I'm thinking of creating an @owasp Top Ten Dumb Things Security Makes Users Do.
Here are a few:
1. Making users rotate passwords without evidence of compromise.
@TechFTC actually does an awesome job of explaining why it's dumb.
ftc.gov/news-events/blogs/te…
2. Preventing users from copying/pasting passwords. Besides being an accessibility issue, it doesn't seem to actually move the needle on security.
@NCSC provides more background (and a link to @troyhunt's take)
ncsc.gov.uk/blog-post/let-th…
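The paste-blocking the tweet above complains about is almost always an inline `onpaste`/`oncopy` handler on the password field. The following is an added example, not code from the thread or from the linked NCSC post, showing the weak markup next to the corrected markup, plus a small audit helper that flags fields carrying such handlers and a remediation that removes them. The `FakeInput` class is a constructed stand-in for a DOM element so the helper can be exercised outside a browser; in a browser console the same functions accept the elements returned by `document.querySelectorAll('input[type=password]')`.

```javascript
// Constructed markup: the anti-pattern (paste is cancelled) and the fix (nothing special needed).
const WEAK_MARKUP = '<input type="password" id="pw" onpaste="return false" oncopy="return false">';
const FIXED_MARKUP = '<input type="password" id="pw" autocomplete="current-password">';

// Event handler attributes whose inline body cancels the event.
const CLIPBOARD_HANDLERS = ["onpaste", "oncopy", "oncut"];
const CANCELS_EVENT = /return\s+false|preventDefault\s*\(/;

// Minimal element stand-in (constructed) so the audit runs in Node as well as in a browser.
class FakeInput {
  constructor(attrs) {
    this.attrs = { ...attrs };
    this.id = attrs.id || "";
    this.onpaste = null;
    this.oncopy = null;
    this.oncut = null;
  }
  getAttribute(name) {
    return Object.prototype.hasOwnProperty.call(this.attrs, name) ? this.attrs[name] : null;
  }
  setAttribute(name, value) { this.attrs[name] = String(value); }
  removeAttribute(name) { delete this.attrs[name]; }
}

// Returns the list of reasons a field interferes with the clipboard; empty means it does not.
// Limitation: handlers attached via addEventListener are not visible by inspection.
function clipboardBlockingReasons(field) {
  const reasons = [];
  for (const name of CLIPBOARD_HANDLERS) {
    const inline = field.getAttribute(name);
    if (inline && CANCELS_EVENT.test(inline)) {
      reasons.push(`inline ${name} handler cancels the event`);
    }
    if (typeof field[name] === "function") {
      reasons.push(`${name} property handler installed`);
    }
  }
  return reasons;
}

// Audit a collection of password inputs and report which ones block the clipboard.
function auditPasswordFields(fields) {
  return Array.from(fields).map((f) => ({
    id: f.id || "(unnamed)",
    reasons: clipboardBlockingReasons(f),
  }));
}

// Remediation the site owner applies: drop the handlers and let the clipboard work.
function allowClipboard(field) {
  for (const name of CLIPBOARD_HANDLERS) {
    field.removeAttribute(name);
    field[name] = null;
  }
  field.setAttribute("autocomplete", "current-password");
  return field;
}

// Stand-alone run over the two constructed fields.
const weak = new FakeInput({ id: "pw-weak", type: "password", onpaste: "return false", oncopy: "return false" });
const fixed = new FakeInput({ id: "pw-fixed", type: "password" });
console.log(auditPasswordFields([weak, fixed]));
console.log(auditPasswordFields([allowClipboard(weak)]));
```

The audit is worth running against your own login pages: a field that reports no reasons still lets a password manager fill it, which is the behaviour the NCSC piece argues for.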
3. "Secure" email products that require users to open HTML email attachments. The very same attack vector as some phishing.
It has the additional downside of training users that opening HTML attachments is a normal behavior.
4. Websites that ask/require users for credentials to other websites, such as to import financial information, to allow a potential employer to dig through your social media account, and similar.
Do you really trust that website with your banking password?
Mar 31, 2021 · 3:37 AM UTC
