me is security "best practices" today may not
be best practices tomorrow. Some of his example companies are using practices
that were "best" 10 years ago. What happens in another 10 years when Troy's
current advice is outdated? More pitchforks?

The security treadmill is hard for even the most modern tech companies to stay
on. I think the infosec community could go a long way to helping itself by
making easier-to-use tools, and writing canonical guides for common scenarios.
Setting up HTTPS to get an "A" from SSLLabs is non-trivial. Securing SSH with
perfect forward secrecy is near impossible for a mortal. There's no reason it
has to be this complicated.

Edit: To the people who couldn't get past the first sentence of my last
paragraph. I'm not saying that because the security treadmill is hard the
companies get a pass. I'm saying the infosec community has a responsibility to
make it easier to stay on it. If the barrier to securing something
appropriately was so low you could trip over it, we wouldn't have this many
problems.

~~~
vorpalhex
You're right, we should be totally OK with a company that makes profit off of
us using 10 year old outdated security techniques - we wouldn't want to be
rude.

Imagine you went to an amusement park and saw the rides were being operated
unsafely. No seatbelts, no safety protocols, not even making sure passengers
were seated first. Do you stay quiet because after all, the teenager running
the ride probably didn't invent the safety protocol? Sure, someone might get
beheaded, but you don't want to be rude.

> The security treadmill is hard for even the most modern tech companies to
> stay on

That is nonsense. If you have the resources to track me across the web, hold
vast amounts of my private information and profit off of me, you'd best damn
invest in basic security practices like SSL and encryption at rest. If you
don't have the in-team expertise, bring in a consultant. These aren't Mom &
Pop ice cream shops, these are major international companies and banks - stop
cheaping out on security to save a few pennies.

~~~
eric_b
It's this kind of morally righteous fury that bugs me. You compare web
security to unsafe carnival rides? Please.

Equifax had one of the worst breaches imaginable. So did Target. Far as I
know, no one died. You know, I don't think anyone even got injured. Did some
people have to call their bank and dispute charges? Maybe.

Not really a life or death situation was it? I don't think Tesco or Betfair
are really life or death either? Sure they should have better security, but is
it worth becoming an angry mob about it?

~~~
vorpalhex
My mother spent two months without a functional credit or debit card because
her identity was stolen and it took a marathon of paperwork and disputes.
Thank goodness she has family who was able to give her a sizeable amount of
cash during that period. I suspect many are not so lucky.

What about people fleeing abusive spouses or other folks who have a very real
reason to keep things like their address under wraps? There was a training
school that recently leaked the addresses of its participants - several of
whom were undercover police officers. Don't get me started on the OPM breach.

Just because a breach doesn't affect you very much doesn't mean there aren't
serious consequences. When every single business has horrendous amounts of
information on me, any minor breach becomes a major problem.

~~~
BeetleB
> My mother spent two months without a functional credit or debit card because
> her identity was stolen and it took a marathon of paperwork and disputes.

She was lucky. I know someone for whom the process took over a year. Because
of that he had to wait before he could buy a house - his mortgage wouldn't be
approved until all the mess was cleared up.

------
_pdp_
I generally agree but would you place your security in the hands of some
3rd-party providers such as password managers? If you do that then their problems
instantly become your problems.

I am not saying that password managers are without any merit and/or useful.
All I am saying is that although security decisions are often made without
much thought process there are situations where there are some hard
requirements based on a multitude of factors which are not publicly discussed.

It is easy to brush it all off as a 3rd-party observer, but in reality nothing
is perfect, and considering that a lot of the people on this forum are actual
developers you must be well aware of the countless compromises you had to make
that go against security best practices... :) come on.

What Troy is discussing are cases of trivial negligence - hardly breaking the
bank - and I can assure you that in many circumstances the security budget
required to implement some of the necessary improvements outspends the annual
fraud budget. This hardly makes an argument if you need to justify your
department's running cost.

Yes, shaming kind of works, sometimes... but honestly these companies have much
bigger internal problems than reconsidering their whole stance on the usefulness
of password managers and the risk levels they are willing to accept.

~~~
n4r9
> would you place your security in the hands of some 3rd-party providers such
> as password managers?

I don't know if I can think of a better solution than an open-source password
manager which encrypts and stores everything locally. Unless you have an
incredible memory.

> but honestly these companies have much bigger internal problems than
> reconsidering their whole stance on usefulness of password managers

I guess Troy is just focusing on what he knows best.

~~~
auslander
> I don't know if I can think of a better solution than an open-source
> password manager

Sure, KeePass(XC)

> I guess Troy is just focusing on what he knows best

No, KeePass(XC), as you said, _stores everything locally_, no Troy needed.

~~~
n4r9
Not sure if you're agreeing with me or not. Yes, I think KeePass is the best
way and I use it myself with SyncThing to sync between machines. That's still
trusting a third party to some degree: you're trusting that the code doesn't
have many bugs that someone could exploit to bypass the master password. But
it minimises the risk.

The part about Troy was in response to the OP's claim about public shaming.

~~~
auslander
> Not sure if you're agreeing with me or not. Yes, I think KeePass is the best
> way

I do agree about KeePass. Its code survived in the open for that long. About
"Troy is just focusing on what he knows best" - security is hard, be precise
:)

