Security: Perception isn't Reality
Published 2019-8-1

There's a lot of FUD around security practices.
Don't Rotate your password every 30 days
There are a lot of old practices that obviously do more harm than good, like the terrible advice to "rotate your password every 30 days". In certain isolated cases that increases security by a very small margin for an individual, but on the whole it decreases security significantly, because of the fatigue it creates and the ways people behave to circumvent such policies for convenience.
Don't Encrypt ALL the Things!
There are also a lot of things that are used in contexts that don't make sense - like performing a "secure storage" and "secure delete" on an ephemeral virtual machine with a virtualized sparse-write disk, backed by an SSD whose microcontroller performs wear-leveling random writes, for a credential that's inaccessible without first having a more privileged credential that would already grant access to the protected resource in the first place...
In those cases the extra "precaution" is not harmful per se, but generally speaking simpler is better and the more complicated something is, the less secure it is, because there are more points of failure.
So even if there's a theoretical mathematical proof that, for example, rotating your passwords every 30 days results in more entropy, the reality is, well...
However, in a community where literally 80%+ of the people are novices (software engineering being the fastest growing profession and all that), sometimes it's easier to just appease people's perceptions when the result isn't particularly damaging.
Cars are dangerous, but people are more afraid of flying.
Therefore 90% of the concern needs to be spent on car dangers, but 90% of what will appeal to people has to do with planes.
As with all things, people want to do what sounds cool more than what has an effect and, to some degree, in order to help those people you have to frame what's actually important in terms of what sounds cool so that the desired result can be achieved.
If you don't have to make it complicated, don't!
"Security in layers" and all that, but it should be about protecting the existing layers, not arbitrarily adding more layers.
Hence my position is that sufficient is sufficient, in all regards.
Any measure beyond the minimal requirement is just adding to the noise, a harmful misdirection of attention (and though you may find my minimalism alarming, it's far more potent than it sounds - the "minimums" are, by definition, the lowest order of absurd excessiveness).