I'm thinking of creating an @owasp Top Ten Dumb Things Security Makes Users Do.
Here are a few:
1. Making users rotate passwords without evidence of compromise.
@TechFTC actually does an awesome job of explaining why it's dumb.
ftc.gov/news-events/blogs/te…
2. Preventing users from copying/pasting passwords. Besides being an accessibility issue, it doesn't seem to actually move the needle on security.
@NCSC provides more background (and a link to @troyhunt's take)
ncsc.gov.uk/blog-post/let-th…
3. "Secure" email products that require users to open HTML email attachments. The very same attack vector as some phishing.
It has the additional downside of training users that opening HTML attachments is a normal behavior.
This next one is not really something the Security team pushes onto users so much as it is something the product team wants and Security often loses the fight to prevent it. So calling it out, because it's super dumb and we should stop allowing it.
What am I missing? What other dumb security practices do we push onto users?
Mar 31, 2021 · 3:37 AM UTC