Brian.Carnell.Com

This year there were two epic screwups in fact checking in books published by authors on the left and right.

On the left, Naomi Wolf published her book Outrages: Sex, Censorship and the Criminalization of Love which, among other things discussed dozens of executions of homosexual men in Great Britain during the Victorian era. It turned out, however, that notations that Wolf concluded were evidence of an execution having been carried out were actually cases of a judge recommending the pardoning of a death sentence.

On the right, Doug Wead’s Inside Trump’s White House caused a stir by claiming that the Obama White House subjected intelligence officials to “nonstop PC [political correctness] meetings.” It turned out, sadly for Wead, that “PC” in this context refers not to “political correctness” but rather to meetings of the National Security Council Principals Committee. The officials that Wead interviewed were essentially complaining that under the Obama administration they had to vet their decisions with this committee, whereas the Trump administration let them more freely make decisions lower down the chain of command.

Everyone’s worried about deep fakes and false statements spread through social media, but what does that matter if authors and publishers can’t even be bothered to make certain they are accurately understanding and explaining key parts of their books?

In my opinion the issue isn’t so much deep fakes and social media–lies widely dispersed by the media have been with us since the birth of the newspaper–but the sort of credulity and confirmation bias that people like Wead and Wolf fall victim to (and those who support them…Wolf, for example, has repeated nonsensical claim after nonsensical claim her entire career and yet has no problem finding a publisher, an audience, and an alarming degree of respectability in some circles).

Most of the time Graham Cluley gives good advice regarding computer security (his Smashing Security podcast is both entertaining and informative), but I think he is wrong about workers who simply iterate their passwords when asked to change them on an arbitrary schedule.

Cluley writes,

So it’s important to ensure that all your passwords are unique, as well as being impossible to guess and hard to crack.

But that doesn’t mean it’s good enough just to make a minor change to your passwords.

A survey of 200 people conducted by security outfit HYPR has some alarming findings.

For instance, not only did 72% of users admit that they reused the same passwords in their personal life, but also 49% admitted that when forced to update their passwords in the workplace they reused the same one with a minor change.

Furthermore, many users were clearly relying upon their puny human memory to remember passwords (42% in the office, 35% in their personal lives) rather than something more reliable. This, no doubt, feeds users’ tendency to choose weak, easy-to-crack passwords as well as reusing old passwords or making minor changes to existing ones.

There are a number of things wrong with this analysis.

First, while it is almost always better to rely on password managers rather than memory to keep track of passwords, there are some situations where this is not feasible.

For example, the company I work for assigns me a single sign on username and password that I use not only to log in to company resources, but that I also have to use to unlock my company-provisioned laptop.

I need to be able to have a password that I can memorize in that case. I would argue that pulling out, say, a mobile phone, accessing my password manager, and then using that to type my password into my laptop is far less secure than memorizing it. I need to enter this password routinely throughout the day at meetings and in public places.

Second, as long as the memorized password is strong, there is little to no security implication for simply iterating the password when required to do so on an arbitrary schedule.

As Cluley himself notes later in the article, “I don’t believe it’s a good idea to force users to change their passwords unless there’s a cause for concern.”

So let’s say I have a secure passphrase along the lines of XKCD’s famous “correcthorsebatterystaple.” I have that memorized, and I only use it for my corporate SSO account. As Cluley points out, there’s no good reason to ask me to change that password every 3 months.

But, alas, that is what is going to happen. As long as I know this is just a routine password change request, there is no good reason to believe that “correcthorsebatterystapleone” is any less secure than “correcthorsebatterystaple.”

I could see someone saying, “Yes, that may be true, but if users get into the habit of simply iterating their passwords, they will also do that then when we need them to change passwords because of a potential breach or other issue.”

And this would, in fact, be very bad. But that’s a problem created entirely by this practice of enforcing arbitrary password change schedules. If your security team is the proverbial boy who cried “change your password” over and over where there wasn’t a genuine threat, don’t be surprised when they don’t respond appropriately to the real thing.