Saving the absolute worst for last on the UMD security training, on passwords/phrases:
* Substitute 3 for E and R for "are"
* Never write down your passphrase, never store it in your browser
* Use a familiar phrase, perhaps a line from your favorite song.

What are we even doing here?

@mmazurek I think you forgot the phrase "wrong answers only" :)
@mmazurek more seriously, I think these practices are incredibly dangerous on several levels: we waste budget (both cash and time), we waste credibility, and having done both, security staff can't get to useful work.
@adamshostack strong agree. Our CIO is even a CS professor, and I've talked to him about related issues a number of times. Incredibly frustrating.

@adamshostack @mmazurek
"Use LastPass to store your passwords securely*"

*If it leaks passwords again, at least it is their fault, not yours**.

**Which is more important than the actual problem in a business context. 

@wakame @mmazurek Wakame, is that an actual quote from 2023 security training? ("Citation needed" :)
@adamshostack @mmazurek
Sorry, no. It's just as if I could... somehow magically... emulate how those people think.