One of the biggest security expertise redpills is this is unironically a good idea and the time spent making fun of it was ill-advised for most users whose physical security threat is not a factor in comparison.
Overcoming the incentive to dunk on “users” behavior is an important element in maturing your security understanding. You have a set of levers to pull. Human nature is not one of them. Deal with that or be a righteous failure.
Edginess and denigration are not a measure of effectiveness when your subjects’ success is the criterion. I fear some see Security as a way to be a veto of correctness – rather than a mediator of implementing a solution. The former easy, the latter a lifetime of work.

@SwiftOnSecurity I just switched over from the LinkedIn app and a user bashing thread.

Turns out it’s true, most security breaches are caused by human error, it’s just maybe not the human that clicked on the link who made the mistake.

@g @SwiftOnSecurity

Enterprises are so complex no single human can from the entirety of their architecture, even when they're single office - it's hard for small shops to have the level of process to keep them safe, and then the extra complexity from big ones makes it worse not better

@g @SwiftOnSecurity I might want to borrow that second paragraph. It hits the nail on the head.
@SwiftOnSecurity Been on the, "written in a book is better for 90% of use-cases" train for a while now.

@NosirrahSec @SwiftOnSecurity

Me finishing school: WTF am I gonna do with hundreds of pages of mechanical engineering homework? They became my passwords for years. Even gave a few binders away--just dog-ear a page or put a sticky on the current passwords/answers. Greek letters were simply spelled out to increase length.

@NosirrahSec

Beats the hell out of using the same password in two or more places.

@SwiftOnSecurity

@xinit @SwiftOnSecurity Exactly!

I tell my clients' users that reusing your password from another service is nearly the worst possible thing you can do.

A unique, weak password is almost preferable to a reused password IMO. (if other mitigating factors are in place, rate limiting, mfa, etc.)

@SwiftOnSecurity I repent. I'll never make fun of the Rolodex of passwords my mom keeps next to their safe again. Well.... Maybe I'll make sure the safe code isn't in there first.
@SwiftOnSecurity so. Much. Work. Can I go back dunking? It was so easy.
@SwiftOnSecurity This is the universal truth in Security, UX design, process design etc. You have to contend with humans and they will make mistakes. If you fail to account for that, the burden lies entirely at your feet.
@SwiftOnSecurity "You have a set of levers to pull. Human nature is not one of them." Beautiful.
@SwiftOnSecurity and frankly, dunking on users just makes me, as someone who knows I'll inevitably have to contact tech support for one reason or another, NOT WANT TO ACTUALLY CONTACT TECH SUPPORT AT ALL. It's for the same reason I struggle to ask for help in general, actually: I don't wanna feel like I'm being judged for not knowing how to do/needing help doing something
@SwiftOnSecurity organizations love to blame disasters like plane crashes or nuclear meltdowns on "operator error" when really the problem is that the system was designed such that operator error is inevitable. It's a convenient way to avoid accountability, and not have to make difficult changes to complex systems.
@SwiftOnSecurity There's a joke in the aviation industry that the aircraft cockpit of the future will contain a pilot and a dog. The plane will fly itself, so the role of the pilot is to make passengers feel confident because a human is "in charge." The dog is there to bite the pilot if he tries to actually do anything. Left unsaid is the other role of the pilot, which would be to take the blame if anything goes wrong.
@SwiftOnSecurity indeed; the hard-copy password book is a good solution in some cases. I also like the “levers” metaphor for cyber-security
@SwiftOnSecurity "You have a set of levers to pull. Human nature is not one of them. Deal with that or be a righteous failure."

@SwiftOnSecurity People who learned dunking on users for mistakes fall back on that pattern far too easily as well.

The colleague of a friend was in a support call with a software provider, who became so toxic that she threatened to call his boss and took a smoking break to calm down. After she returned, it turned out that her problem stemmed from him having given her too few access rights.

Of course, to correct this, he then gave her admin rights, which was far more than her role should have....

@SwiftOnSecurity It's not even just security. I've seen so many problems created by people assuming that everyone will effectively coordinate and communicate. Or do what they should instead of the minimum required.

@SwiftOnSecurity

"You have a set of levers to pull. Human nature is not one of them. Deal with that or be a righteous failure."

widely applicable observation, in many domains

“You have a set of levers to pull. Human nature is not one of them.” This is the missing link in approximately everyone’s frustrations with humanity. Voter behavior, COVID mitigation, road and freeway safety, consumer trends, etc. If your plan for a better world is for most humans to fundamentally change, you’ll be disappointed.

There are ways to make a better world, but they’re all systemic.

@SwiftOnSecurity This is true of so many things. "Users should simply read all the instructions", "parents should simply find the time to cook healthy meals", "citizens should simply vote in their best interests", etc. It's never going to happen. If your job involves other people at any stage then you need to take them as they come; you can't just make better ones.

With the possible exception of therapists.

@SwiftOnSecurity everyone dunks on writing down your password until the smart password manager system they use suffers a data breach and all their stuff gets leaked 😭
@linus @SwiftOnSecurity also the storage and protection of like, not accidentally destroying it or losing it is far more intuitive
@donkeyblam @SwiftOnSecurity exactly, less of a need to handle complicated encryption and cloud backups (though if you'd like, encryption and cyphers are totally still an option for anything written); more so straightforward stuff like keeping it in a fireproof safe and keeping additional copies in some other safe place. Resonates far better with the hardware survival chip (gloop? X3) we have in our heads.

(And like idk personally, something about the action of writing stuff down, be it notes or passwords makes remembering it far easier)
@linus @SwiftOnSecurity well, not just hardware survival chip but also experience - someone who is 20 has 20 years of experience of what destroys and doesn't destroy things 24/7, but, most people have far less time to do so with computers
@donkeyblam @SwiftOnSecurity @linus That's debatable.

Being sure would require keeping the book in one's backpack to grab in case of fire. That is immediately more dangerous if one also gets mugged than an encrypted backup drive.

Rather, the setup has to be designed so that loss of all access is both recoverable and an expected path.
@linus I don't think any password manager has ever leaked people's passwords. Password managers are still a very good thing, it's just that a paper notebook also goes 90% of the way there.
@linus @SwiftOnSecurity I've never understood why people tolerate those SaaSS ones.

Well, that's not quite accurate or true, I suppose. Most of them don't understand the implications of it being SaaSS instead of a local airgapped VM. That's why.
@SwiftOnSecurity my best argument for this---besides it being low-tech and physical security considerations being moot: when you die, someone can get into your accounts this way. Which for older and less tech-savvy people is actually really helpful.
@notecharlie @SwiftOnSecurity That reminds me, I really need to write down how someone could access all of my stuff if anything ever happens to me. Physical access to my machine and phone won't be a problem for them after I'm gone anyway.
Ugh also true and such a “low-tech” great solution.

@notecharlie @SwiftOnSecurity

For daily use I have KeePassXC and KeePassDX which are not stored with some cloud service, but on computer/tablet, thumbdrive backups, etc.

That said, however, I have two small Rite in the Rain No. 77 waterproof notebooks, that contain the most important ones for just that purpose.
My spouse knows about it and what to do with it, even if not tech savvy, and my close ones (especially the ones that do not pale at being faced with a Veracrypt log in screen) do, as well.

@notecharlie @SwiftOnSecurity Those people are the ones most likely to have untrustworthy carers in their lives though, and least likely to notice when the underpaid professional carer or selfish relative/neighbour has spotted the book. They're good for actually unimportant passwords, but then someone's amazoning themselves expensive gifts and no one notices for months, even if your actual bank login details aren't written down.
@SwiftOnSecurity I write all my passwords encoded using simple to remember schemes.
@SwiftOnSecurity I've been using a simple app on my phone for years - through at least two phone upgrades and I keep my phones for a long time. It has no integration with the browser or cloud service; it is just a simple encrypted database.

@SwiftOnSecurity

Maybe they could use an obfuscation wrapper layer, by changing the product description to "NOT A PASSWORD BOOK"

@arose62

If it's not a Post-It note on the monitor / bottom of the keyboard, is it even a password book?

@SwiftOnSecurity

@SwiftOnSecurity Years ago I went to the office store and bought a few boxes of blank business cards.

They’re great for flash cards, and for this purpose, you can carry them in a wallet, etc.

They’re particularly a hit at business events when you inevitably overhear “oh no, it seems I don’t have a card on me!”

@SwiftOnSecurity it has always really bothered me that security people would look down their noses at this.
@selenalarson @SwiftOnSecurity the benefits to next of kin and executors alone is hard to overstate.
@SwiftOnSecurity
Copy & Paste is broken on mine.
@SwiftOnSecurity our master password repo for a ~2000 user department circa 1994-2006 was “Willy’s 7B8 Hardcover Notebook and a Pencil” and it saved many people’s asses many times

@SwiftOnSecurity I have a doc stored locally that has all my passwords--but only referenced with a code word that will help me (and the spouse, should I be incapacitated) remember. Like if the password was a variation on "horseshoe," I'd reference it with "Artax." (Not actual examples, of course.) Someone would have to directly target my home server and its monster firewall AND know which drive and doc to look for and wtf I was thinking.

Certainly seems safer than trusting LastPass or w'ev.

@SwiftOnSecurity Not to be underestimated: it has a threat model most people readily understand.
@andreasdotorg @SwiftOnSecurity Schneier used to drive this point home by pulling out his wallet and showing a dollar note. People understand the concept of "pieces of paper that have value" and can handle them accordingly. https://www.schneier.com/news/archives/2010/11/bruce_schneier_write.html

@SwiftOnSecurity my late dad had a little notebook and I tell you what when I got power of attorney because of his dementia it was a bloody good thing.

@SwiftOnSecurity My recommendation for years for regular people is to use a password manager and to write down the credentials to said password manager and just store it with their taxes.

A thief wants cameras, cash and jewellery. They don’t sit and read through documents.

The PM (slightly) improves on phishing, enables good password hygiene. The writing down reassures and enables a strong password to be used for the vault.

@SwiftOnSecurity I have done this for my parents who are getting old. A large notebook with categories where every site or service has a unique, human readable password. The chance of someone breaking into their rural house and finding that exact book is pretty small. In addition they're really good at spotting suspicious emails and such. I feel this is the perfect solution for them. And all important sites like banking have 2FA with a disconnected token.

@SwiftOnSecurity I actually wrote about this on my blog 6 years ago. I don't think they're a bad idea at all.

https://kevquirk.com/blog/is-a-password-book-a-bad-idea


@SwiftOnSecurity a person I know has one, and I always smiled at this person, but to be honest it is a lot better than having the same passwords over and over again.

(They even have their own made-up language to encode passwords in which is kinda cool tbh!)

@SwiftOnSecurity It is a lot more difficult to get remote access to someone's apartment, for sure.

I would probably suggest using a cypher, though, because someone might coincidentally break in, and then use the info as a crime-of-opportunity.

@SwiftOnSecurity wow, that's very cool. I would unironically buy this for my parents as it would undoubtedly help them stop using the same password for everything.
@SwiftOnSecurity And there are always simple schemes you can use to gently mangle the written passwords so they can't be used directly. E.g. delete 2nd character, each digit is -1 of actual, move first uppercase letter to end, etc.

@SwiftOnSecurity

My parents have a password book, BUT the passwords inside are not exactly the good ones, you have to apply a little trick on each of them to make them work.
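The mangling rules from the two posts above (delete the 2nd character, digits written one lower, first uppercase letter moved to the end), as an added worked example that is not from this thread: `recover()` applies the rules to a book entry and `write_down()` produces an entry that recovers correctly. The rule order, the digit wrap-around, the filler character and the sample passwords are my assumptions; the example also shows that the uppercase rule is only reversible when the real password ends in its uppercase letter.

```python
"""Added example: a written-down password that "can't be used directly".
The book holds a mangled string; memorised rules (assumed, in this order)
turn it back into the real password:
  1. delete the 2nd character
  2. every digit is written one lower than the real one (add 1; 0 wraps to 9)
  3. move the first uppercase letter to the end
All sample passwords below are constructed, not real credentials.
"""


def _shift_digits(s: str, delta: int) -> str:
    """Shift every decimal digit by delta, wrapping within 0-9."""
    return "".join(str((int(c) + delta) % 10) if c.isdigit() else c for c in s)


def recover(written: str) -> str:
    """What the owner does in their head: book entry -> real password."""
    if len(written) < 2:
        raise ValueError("book entry too short for rule 1")
    s = written[0] + written[2:]            # rule 1: drop the 2nd character
    s = _shift_digits(s, +1)                # rule 2: digits were written -1
    for i, c in enumerate(s):               # rule 3: first uppercase to the end
        if c.isupper():
            return s[:i] + s[i + 1:] + c
    return s                                # no uppercase: rule 3 is a no-op


def write_down(real: str, filler: str = "x") -> str:
    """Inverse of recover(): real password -> what goes in the book.

    Rule 3 only round-trips if the real password ends with an uppercase
    letter (it goes to the front, where recover() finds it first).  A password
    with an uppercase letter elsewhere cannot be written down under these
    rules, so refuse it instead of producing an entry that recovers wrongly.
    """
    if len(filler) != 1 or not real:
        raise ValueError("filler must be one character and password non-empty")
    if any(c.isupper() for c in real):
        if not real[-1].isupper():
            raise ValueError("rule 3 needs the real password to end in uppercase")
        s = real[-1] + real[:-1]            # undo rule 3
    else:
        s = real
    s = _shift_digits(s, -1)                # undo rule 2
    return s[0] + filler + s[1:]            # undo rule 1: insert a junk 2nd char


def round_trips(real: str) -> bool:
    """True if the book entry differs from the real password yet recovers it."""
    entry = write_down(real)
    return entry != real and recover(entry) == real
```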