Ask HN: What are some counter-productive security practices?
7 points by ern on Oct 17, 2022 | 6 comments
I thought I damaged my phone recently, and tried to turn off 2FA on my password manager to get into the vault on my laptop. It didn't let me, I think because my former employer required admins to approve it. So I couldn't get into my password manager. I managed to fix the phone, but the codes no longer worked.

I spent the night copying my passwords into Gmail from my phone app (bad for security).

A support request got 2FA disabled and I got into my vault, but I won’t be turning it on again (bad for security). I’ll also be exporting my passwords.

An ostensibly good idea (make company admins approve turning off 2FA) has resulted in less security. I can imagine employees having a single bad experience and then swearing off password managers.

What are other examples of “smart” ideas that actually reduce security?



Multi-factor authentication which resides on the same device, e.g. the mobile banking app authenticating with an SMS to the same phone it is running on.

Overly complex password policies which lead to people writing passwords down in unsafe places.

Password expiration.

RBAC with unsensible defaults which leads to everyone having admin access.

Not running security drills: when people always follow the happy path they never practice the procedures for, e.g., getting back access after losing their phone.


Requiring long, "high entropy" passwords to be typed blind. Dots for password characters might have had a reason for existing when people used a large, wide-viewing-angle monitor. On a small LCD screen like a smartphone, the dots don't make a difference except to hide at least 8 characters with a number, upper and lower case, and at least 1 special character (not including "' or >) from the user as they type on a smartphone keyboard where a fingertip covers 2-3 keys.

What a farcical time waster.


At my last job we had the following.

1. Active Directory password expires every 60 days

2. Extremely crazy requirements around the AD password

3. Only place you can change the password is the Windows login screen

4. No easy place to look up the password requirements, because the IT intranet site was a complete mess and the Windows login only says "Password doesn't meet requirements"

5. BitLocker password required on the laptop

6. 2FA via a PKI card

7. Requirements for BitLocker, PKI, and AD password were all different.

8. Extremely convoluted process to reset your password, usually resulting in a call to the IT help line

This is the only job in my life where I ended up writing down my passwords on paper, because my passwords were always some crazy nonsense I couldn't remember. I know I wasn't the only one, as I saw people with post-its on their laptops with their passwords.

This was a large software company. The whole process was just stupid. If you have a terrible process people will have no choice but to find a way to work around it.


Companies requiring their employees to change passwords every 3 months.


Punishing end users with security training when they successfully spot and report the company's phishing campaign e-mail.


Putting autocomplete=off on login forms, or otherwise attempting to break password autofill.

Breaking all outgoing TLS.
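The autocomplete point above is concrete enough to check mechanically. Most current browsers ignore autocomplete="off" on username and password fields precisely because it only hurts password-manager users, so sites that want to block autofill escalate to tricks such as marking the field readonly and removing that attribute on focus. The following is an added example, not code from the thread or from any particular site: a small audit that scans the <input> tags of a login form for those patterns and reports the autocomplete token (username / current-password) each field should carry instead. The two form snippets are constructed for the example, and the regex attribute parser is an assumption adequate for flat markup like this; a real audit would walk a parsed DOM.

```javascript
// Added example, not from the thread: audit a login form's <input> tags for
// markup that defeats browser and password-manager autofill.
// Both form snippets below are constructed for this example.

const ANTI_AUTOFILL_FORM = `
<form method="post" action="/login">
  <input type="text" name="user" autocomplete="off"
         readonly onfocus="this.removeAttribute('readonly')">
  <input type="password" name="pass" autocomplete="off">
  <input type="submit" value="Sign in">
</form>`;

const AUTOFILL_FRIENDLY_FORM = `
<form method="post" action="/login">
  <input type="text" name="user" autocomplete="username">
  <input type="password" name="pass" autocomplete="current-password">
  <input type="submit" value="Sign in">
</form>`;

// Minimal attribute parser for <input ...> tags (assumption: flat, well-formed
// markup; a production audit would use a DOM parser instead of regexes).
function parseInputs(html) {
  const tagRe = /<input\b([^>]*)>/gi;
  const attrRe = /([a-zA-Z-]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+)))?/g;
  const inputs = [];
  for (const tag of html.matchAll(tagRe)) {
    const attrs = {};
    for (const a of tag[1].matchAll(attrRe)) {
      // Unquoted / single-quoted / double-quoted values; bare attributes get "".
      attrs[a[1].toLowerCase()] = a[2] ?? a[3] ?? a[4] ?? "";
    }
    inputs.push(attrs);
  }
  return inputs;
}

// The fields a password manager must be able to pair: identifier and secret.
const CREDENTIAL_TYPES = new Set(["text", "email", "tel", "password"]);

// Returns one finding per anti-autofill pattern, with the fix to apply.
function auditLoginForm(html) {
  const findings = [];
  for (const attrs of parseInputs(html)) {
    const type = (attrs.type || "text").toLowerCase();
    if (!CREDENTIAL_TYPES.has(type)) continue;
    const field = attrs.name || attrs.id || "(unnamed)";
    const expected = type === "password" ? "current-password" : "username";
    const token = (attrs.autocomplete || "").trim().toLowerCase();

    if (token === "off") {
      findings.push({ field, severity: "high", issue: "autocomplete=off",
        fix: `autocomplete="${expected}"` });
    } else if (token === "") {
      // Browsers still autofill, but an explicit token lets managers pair fields.
      findings.push({ field, severity: "low", issue: "no autocomplete token",
        fix: `autocomplete="${expected}"` });
    }
    // readonly until focus: a common trick to keep managers from filling the field.
    if ("readonly" in attrs &&
        /removeattribute\(\s*['"]readonly['"]\s*\)/i.test(attrs.onfocus || "")) {
      findings.push({ field, severity: "high",
        issue: "readonly-until-focus anti-autofill trick",
        fix: "remove readonly and the onfocus handler" });
    }
  }
  return findings;
}

// Stand-alone run: the first form yields three findings, the second none.
for (const [label, form] of [["anti-autofill", ANTI_AUTOFILL_FORM],
                             ["autofill-friendly", AUTOFILL_FRIENDLY_FORM]]) {
  console.log(label, auditLoginForm(form));
}
```

The fix side is deliberately just the two standard tokens: autocomplete="username" on the identifier field and autocomplete="current-password" on the secret (new-password on registration and change-password forms), which is what lets a manager fill and, later, update the right entry.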




