[Cryptography] best practices considered bad term

Kent Borg kentborg at borg.org
Sat Jan 31 20:40:11 EST 2015


On 01/31/2015 07:04 PM, Jerry Leichter wrote:
> SAP took the point of view that they wouldn't customize their software 
> - customers had to adapt to their *right* way of doing things. Their 
> answer to the complaint from a customer who organized things 
> differently was "Oh ... you mean you don't follow industry best 
> practices?"

I love that history. Thanks.

> A *good* description of "best practices" would actually help things. 
> It would certainly include such advice as "Keep systems patched", 
> "Don't continue to use Windows XP", "Don't reuse passwords at multiple 
> sites" (yes, you can make exceptions for very-low-value sites; I'm 
> talking about general advice), "Don't leave default passwords on any 
> devices", "Have backups at an offsite location to which your systems 
> have effectively append-only access", "Have a procedure in place to 
> quickly revoke all access to your systems by people who leave their 
> jobs, for whatever reason", and many more.

Yes, but that is a large list that requires a lot of thought to expand 
into practice.

And don't pretend everything is so harmonious as all that. There are 
still disagreements about whether we should frequently change passwords 
or not; whether to write down passwords or not; whether passwords are 
any good or not; whether firewalls are good (they cut off lots of bad 
packets) or not (they make people think insecure networks are safe).

On NPR the other day I heard a host blah-blah the standard list of 
everyone-knows security advice, but I heartily disagreed: change 
passwords she said, but no mention of not reusing passwords. And we 
wonder how Central Command can have its Twitter and YouTube accounts 
both hacked on the very *same* day!?

The little thing of not reusing passwords is really a gigantic 
thing--extremely vanishingly small numbers of people actually do that.

This stuff is still full of controversy. (But thanks for the SAP story.)


-kb, the Kent who asserts firewalls have been terrible for 
security--that they should only be installed secretly, as a safety net, 
because otherwise people let their computers and data run around naked, 
thinking they are safely behind The Firewall.

