If you're anything like me, at every family and/or friends' get-together you'll inevitably get roped into providing free IT support for everyone's shiny new devices. This made me think about how we talk to people we know about different online threats, and what to do about them.
For instance, the NCSC and CyberAware advise everyone to turn on two-step verification (sometimes called two-factor authentication) to protect their important accounts. Two-factor authentication (or 2FA) is increasingly available, and it generally makes services far more secure than only using passwords to authenticate. This is why we say ‘Turn on 2FA’; it's straightforward, clear guidance that most people can follow.
However, some people worry about advising others to use 2FA. They point to the ways in which it can be compromised (especially the SMS-based version), and fear that it might induce a false sense of security. They would rather steer others towards less vulnerable (but also potentially more costly and harder to use) security and privacy solutions, such as PGP or universal second factor tokens.
The same goes for password managers. Password managers have been compromised in the past, and they will be again. So some people think it's wrong to advise others to put all their valuable password eggs in the same basket. Others are more positive about password managers (which is good), but they may not realise that many people have understandable reasons for not wanting to use them (mainly finding them too hard to use). So they are then reluctant to give advice on how to create and maintain the kind of sensible, usable passwords that people need, if they aren't going to use a password manager.
Then there’s password quality. We get questions about our ‘three random words’ blog, asking why the NCSC suggest using passwords that aren’t as cryptographically secure as those that are generated by other methods.
And then, there's the use of biometrics to authenticate users to their phones and other personal devices - primarily, fingerprint and Face ID. These are relatively young technologies, with some well-documented vulnerabilities. Is it really right to encourage people to use them?
Perfect is the enemy of better
We agree that 2FA is not perfect. Neither are password managers.
Yes, there are more cryptographically secure ways of generating passwords than 'three random words'.
And absolutely, fingerprint and face sensors can be fooled.
However, the NCSC and CyberAware will continue to advise people to use 2FA, password managers, 'three random words' and biometric authentication in their personal lives, because:
- they add enough extra protection to make the most common attacks impractical or uneconomic
- 'stronger' security solutions involve spending money or using technical skills that many people don't have
- most people can understand and follow this advice and are therefore far more likely to act on it
- imperfect security is better than no security
Bad advice delivers perverse outcomes
Traditional password advice failed because it told us to do things that most of us simply can't do (i.e. memorise lots of long, complex passwords). As a result, many people - including experts such as myself - employ coping strategies in order to manage all our passwords. One of these strategies is using the same password across multiple accounts. This is because people know that passwords should be long-and-complex, but since long-and-complex passwords are hard to remember, they use the same one for different accounts.
What you may not realise is that your long-and-complex password may already have been stolen/leaked. And if you've used it across multiple accounts, then a 'bad guy' can cause serious damage. Perhaps you've introduced minor variations to your core password, maybe adding a few characters relating to the name of a website? Unfortunately, bad guys are fully aware of these sorts of techniques, so they don't actually help much whilst making legitimate use more difficult.
The NCSC believe that the time and effort spent trying to follow unworkable password advice would be better used enabling 2FA on important accounts, and/or using a password manager to store long, complex, unique passwords.
Cyber security advice must be useful, or it won't be used
It's really important for cyber security advice to be pragmatic, and for us practitioners to remember who we're talking to. Many people find standard security advice unworkable, or unaffordable, or it just doesn't make sense to them.
For instance, the recommendation to use unique passwords everywhere may - technically - be the best advice. But to people who are currently using the same password everywhere, that's a massive change that will take time to achieve. And for accounts that don't protect any important information to start with, it's overkill. That's why CyberAware now advises people to focus on their most important accounts first - use a strong, separate password for your email, and build from there.
As the NCSC's Technical Director says in his report on Active Cyber Defence: One Year On, most ordinary people aren't and never will be the main targets of nation state cyber attacks and Advanced Persistent Threats. They're far more likely to get done over by lower-level attacks that rely on poor practice (such as re-using passwords across valuable accounts). These are the attacks that we can help people to avoid by being more pragmatic in what solutions we recommend, rather than insisting everyone aims at solutions that are so complicated or expensive that most people won't ever use them.
Doing better with what's in front of us
We can and will keep improving the security we offer people. But in the meantime, we need to start doing better with what’s in front of us: implementing tools that people know how to use, which are available right now, and which help everyone to be more secure. Security is a team game and we will only win if the whole team plays together, with everyone using their own expertise to help everyone else where they can.
- 2FA has problems, but by and large it’s better than not using 2FA.
- Password managers have vulnerabilities, but they make it much easier to avoid using the same password everywhere.
- Passwords generated from three-random-words help users to create unique passwords that are strong enough for many purposes, and can be remembered much more easily - and that's good for those who find password managers too tricky.
- Using a strong, separate password for your email helps protect the information that is most important to you.
- Using biometrics on your phone is better than not securing your phone at all.
It's incremental steps like these that will help more people stay safer online. Let’s stop trying to make security perfect, and start making it better - for everyone.