Comment by mjr00

Comment by mjr00 a day ago

82 replies

View on Hacker News

> I disagree with other posts here, it is partially a balance between security and usability.

And economics. Many people here are blaming incompetent security teams and app developers, but a lot of seemingly dumb security policies are due to insurers. If an insurer says "we're going to jack up premiums by 20% unless you force employees to change their password once every 90 days", you can argue till you're blue in the face that it's bad practice, NIST changed its policy to recommend not regularly rotating passwords over a decade ago, etc., and be totally correct... but they're still going to jack up premiums if you don't do it. So you dejectedly sigh, implement a password expiration policy, and listen to grumbling employees who call you incompetent.

It's been a while since I've been through a process like this, but given how infamous log4shell became, it wouldn't surprise me if insurers are now also making it mandatory that common "hacking strings" like /etc/hosts, /etc/passwd, jndi:, and friends must be rejected by servers.

swiftcoder a day ago

Not just economics, audit processes also really encourage adopting large rulesets wholesale.

We're SOC2 + HIPAA compliant, which either means convincing the auditor that our in-house security rules cover 100% of the cases they care about... or we buy an off-the-shelf WAF that has already completed the compliance process, and call it a day. The CTO is going to pick the second option every time.

Reply View 6 replies
  • mjr00 a day ago

    Yeah. SOC2 reminds me that I didn't mention sales as well, another security-as-economics feature. I've seen a lot of enterprise RFPs that mandate certain security protocols, some of which are perfectly sensible and others... not so much. Usually this is less problematic than insurance because the buyer is more flexible, but sometimes they (specifically, the buyer's company's security team, who has no interest besides covering their own ass) refuse to budge.

    If your startup is on the verge of getting a 6 figure MRR deal with a company, but the company's security team mandates you put in a WAF to "protect their data"... guess you're putting in a WAF, like it or not.

    Reply View 4 replies
    • meindnoch a day ago

      >guess you're putting in a WAF, like it or not.

      Install the WAF crap, and then feed every request through rot13(). Everyone is happy!

      Reply View 3 replies
      • throwup238 a day ago

        Up until you need to exercise the insurance policy and the court room "experts" come down on you like a ton of bricks.

        Reply View 0 replies
      • benaubin a day ago

        now you've banned several different arbitrary strings!

        Reply View 1 reply
        • connicpu a day ago

          Good luck debugging why the string "/rgp/cnffjq" causes your request to be rejected :)

          Reply View 0 replies
  • sgarland 4 hours ago

    OS-level monitoring / auditing software also never ceases to amaze me (for how awful it is). Multiple times, at multiple companies, I have seen incidents that were caused because Security installed / enabled something (AWS GuardDuty, Auditbeat, CrowdStrike…) that tanked performance. My current place has the latter two on our ProxySQL EC2 nodes. Auditbeat is consuming two logical cores on its own. I haven’t been able to yet quantify the impact of CrowdStrike, but from a recent perf report, it seemed like it was using eBPF to hook into every TCP connection, which is quite a lot for a DB connection poolers.

    I understand the need for security tooling, but I don’t think companies often consider the huge performance impact these tools add.

    Reply View 0 replies
simonw a day ago

I wish IT teams would say "sorry about the password requirement, it's required by our insurance policy". I'd feel a lot less angry about stupid password expiration rules if they told me that.

Reply View 15 replies
  • cratermoon a day ago

    Sometime in the past few years I saw a new wrinkle: password must be changed every 90 days unless it is above a minimum length (12 or so as best I recall) in which case you only need to change it yearly. Since the industry has realized length trumps dumb "complexity" checks, it's a welcome change to see that encoded into policy.

    Reply View 14 replies
    • manwe150 a day ago

      I think I like this idea that the rotation interval could be made proportional to length, for example doubling the interval with each additional character. Security standards already now acknowledge that forced yearly rotation is a net decrease in security, so this would incentivize users to pick the longest password for which they would tolerate the rotation interval. Is yearly rotation too annoying for you? For merely the effort of going from 12 -> 14 characters, you could make it 4 years instead, or 8 years, 16, and so on.

      Reply View 11 replies
      • connicpu a day ago

        Can confirm when I found out I'd be required to regularly change my password the security of it went down significantly. At my current job when I was a new employee I generated a secure random password and spent a week memorizing it. 6 months later when I found out I was required to change it, I reverted to a variation of the password I used to use for everything years ago with some extra characters at the end that I'll be rotating with each forced change...

        Reply View 9 replies
      • butshouldyou 21 hours ago

        Unfortunately, lots of end users refuse to read the password policy and won't understand why their password reset interval is "random" or shorter than their colleague's.

        Reply View 0 replies
    • chimeracoder a day ago

      > Sometime in the past few years I saw a new wrinkle: password must be changed every 90 days unless it is above a minimum length (12 or so as best I recall) in which case you only need to change it yearly. Since the industry has realized length trumps dumb "complexity" checks, it's a welcome change to see that encoded into policy.

      This is such a bizarre hybrid policy, especially since forced password rotations at fixed intervals are already not recommended for end-user passwords as a security practice.

      Reply View 1 reply
      • vladvasiliu 4 hours ago

        I think the issue is that some people don't actually understand what's going on, so in an attempt at goodwill, they try to "compromise", and "split the difference" if you will. Hell, some people will consider the windows hello pin as a password and force a regular rotation. Combined with policies coming from outside (think insurance and other compliance stuff) which try to cover as much ground as possible, you end up with half-assed implementations like these.

        One discourse I hear is that "people will just use the same password everywhere". To which I'll answer, "but we have mfa". "yeah, but the insurance guys".

        Reply View 0 replies
wvh 8 hours ago

Having worked with PCI-DSS, some rules seem to only exist to appease insurance. When criticising decisions, you are told that passing audits to be able to claim insurance is the whole game, even when you can demonstrate how you can bypass certain rules in reality. High-level security has more to do with politics (my definition) than purely technical ability. I wouldn't go as far as to call it security theatre, there's too much good stuff there that many don't think about without having a handy list, but the game is certainly a lot bigger than just technical skills and hacker vs anti-hacker.

I still have a nervous tick from having a screen lock timeout "smaller than or equal to 30 seconds".

Reply View 0 replies
betaby a day ago

> but a lot of seemingly dumb security policies are due to insurers.

I keep hearing that often on HN, however I've personally never seen seen such demands from insurers. I would greatly appreciate if one share such insurance policy. Insurance policies are not trade secrets and OK to be public. I can google plenty of commercial cars insurance policies for example.

Reply View 23 replies
  • simonw a day ago

    I found an example!

    https://retail.direct.zurich.ch/resources/definition/product...

    Questionnaire Zurich Cyber Insurance

    Question 4.2: "Do you have a technically enforced password policy that ensures use of strong passwords and that passwords are changed at least quarterly?"

    Since this is an insurance questionnaire, presumably your answers to that question affect the rates you get charged?

    (Found that with the help of o4-mini https://chatgpt.com/share/680bc054-77d8-8006-88a1-a6928ab99a...)

    Reply View 18 replies
    • smithkl42 19 hours ago

      We've been asked that question before on security questionnaires, and our answer has always been, "Forcing users to change passwords regularly is widely regarded as a very bad security practice, and we don't engage in bad security practices." We've never had anyone complain.

      Reply View 2 replies
      • austhrow743 9 hours ago

        I've never had a complaint about anything I put in to a form requesting a quote for insurance. I just get the quote back. Did you write that in the comment expecting an insurance salesperson to call you up and argue passwords with you? Call their back office and say "hey this guy says our password question is crap, get our best guys on it!"?

        I just cant imagine any outcome other than it was translated to just a "no" and increased your premium over what it would have otherwise been.

        Reply View 1 reply
        • gusgus01 37 minutes ago

          I've also filled out insurance quote forms several times to see the interplay of the questions and price. Quite often many of the questions do not change the quote. So the existence of the question in a form does not imply a change in price, or any true guess at the magnitude of the change at all.

          Reply View 0 replies
    • betaby a day ago

      Password policy is something rather common, and 'standard' firewalls. Question is in the context of of WAF as in the article. WAF requirement is something more invasive to say the least.

      Reply View 0 replies
    • kiitos a day ago

      Directly following is question 4.3: "Are users always prevented from installing programs on end-user devices?"

      Totally bonkers stuff.

      Reply View 13 replies
      • 9x39 a day ago

        A trend for corporate workstations is moving closer to a phone with a locked-down app store, with all programs from a company software repo.

        Eliminating everything but a business's industry specific apps, MS Office, and some well-known productivity tools slashes support calls (no customization!) and frustrates cyberattacks to some degree when you can't deploy custom executables.

        Reply View 6 replies
      • pjmlp a day ago

        This is standard practice for years in big corporations.

        You install software via ticket requests to IT, and devs might have admin rights, but not root, and only temporary.

        This is nothing new though, back in the timesharing days, where we would connect to the development server, we only got as much rights as required for the ongoing development workflows.

        Hence why PCs felt so liberating.

        Reply View 5 replies
  • bigbuppo 21 hours ago

    The fun part is that they don't demand anything, they just send you a worksheet that you fill out and presumably it impacts your rates. You just assume that whatever they ask about is what they want. Some of what they suggest is reasonable, like having backups that aren't stored on storage directly coupled to your main environment.

    The worst part about cyber insurance, though, is that as soon as you declare an incident, your computers and cloud accounts now belong to the insurance company until they have their chosen people rummage through everything. Your restoration process is now going to run on their schedule. In other words, the reason the recovery from a crypto-locker attack takes three weeks is because of cyber insurance. And to be fair, they should only have to pay out once for a single incident, so their designated experts get to be careful and meticulous.

    Reply View 0 replies
  • tmpz22 a day ago

    This is such an important comment.

    Fear of a prospective expectation, compliance, requirement, etc., even when that requirement does not actually exist is so prevalent in the personality types of software developers.

    Reply View 1 reply
    • 9x39 a day ago

      It cuts both ways. I've struggled to get things like backups or multifactor authentication approved without being able to point to some force like regulation or insurance providers that can dislodge executives' inertia.

      My mental model at this point says that if there's a cost to some important improvement, the politics and incentives today are such that a typical executive will only do the bare minimum required by law or some equivalent force, and not a dollar more.

      Reply View 0 replies
  • manwe150 a day ago

    You can buy insurance for just about anything, not just cars. Companies frequently buy insurance against various low-probability incidents such as loss of use, fraud, lawsuit, etc.

    Reply View 0 replies
lucianbr a day ago

There should be some limits and some consequences to the insurer as well. I don't think the insurer is god and should be able to request anything no matter if it makes sense or not and have people and companies comply.

If anything, I think this attitude is part of the problem. Management, IT security, insurers, governing bodies, they all just impose rules with (sometimes, too often) zero regard for consequences to anyone else. If no pushback mechanism exists against insurer requirements, something is broken.

Reply View 6 replies
  • mjr00 a day ago

    > There should be some limits and some consequences to the insurer as well. I don't think the insurer is god and should be able to request anything no matter if it makes sense or not and have people and companies comply.

    If the insurer requested something unreasonable, you'd go to a different insurer. It's a competitive market after all. But most of the complaints about incompetent security practices boil down to minor nuisances in the grand scheme of things. Forced password changes once every 90 days is dumb and slightly annoying but doesn't significantly impact business operations. Having to run some "enterprise security tool" and go through every false positive result (of which there will be many) and provide an explanation as to why it's a false positive is incredibly annoying and doesn't help your security, but it's also something you could have a $50k/year security intern do. Turning on a WAF that happens to reject the 0.0001% of Substack articles which talk about /etc/hosts isn't going to materially change Substack's revenue this year.

    Reply View 3 replies
    • vladvasiliu a day ago

      The issue is that the Finance dept will show up and ask why you chose the more expensive insurance. Sure, if you're able to show how much the annoyances of the cheaper company would cost you, they'd probably shut it. But I'd argue it's not that easy. Plus, all these annoyances aren't borne by the security team, so they don't care that much in the end.

      Reply View 1 reply
      • HappMacDonald a day ago

        My first thought might be to put together a report showing the cost that the cheaper insurance would impose upon the organization which the more expensive up-front option is saving you. Perhaps even serve that up as a cost-savings the finance department is free to then take credit for, I'unno. :P

        Reply View 0 replies
    • int_19h 9 hours ago

      > Forced password changes once every 90 days is dumb and slightly annoying but doesn't significantly impact business operations.

      It negatively impacts security, because users then pick simpler passwords that are easier to rotate through some simple transformation. Which is why it's considered not just useless, but an anti-pattern.

      Reply View 0 replies
  • jimmaswell 20 hours ago

    This is why everyone should have a union, including highly paid professionals. Imagine what it would be like. "No, fuck you, we're going on strike until you stop inconveniencing us to death with your braindead security theater. No more code until you give us admin on our own machines, stop wasting our time with useless Checkmarx scans, and bring the firewall down about ten notches."

    Reply View 0 replies
II2II 21 hours ago

> If an insurer says "we're going to jack up premiums by 20% unless you force employees to change their password once every 90 days", you can argue till you're blue in the face that it's bad practice, NIST changed its policy to recommend not regularly rotating passwords over a decade ago, etc., and be totally correct... but they're still going to jack up premiums if you don't do it.

I would argue that password policies are very context dependent. As much as I detest changing my password every 90 days, I've worked in places where the culture encouraged password sharing. That sharing creates a whole slew of problems. On top of that, removing the requirement to change passwords every 90 days would encourage very few people to select secure passwords, mostly because they prefer convenience and do not understand the risks.

If you are dealing with an externally facing service where people are willing to choose secure passwords and unwilling to share them, I would agree that regularly changing passwords creates more problems than it solves.

Reply View 2 replies
  • Aeolun 21 hours ago

    > removing the requirement to change passwords every 90 days would encourage very few people to select secure passwords

    When you don’t require them to change it, you can just assign them a random 16 character string and tell them it’s their job to memorize it.

    Reply View 1 reply
    • phito 8 hours ago

      There's no way I will ever remember it. I will write it down. Let me choose my own password (passphrase if I need to remember it)

      Reply View 0 replies
620gelato 16 hours ago

> jack up premiums by 20% unless you force employees to change their password once every 90 days"

Always made me judge my company's security teams as to why they enable this stupidity. Thankfully they got rid of this gradually, nearly 2 years ago now (90 days to 365 days to never). New passwords were just one key l/r/u/d on the keyboard.

Now I'm thinking maybe this is why the app for a govt savings scheme in my country won't allow password autofill at all. Imagine expecting a new password every 90 days and not allowing auto fill - that just makes passwords worse.

Reply View 0 replies
afiori a day ago

I believe that these kind of decisions are mostly downstream of security audits/consultants with varying level of up to date slideshows.

I believe that this is overall a reasonable approach for companies that are bigger than "the CEO knows everyone and trusted executives are also senior IT/Devs/tech experts" and smaller than "we can spin an internal security audit using in-house resources"

Reply View 0 replies
smeg_it a day ago

I'm no expert, but I did take a CISSP course a while ago. One thing I actually remember ;P, is that it recommended long passwords in in lieu of the number, special character, upper, lower ... I don't remember the exact wording of course and maybe it did recommend some of that, but it talked about having a sentence rather than all that mess in 6-8 characters, but many sites still want the short mess that I never will actually remember

Reply View 7 replies
  • vlovich123 a day ago

    While the password recommendation stuff is changing (the US government updating it guidelines last year), it’s generally best practice to not share passwords which itself implies using a password manager anyway which makes the whole “long passphrase” vs “complex” password moot - just generate 32 lowercase random characters to make it easier to type or use the autogenerated password your password manager recommends.

    The long passphrase is more for the key that unlocks your password manager rather than the random passwords you use day to day.

    Reply View 2 replies
    • kbolino a day ago

      There's also login passwords, and depending on how many systems you have to log into, these can be quite numerous. There are some attempts to address this with smartcards and FIDO tokens and so on, but it's not nearly universal yet. At least SSH keys are common for remote login nowadays, but you still need to log into some computer directly first.

      Reply View 1 reply
      • vlovich123 a day ago

        I find it rare to have a huge number of machines to log into that aren't hooked up to a centralized login server. Still, nothing prevents you from having passwords for each individual machine that needs it. It's cumbersome to type it in but it works, which is why I recommended all lowercase (faster to type on a mobile device).

        Reply View 0 replies
  • mcoliver a day ago

    entropy is stronger than complexity. https://xkcd.com/936/

    Reply View 3 replies
    • joseda-hg a day ago

      I wonder how many people have used Correct Horse Battery Staple as a password thanks to this comic

      Reply View 2 replies
      • D-Coder a day ago

        Ah, just mix them up randomly: Staple Battery Correct Horse!

        Reply View 0 replies
patrakov 19 hours ago

Worse. If you are not in the USA, i.e., if NIST is not the correct authority, that insurer might actually be enforcing what the "correct" authority believes to be right, i.e., password expiration.

Reply View 0 replies
josephcsible a day ago

Why wouldn't the IT people just tell the grumbling employees that exact explanation?

Reply View 7 replies
  • derektank a day ago

    IT doesn't always hear the grumbles, hidden away as they frequently are behind a ticketing system; the help desk technicians who do hear the grumbles aren't always informed of the "why" behind certain policies, and don't have the time or inclination to go look them up if they're even documented; and it's a very unsatisfying answer even if one receives a detailed explanation.

    Information loss is an inherent property of large organizations.

    Reply View 2 replies
    • decasia 19 hours ago

      > Information loss is an inherent property of large organizations.

      That's such an interesting axiom, I'm curious if you would want to say more about it? It feels right intuitively - complexity doesn't travel easily across contexts and reaching a common understanding is harder the more people you're talking to.

      Reply View 1 reply
      • resonious 12 hours ago

        On a more micro level, I find it very hard to write good documentation. I always forget something that once pointed out seems obvious. Or worse, the reader is missing some important context that many other readers are already privy to. Not to mention, some people don't even seek out docs before acting.

        I imagine this gets amplified in a large org. The docs are lacking, people might not read them anyway, and you get an explosion of people who don't understand very much but still have a job to do.

        Reply View 0 replies
  • the8472 a day ago

    In small orgs that might happen, in large orgs it's some game of telephone where the insurance requirements are forwarded to the security team which makes the policies which are enforced by several layers of compliance which come down on the local IT department.

    The underlying purpose of the rules and agency to apply the spirt rather than the letter gets lost early in the chain and trying to unwind it can be tedious.

    Reply View 0 replies
  • bigbuppo 20 hours ago

    If you've read this thread, it would appear that most people here on HN aren't actually involved with policy compliance work dictated from above. Have you ever seen a Show HN dealing with boring business decisions? No. We do, however, get https://daale.club/

    Reply View 1 reply
    • Aeolun 20 hours ago

      I think the problem is any time we are involved with policy compliance work it’s because we get a list with inane requirements on, and nobody to challenge in regard to it.

      Reply View 0 replies
  • maccard a day ago

    In a lot of cases the it people are just following the rules and don’t know this.

    Reply View 0 replies
Wowfunhappy a day ago

Maybe it wouldn't make a difference, but if I was the IT person telling users they have to change their passwords every 90 days, I would 100% include a line in the email blaming the insurance company.

Reply View 4 replies
  • foobarchu a day ago

    I'm not in an IT dept (developer instead), but I'd bet money that would get you a thorough dressing down by an executive involved with the insurance. That sort of blaming goes over well with those at the bottom of the hierarchy, and poorly with those at the top.

    Reply View 2 replies
    • Wowfunhappy a day ago

      The insurance people are not a part of the company, so I'm not sure who would be offended.

      I wouldn't be mean about it. I'm imagining adding a line to the email such as:

      > (Yes, I know this is annoying, but it's required by our insurance company.)

      What is the insurance company going to do, jack up our rates because we accurately stated what their policy was?

      Reply View 1 reply
      • int_19h 9 hours ago

        The problem is that this particular insurance company was picked by someone who does work in yours.

        Reply View 0 replies
  • bigfatkitten 21 hours ago

    You would probably have no idea what the requirement actually said or where it ultimately came from.

    It would've gone from the insurer to the legal team, to the GRC team, to the enterprise security team, to the IT engineering team, to the IT support team, and then to the user.

    Steps #1 to #4 can (and do) introduce their own requirements, or interpret other requirements in novel ways, and you'd be #5 in the chain.

    Reply View 0 replies