Security Awareness Blog

*sigh* - Example of Really BAD Security Awareness

Security awareness is tough. So I get frustrated when I see really bad advice published. I get even more frustrated when people know they are publishing bad advice but continue anyway, because they care about marketing, not about providing value.

An infographic was published on passwords, specifically "Duh, The Easiest Way to Stop Hackers is Passwords". Passwords are a very important security control, and one of the most difficult to teach, as I discussed last week. The folks that created this infographic contacted me asking if I would promote it. However, I turned them down, as the information is FUD-loaded and in several cases dead wrong. I explained their mistakes to them in the hope they would fix them; instead, they shopped around until someone else would post it. My two biggest concerns with the infographic?

  • FACT #1. 92% of top 100 paid iOS apps have been hacked.

Wow, that is scary! To me this implies that 90%+ of apps on iTunes are hacked and infected. However, if you take a moment and read the source, you discover the survey actually analyzed the number of CRACKED iOS apps you can find outside of iTunes (Cydia) once you jailbreak your iPhone. In reality, Apple's whitelisting approach with iTunes has created one of the most secure ecosystems for apps.

  • FACT #2. 8 character password is the most secure as it requires 463 years to be cracked.

I guess this is true as long as you are using mom's three-year-old computer for brute forcing. Cloud computing and rainbow tables, anyone? I ran their suggested password through several password-cracking calculators; the average time to crack was 18-24 hours, not 463 years. Great, we now have people believing 8 characters is the best password. What we should be teaching people is the importance of password length, of passphrases.
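To make the length-versus-complexity point concrete, here is a small calculator I added for this post; it is not from the infographic or its authors. It computes the keyspace and entropy for a password policy and the expected brute-force time at a given guess rate. The guess rates below (a thousand guesses per second for an old desktop, ten billion per second for a modern GPU rig) are illustrative assumptions, not measured figures, and the 7776-word list size is the usual diceware-style wordlist; the specific password from the infographic is not reproduced here.

```python
import math

# Character-set sizes for common password policies (assumed for this example).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "alphanumeric": 62,
    "printable": 95,
}

# Illustrative guess rates in guesses per second (constructed assumptions,
# not benchmark results): an old desktop vs. a modern GPU cracking rig.
OLD_DESKTOP_RATE = 1e3
GPU_RIG_RATE = 1e10

# Size of a diceware-style wordlist (5 dice rolls = 6**5 words).
WORDLIST_SIZE = 7776


def keyspace(symbol_count: int, length: int) -> int:
    """Number of possible secrets when each of `length` positions is one of `symbol_count` symbols."""
    return symbol_count ** length


def entropy_bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen secret from a keyspace of the given size."""
    return math.log2(space)


def expected_crack_seconds(space: int, guesses_per_second: float) -> float:
    """Expected time to find a uniformly random secret: on average half the keyspace is searched."""
    return space / 2 / guesses_per_second


def format_duration(seconds: float) -> str:
    """Human-readable duration for the comparison table."""
    year = 365.25 * 24 * 3600
    if seconds >= year:
        return f"{seconds / year:,.1f} years"
    if seconds >= 86400:
        return f"{seconds / 86400:,.1f} days"
    if seconds >= 3600:
        return f"{seconds / 3600:,.1f} hours"
    return f"{seconds:,.1f} seconds"


def compare_policies() -> list:
    """Return entropy and crack-time figures for an 8-character password vs. passphrases.

    Each entry is (label, bits, seconds_on_old_desktop, seconds_on_gpu_rig).
    """
    policies = [
        ("8 chars, lowercase only", keyspace(CHARSETS["lowercase"], 8)),
        ("8 chars, any printable", keyspace(CHARSETS["printable"], 8)),
        ("5-word diceware passphrase", keyspace(WORDLIST_SIZE, 5)),
        ("20 chars, lowercase only", keyspace(CHARSETS["lowercase"], 20)),
    ]
    rows = []
    for label, space in policies:
        rows.append((
            label,
            entropy_bits(space),
            expected_crack_seconds(space, OLD_DESKTOP_RATE),
            expected_crack_seconds(space, GPU_RIG_RATE),
        ))
    return rows


if __name__ == "__main__":
    print(f"{'policy':32} {'bits':>6} {'old desktop':>16} {'GPU rig':>16}")
    for label, bits, slow, fast in compare_policies():
        print(f"{label:32} {bits:6.1f} {format_duration(slow):>16} {format_duration(fast):>16}")
```

The "old desktop" column is how the 463-year style claims get made: pick a tiny guess rate and any 8-character password looks safe. Change the rate to what a GPU rig actually does and the same password is a matter of days, while the 5-word passphrase gains about 12 bits over the 8-character printable password, which is roughly a 4000x longer search. The calculation assumes a purely random secret and an offline attack against a fast, unsalted hash; a slow, salted hash (bcrypt, scrypt, Argon2) lowers the guess rate by orders of magnitude, which is why hash choice matters as much as the policy.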

Security awareness is tough enough without misinformation like this.