Security “experts” – a rant

Some internet sites have ordinary security.  They require an account and password for access, but they don’t go to special lengths.  And then there are those who use a security expert (or a security BOFH).  I’ll call those the “super-security” sites.

When I visit an ordinary internet site, I take reasonable care to use a good password.  In fact, I generate that password with a random password generator to be sure that it isn’t easily guessed.  I store a copy of that password in an encrypted file.  But, mainly, I allow the Firefox password manager to handle it.  I did configure Firefox to encrypt its password database, so that I have to unlock it once per Firefox session.  But then, logging into the site is rather simple, with Firefox filling in the required information.

Things are far more secure at a super-security site.  They set their system up so that it won’t allow my browser to remember the password.  So, of course, I do the obvious thing.  Instead of using a random password generator, I just use an easy-to-remember password.  And, because it is easy to remember, it is probably also easy to guess.  And, in addition to storing it in an encrypted file of passwords, I also put a copy in an unencrypted file, so that I can easily use copy/paste to help me fill in their sign-on details.  I’m so glad these folks are looking out for me and making things more secure.

I sometimes receive phishing emails.  I expect that everybody does.  These pretend to come from a site, and they give me a URL to a fake site where I am asked for a password.  Fortunately, I am not easily fooled, so I have never fallen for one of those phishing scams.  But let’s suppose that I was careless.  If this were a site with ordinary security, then I would be using Firefox to fill in the password.  And Firefox would notice that this was the wrong site and would not fill in the information.  I would be protected, in spite of my carelessness with that phishing email.  But if this were a super-security site, then because the site’s super-security has blocked the use of the Firefox password database, I would not have that additional Firefox protection against phishing.
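
The protection described above rests on one rule: a browser password manager keys each saved credential to the origin (scheme, host and port) it was saved on, and only offers it back on a page with exactly that origin, so a look-alike phishing domain gets nothing.  The snippet below is an added illustration, not code from the post or from Firefox: a toy model of that rule, plus the conventional way a site opts out of it, which is putting `autocomplete="off"` on the password field (current browsers largely ignore that hint for login fields, but the model honours it to match the behaviour the post complains about).  The hostnames and password are constructed for the example.

```javascript
// Added example (not from the original post): a minimal model of how a
// browser password manager decides whether to offer a saved credential.
// Entries are keyed by origin (scheme + host + port); a credential is
// offered only when the current page's origin matches exactly, so a
// phishing page on a look-alike host never receives it.
// All hostnames and the password below are constructed sample values.

const vault = new Map(); // origin -> { username, password }

// Save a credential under the origin of the page it was entered on.
function saveCredential(pageUrl, username, password) {
  const origin = new URL(pageUrl).origin;
  vault.set(origin, { username, password });
  return origin;
}

// Return the credential saved for the page's origin, or null if none.
function credentialFor(pageUrl) {
  let origin;
  try {
    origin = new URL(pageUrl).origin;
  } catch {
    return null; // unparsable URL: never fill
  }
  return vault.get(origin) ?? null;
}

// Decide whether to autofill. `passwordFieldAutocomplete` is the value of
// the password <input>'s autocomplete attribute (null if absent). A site
// that sets it to "off" is the "super-security" case: the manager is told
// not to store or fill, and the origin check never gets a chance to help.
function shouldFill(pageUrl, passwordFieldAutocomplete) {
  if (passwordFieldAutocomplete === 'off') return false;
  return credentialFor(pageUrl) !== null;
}

// Walk through the scenarios from the post with one saved login.
function demo() {
  saveCredential('https://bank.example/login', 'alice', 'constructed-example-password');
  return {
    // Same origin, different path: the manager fills.
    realSite: shouldFill('https://bank.example/account', null),
    // Phishing host that merely contains the real name: no match, no fill.
    phishSite: shouldFill('https://bank.example.login-verify.test/', null),
    // Same host over plain http: different origin, no fill.
    httpDowngrade: shouldFill('http://bank.example/login', null),
    // Real site, but it blocks the manager: user is back to typing/pasting.
    superSecure: shouldFill('https://bank.example/login', 'off'),
  };
}

console.log(demo());
```

Run it with `node`; the only scenario in which the saved password is offered is the genuine origin with the manager allowed.  The `phishSite` case is the point of the post: the decision is made by comparing origins, not by the user reading the address bar carefully.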

Somebody, please tell these super-security sites that they are making me less secure.
