[Cryptography] best practices considered bad term

Peter Gutmann pgut001 at cs.auckland.ac.nz
Sun Feb 1 09:54:15 EST 2015


Jerry Leichter <leichter at lrw.com> writes:

>A *good* description of "best practices" would actually help things. 

You don't just need a description, you need a rationale.  Taking the example
in my previous message of agricultural use of fungicide, "Don't use
myclobutanil more than three times in one growing season or you'll produce
resistant strains".  That's advice, rationale, and consequences of not
following the advice in a single statement.

Now contrast this with security advice like "Passwords are like underwear, you
should change them often".  Yeah, cute analogy, but so what?  I could invent a
new saying, "Passwords are like a spouse, pick a good one and stick with it",
and now you've got exactly the opposite advice.  I think the reason why so
much security "best practice" comes without any explanation or rationale is
because there isn't any available, it's just "we've always done it that way"
or "this is my pet idea, everyone else should believe in it too".

Peter.
