A Realistic Threat Model for the Masses

I'm one of those people who has made fun of password books for being an example of horrible security practices. But I'm starting to realize that I was wrong. For some people, overly restrictive security advice is doing more harm than good. For those who can't easily navigate more secure solutions, writing a password down and keeping it locked up in your home is far better than reusing passwords.

While threat modeling is something we often ask businesses to do to determine the level of risk posed by certain vulnerabilities, we seldom ask individuals to do the same thing. Instead, we just give everyone the same sort of blanket suggestions, often implying that it's necessary for everyone to protect themselves against state-sponsored attackers.

This can lead to people devaluing threats that realistically could come from within their own homes, such as in the case of domestic abuse, which in this day and age almost invariably includes monitoring the victim, including online. Bottom line: When hurdles are so massive that using computers becomes impossibly difficult, people give up, opting instead to do as little as possible to protect their data and devices.

This is definitely a case where "perfect is the enemy of good."By dissuading people from using more convenient and usable security methods, we're discouraging them from taking any meaningful steps toward a safer Internet experience. Here are a few other examples of things I frequently hear security practitioners warn laypeople against:

Biometrics
Authentication will be a recurring theme here: Usernames and passwords are really not sufficient by themselves anymore, especially because people do such a poor job with them on the whole. We all have dozens (if not hundreds) of accounts that require a login, and it is simply not reasonable to expect people to remember strong, unique passwords for that many accounts.

Many people "solve" this problem by choosing crummy passwords, or reusing one password for every account, both of which are horrible solutions to the problem. Many of us suggest password managers, which can be a great solution for a lot of people. But there's also those security practitioners who pooh-pooh this option because it's "imperfect" to have a single point of failure, or because sometimes password manager products have vulnerabilities, or whatever other frustrating reason.

While biometric authentication can certainly be circumvented, it beats the heck out of using a weak password, reusing a password, or using no password at all.

SMS for 2FA
We've all heard about the various ways that two-factor authentication (2FA) can be broken by a sufficiently determined adversary. That's something for security practitioners to be aware of, so we don't get complacent. But for the average person, a 99% success rate against account takeovers is really quite sufficient. We all need to be using 2FA wherever it's available, in the most secure form we can get. If that form is "just" SMS, it's a whole lot better than just using a username and password alone.

Legacy Security Products
Regardless of what operating system people are on, or what particular type of security product works best for their situation, everyone needs something that helps protect against malicious code. If I had a nickel for every time I heard someone say that "antivirus is dead" because it doesn't detect 100% of new attacks, I'd be having a very fancy lunch right now. I won't even get into the arguments over "next-gen" versus established anti-malware products, or the old trope that "Macs don't get malware," or instances where security products were found to have vulnerabilities.

Charging Cables
The caution against using someone else's charging cables came up again just recently. While I would probably still advise people against charging in any old charging station — particularly ones in public spaces — I wouldn't go so far as to say you should never borrow a charging cable at all. If you trust someone well enough to travel with them, or work with them or something along those lines, you should be OK if you borrow their charging cable.

Frequent Password Updating
"Passwords are like underwear. They should be kept private and changed frequently." I'm delighted to announce that we all need to stop using this underwear analogy. NIST announced two years ago that we need to move away from asking people to periodically change their passwords, or enforcing complexity requirements. While we're at it, can we also stop preventing people from copying and pasting passwords, too? I honestly don't know what threat this is supposed to prevent; in practical application, it only seems to prevent the use of password managers.

I suspect the instinct to tell people why they shouldn't use "imperfect" security practices is, at least in part, to demonstrate how l33t we are. But this practice is making the Internet a much less usable place, and we need to bring that to an end. People should use whatever methods allow them to move the needle toward a safer surfing experience meaningfully, given their own particular threat model.

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's top story: "Can the Girl Scouts Save the Moon from Cyberattack?"