Passwords – Security Theatre

I thought I was done with passwords, you thought I was done with passwords, but what do you know, I wasn’t, having personally suffered some security theatre!

Security Theatre

I am not sure where I first heard the term used, but let me quote Bruce Schneier on what it means:

“Security theater refers to security measures that make people feel more secure without doing anything to actually improve their security.” (Schneier, 2009)

I am not going to debate the serious security steps Schneier talks about in his article, many of which address the previous tactics used by threat actors, not the next ones they will deploy. The bottom line with security theatre is that it may not be a real security step, but it makes people feel better because they see and feel a positive step towards their safety.

Which is not a bad move, unless that theatre undermines their real security.

Security Theatre and the Password

Which brings me to my recent experience of security theatre and how it could impact you and your organisation’s cyber security.

The Scenario

I have a NAS box on my home – not office – network and on it I store some music. Obviously I practise what I preach about passwords and MFA*. That means my password for the device is long enough that it would take a significant improvement in computing power for my password to be brute forced before the heat death of the universe (a term often used to illustrate the strength of a password!).

What I wanted to do was connect the music on my NAS to a very popular open-source media player app (which uses a distinctive orange colour scheme). It should not have been an issue. I copied my NAS password from the secure storage and tried to paste it into the box – but I couldn’t. After several attempts I realised that, to make me feel confident in their app’s cyber security, the developer had disabled the paste command in the dialogue box.


No copy and paste here – type in your password!

The Consequences of Security Theatre

In my case, I did not try to type in my password; life is too short for that. Instead, being a geek, I found another solution using another, more secure app. Of course, another knock-on effect was that I get to write about security theatre.

For other, less technical or cyber-aware users, the temptation would be to reduce the effectiveness of their current password, creating something easier, shorter, and simpler so it could be typed in. If you have been reading this mini-series on passwords, you now understand the consequences of that.

Next…

… one more thing about security theatre and how it could impact your organisation’s cyber security.


Clive Catton MSc (Cyber Security)

p.s. The credentials shown in the login screen above are fictitious – obviously.

References

Schneier, B. (2009). Beyond Security Theater. Schneier on security. https://www.schneier.com/blog/archives/2009/11/beyond_security.html

* MFA – multi-factor authentication.

Further Reading

Back to Basics – Passwords

Passwords – Back to Basics

Back to Basics – The Password Part 2

Back to Basics – The Password Keyboard Walk Part 3

Back to Basics – Password Sharing Part 4

Back to Basics Your Password the Finale Part 5

Back to Basics – One more thing about your passwords Part 6

Featured Photo by Monica Silvestre