Insecurity by Over-security

I’ve worked for many clients with many ideas of what makes a secure environment. Some use simple FTP servers, and some don’t trust anyone but their own employees. Others use multiple, nested levels of remote desktop connections, RSA tokens, and specialized software. But is there such a thing as too much security — so much that it actually becomes insecure?

Secure Password Requirements

The conventional advice for a strong password is that it must mix upper- and lower-case letters, numbers, and special characters. Such a password is hard to remember and easy to mistype, and, as the popular XKCD comic below illustrates, it is not even particularly strong: a short password built from a common word with predictable substitutions has far less entropy than a passphrase of several randomly chosen words, because attackers guess by pattern rather than by trying every possible character. If you believe complexity rules alone make a password strong, you're wrong.

XKCD comic strip

Because so many systems demand these complex passwords, you end up writing them down. If you are disciplined, that means an encrypted password database; if not, a sticky note on the monitor. The problem is that when a password is hard to remember, people store it insecurely, and all that complexity is worthless once the sticky note ends up in someone else's hands.

Many people use hosted password managers such as LastPass. They are convenient, but they concentrate risk: announcements that a company's servers were compromised and customer data leaked have become routine, and a breach of a password manager exposes encrypted vaults whose only remaining protection is the strength of each user's master password and the work factor of the key derivation used to protect the vault.

Avoid this by using long passphrases made of several randomly chosen words. They are far easier to remember than a short string of symbols and, because length dominates the size of the search space, far more expensive to brute-force.
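To make the comic's arithmetic concrete, here is an added example (not from the original post) that estimates entropy and brute-force time for the three kinds of password discussed above: a uniformly random string, the pattern a human actually produces under a complexity policy, and a passphrase of random words. The alphabet size, word-list size, per-choice bit estimates and guess rates are assumptions chosen for illustration.

```python
import math

# Assumed parameters for the illustration (not from the original post)
PRINTABLE_ASCII = 95          # characters a complexity policy lets you choose from
SHORT_WORDLIST = 2048         # a memorisable word list (2**11 words, as in the comic)
ONLINE_RATE = 1_000           # guesses/second against a throttled login page
OFFLINE_RATE = 10 ** 10       # guesses/second against a leaked fast hash on GPUs
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def random_string_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Entropy of a uniformly random string: what a complexity policy pretends you get."""
    return length * math.log2(alphabet)


def pattern_password_bits(dictionary: int = 2 ** 16, substitution_bits: int = 3,
                          digits: int = 10, symbols: int = 16) -> float:
    """Entropy of the password a human actually produces under that policy:
    a common word, first letter capitalised, a few l33t substitutions, and a
    digit plus a symbol tacked on the end in either order. Cracking tools try
    exactly this shape, so the work is the product of the choices, not 95**len."""
    return (math.log2(dictionary)      # which word
            + 1                         # capitalised or not
            + substitution_bits         # o->0, a->4, ... (assumed ~1 bit each)
            + math.log2(digits)         # trailing digit
            + math.log2(symbols)        # trailing symbol
            + 1)                        # order of digit and symbol


def passphrase_bits(words: int, wordlist: int = SHORT_WORDLIST) -> float:
    """Entropy of `words` words drawn uniformly at random from a list."""
    return words * math.log2(wordlist)


def years_to_search(bits: float, guesses_per_second: float) -> float:
    """Years to exhaust the whole space at a constant guess rate (an attacker
    expects to succeed after about half of it)."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def compare() -> dict[str, tuple[float, float, float]]:
    """(bits, years online, years offline) for each password style."""
    styles = {
        "8 random printable chars": random_string_bits(8),
        "word + substitutions (Tr0ub4dor&3 style)": pattern_password_bits(),
        "4 random common words": passphrase_bits(4),
    }
    return {name: (bits,
                   years_to_search(bits, ONLINE_RATE),
                   years_to_search(bits, OFFLINE_RATE))
            for name, bits in styles.items()}


if __name__ == "__main__":
    for name, (bits, online, offline) in compare().items():
        print(f"{name:42s} {bits:5.1f} bits  online: {online:12.1f} y  "
              f"offline: {offline:12.8f} y")
```

Under these assumptions the word-plus-substitutions password falls in a few days of online guessing and a fraction of a second offline, while four random words hold out for centuries online. Every style falls quickly at the offline rate, which is why the hashing on the server side (a slow, salted key derivation) matters as much as the password itself.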

Frequent Password Resets

Password complexity is bad enough, but businesses also require passwords to be reset far too often. When systems force frequent resets, most users produce easily guessable variants of the same password: MarchPass123$ this month becomes AprilPass123$ the next. Anyone who finds an old password can derive the current one with a handful of guesses, so a leaked password stays useful long after it was "changed". Passwords shouldn't last forever, but rotation on a calendar mostly produces predictable sequences; the better trigger is evidence of compromise, which is what current NIST guidance (SP 800-63B) recommends.
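As an added example (not from the original post), the following code models both sides of the rotation problem: given a leaked old password, it enumerates the obvious successors users pick after a forced reset, and a change-password handler can use the same list to reject a new password that falls in it. The month list, increment ranges and suffixes are assumptions; in practice such a check runs at change time, when the service briefly holds both the old and the new password in memory.

```python
import re

# Constructed list for the illustration; a real policy would use more patterns.
MONTHS = ["January", "February", "March", "April", "May", "June", "July",
          "August", "September", "October", "November", "December"]


def _match_case(template: str, word: str) -> str:
    """Copy the capitalisation style of `template` onto `word`."""
    if template.isupper():
        return word.upper()
    if template[0].islower():
        return word.lower()
    return word.capitalize()


def rotation_candidates(old: str, steps: int = 3) -> list[str]:
    """Passwords a user is likely to pick after being forced to change `old`.

    `steps` is how many months ahead / how many increments to try; an
    attacker with one leaked password needs only a few of these guesses."""
    cands = set()
    low = old.lower()

    # 1. A month name rolls forward: MarchPass123$ -> AprilPass123$, MayPass123$ ...
    for i, month in enumerate(MONTHS):
        start = low.find(month.lower())
        if start == -1:
            continue
        found = old[start:start + len(month)]
        for step in range(1, steps + 1):
            nxt = _match_case(found, MONTHS[(i + step) % 12])
            cands.add(old[:start] + nxt + old[start + len(month):])

    # 2. Any run of digits is incremented: Pass123$ -> Pass124$, Pass2013 -> Pass2014
    for m in re.finditer(r"\d+", old):
        for step in range(1, steps + 1):
            bumped = str(int(m.group()) + step).zfill(len(m.group()))
            cands.add(old[:m.start()] + bumped + old[m.end():])

    # 3. Something tacked on the end to satisfy "must differ from previous"
    for suffix in ("1", "!", "!!", "2"):
        cands.add(old + suffix)

    cands.discard(old)
    return sorted(cands)


def is_trivial_variant(old: str, new: str) -> bool:
    """Defender side: at change time, refuse a replacement that anyone holding
    `old` would guess within a dozen attempts. Uses a full year of months and
    a dozen digit increments."""
    return new == old or new in set(rotation_candidates(old, steps=12))


if __name__ == "__main__":
    leaked = "MarchPass123$"
    print(f"An attacker holding {leaked!r} would try:")
    for guess in rotation_candidates(leaked):
        print("  ", guess)
    for proposed in ("AprilPass123$", "MarchPass124$", "correct horse battery staple"):
        verdict = "rejected" if is_trivial_variant(leaked, proposed) else "accepted"
        print(f"change {leaked!r} -> {proposed!r}: {verdict}")
```

The attacker's list for MarchPass123$ is only ten guesses long, well inside any lockout threshold, which is the whole problem with calendar-driven resets. The defender-side check catches exactly those guesses; it is cheap because it works on the two plaintexts the change request already contains, and it never needs to store old passwords in a recoverable form.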

File Transfer Restrictions

Another common security feature I’ve noticed is the disabling of copy/paste or file shares while remotely connected to a machine. Rarely do I work on a project that requires remote access where I don’t need to transfer some files or copy and paste a large chunk of code.

When these features are disabled, users find work-arounds — usually insecure work-arounds. Typing by hand is tedious and usually impractical. More likely, you’ll upload the files to an online service or save them to a USB stick. I’ve even seen cases where companies block access to sites like Google Drive and Dropbox, which forces users to find less reputable online services. As more security is added, systems often become less secure.

Two-factor Authentication

Security experts eventually realized that complicated, frequently changed passwords were not working, so their solution was to make things even harder for users. That's right, on top of the password nightmare, many systems now require a one-time code from a key fob or an app, a string of digits that changes every minute or so.

How does this lead to insecurity? Well, I've actually seen people write their username and password onto the fob itself. In the case of RSA software tokens, they keep a plain-text file with all the information needed to access the system right on the desktop.

The point I want to make is that when you make security harder for the user, the user will make the system less secure. A password written on the fob collapses two factors into one: whoever picks up the fob holds both. The answer isn't to add more complexity, it's to change the security. If the only barrier to entry is a factor users don't have to remember or transcribe, such as a fingerprint scan or a single easily remembered passphrase, then users have no reason to make notes or to circumvent the system.

Keep security practices simple to keep systems secure.