goes wrong is deeply entrenched in society. […] More and more often the blame is attributed to “human error.” The person involved can be fined, punished, or fired. But […], human error usually is a result of poor design: it should be called system error. Humans err continually; it is an intrinsic part of our nature. System design should take this into account. Pinning the blame on the person may be a comfortable way to proceed, but why was the system ever designed so that a single act by a single person could cause calamity? — Donald Norman, The Design of Everyday Things
of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). — NIST SP 800-63B
to be from her admin, asking her to review some expenses on Dropbox. She followed the link, and entered her Dropbox account. Today, she realized when talking to her admin that he hadn't sent that email.
users But I never found a way to get people onto 1password in a single training session. The setup process has a lot of moving parts, involving the desktop app, browser plugin, online service, mobile app, and app store. It requires repeatedly typing a long master passphrase. And then, once it is all set up, you have to train people on the unrelated skill of how to use the thing, starting with their most sensitive accounts. And then you leave. — Maciej Cegłowski, What I Learned Trying to Secure Congressional Campaigns
[…] high, when used correctly
Password rotation: not effective
Hashed passwords: moderate, when used correctly
Password managers: high, if actually used
2FA (especially U2F): very effective
Single sign-on (SSO): very effective
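The "when used correctly" caveat on hashed passwords, and the NIST SP 800-63B advice quoted above (no composition rules, no forced rotation), are easiest to see in code. The following is an added example, not from the slides or from NIST: a small verifier that stores memorized secrets with a random per-user salt and a memory-hard hash (scrypt), compares them in constant time, and accepts new secrets by minimum length plus a breached-password blocklist instead of character-class rules. The scrypt parameters, the blocklist contents and the sample passwords are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# scrypt cost parameters: assumed values for this example; tune per deployment.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
MIN_LENGTH = 8  # NIST 800-63B minimum for user-chosen memorized secrets

# Constructed stand-in for a real breached-password list (SP 800-63B asks
# verifiers to reject secrets known to be compromised, not to enforce
# composition rules).
BREACHED = {"password", "123456", "qwerty", "letmein"}


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). A fresh random salt is drawn unless one is given,
    so two users with the same password get different stored digests."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32,
    )
    return salt, digest


def verify_password(password: str, salt: bytes, expected: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time, so the
    comparison itself does not leak how many leading bytes matched."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, expected)


def naive_hash(password: str) -> str:
    """The 'not used correctly' baseline: unsalted, fast hash. Equal
    passwords collide, so one cracked digest unlocks every account using it."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def same_password_collides(password: str) -> Tuple[bool, bool]:
    """(naive_collides, salted_collides) for two users sharing a password."""
    naive_collides = naive_hash(password) == naive_hash(password)
    _, d1 = hash_password(password)
    _, d2 = hash_password(password)
    return naive_collides, d1 == d2


def acceptable_secret(password: str) -> bool:
    """NIST-style acceptance: length and not-known-breached only; no
    character-class requirements and no expiry."""
    return len(password) >= MIN_LENGTH and password.lower() not in BREACHED


if __name__ == "__main__":
    salt, digest = hash_password("correct horse battery staple")
    print("verify ok:", verify_password("correct horse battery staple", salt, digest))
    print("wrong pw :", verify_password("Tr0ub4dor&3", salt, digest))
    print("collides (naive, salted):", same_password_collides("hunter22"))
    print("accept 'password'  :", acceptable_secret("password"))
    print("accept long phrase :", acceptable_secret("correct horse battery staple"))
```

Note that `acceptable_secret` deliberately accepts an all-lowercase passphrase and rejects `password` even though the latter could satisfy a typical "8 characters, mixed classes" rule after trivial mangling; that is the point the NIST quote makes.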
(or, the Dangers Of The Five Whys)
• A fun source for scenarios: @badthingsdaily
• Data on real-world attacks:
  • Data Breach Information Report
  • BusinessInsider ($$$)
  • Cost of Data Breach Report
• On mitigation: The “Five Factors” Used To Secure Systems