bawolff · a year ago
> Password Reuse: 49% of respondents use the same login credentials for multiple work applications, and 36% use the same credentials for personal and professional accounts.

If your company has multiple things you need to log in to, it's doing something wrong. Having a company-wide single login system is really critical for good security.

> 30% of employees share their workplace passwords with colleagues, effectively nullifying the protections offered by unique credentials or MFA.

This also suggests something is set up wrong in the company (lack of giving people correct access?). Normally sharing passwords should be harder than not sharing, if you have to log out of a global account to log in as another one.

Security is all about incentives. If employees are incentivized to act insecurely, they will. It's not the employees' fault, it's the people who set up the system in such a way that encourages people to act insecurely. Good security is all about aligning incentives to control risk.

moooo99 · a year ago
> If your company has multiple things you need to log in to, it's doing something wrong. Having a company-wide single login system is really critical for good security.

It absolutely is, but it is only applicable to large corporations and won't help any SMBs. The issue is that this functionality via LDAP/SAML/OIDC is frequently locked behind enterprise subscription tiers that usually represent an extremely high markup over other paid tiers.

Even in larger corporations, it is often not possible to have SSO everywhere. We have multiple "shadow IT" subscriptions for services that only our team uses. Most of them don't offer SSO functionality, and even for those that do, a user base of 5 people is not going to be sufficient to have someone from the responsible departments deal with it. So we have passwords.

methou · a year ago
FreeIPA and Authentik work pretty well for me; I did some of this for myself with Terraform for fun. Personally I don't think it's viable for an SMB that can't hire a couple of sysadmins.

But the documentation for FreeIPA is especially good. Personally I wouldn't use Samba as a Windows DC, but one legacy Windows Server license seems reasonable if you have a few hundred employees.

In a previous job we've done Windows DC + Azure AD + FreeIPA + FreeRADIUS just fine; the entire setup is not super complicated, but still a headache. I think nowadays most of the things can be terraformed, so it could be easier and more scalable for growing SMBs.

jjav · a year ago
> If your company has multiple things you need to log in to, it's doing something wrong.

It is inevitable. The SSO tax is often very high and for some products very difficult to justify. And then of course the large tail of smaller vendors that just don't support any SSO period.

> Normally sharing passwords should be harder than not sharing

Talk to marketing, they all share passwords to all the company media accounts because it is often the only way, those vendors don't support anything else.

turbojet1321 · a year ago
> If your company has multiple things you need to log in to, it's doing something wrong.

How does that work for privileged accounts?

cmckn · a year ago
Kind of like sudo. Your individual identity is allowed to assume the privileged identity after providing an additional factor/justification (and your access has a TTL).

sandworm101 · a year ago
Maybe if you work at a unitary company with a narrow scope of work. If you have to login to external systems belonging to other organizations, or have terminals for external systems in your facility, unitary identity is not an option.

strken · a year ago
Having a centrally administered password manager is usually an option, unless there are regulatory reasons not to.

throwawayian · a year ago
You don’t work in IT.

Unless you’re paying for Okta and Office365 and Workspace, you’re only getting maybe 70% of systems _you know about_.

And don’t get me started on automated provisioning or deprovisioning.

GoblinSlayer · a year ago
>36% use the same credentials for personal and professional accounts

Does Big Tech even allow multiple accounts? When WhatsApp asks for a phone number to register, what do you type?

paxys · a year ago
I work at a large software company and recently documented the number of steps it takes me every morning to fully log into every system I need for work. I stopped at 37.

And every year in response to all the breaches in the news the company spends more money to hire another security team who simply pile on another redundant layer on top.

The industry has jumped the shark when it comes to IT security. It's the corporate equivalent of spending tens of billions of dollars on the TSA and making everyone take their shoes off at the airport. Meanwhile someone with intent can stroll into JFK, casually bypass all security checkpoints and get on a plane to Paris without a boarding pass.

tstrimple · a year ago
I work for a large consulting company (300k+ employees globally) and 99% of our internal resources are all secured by Ping. One identity and MFA app. SSO between just about everything. The client I'm currently working for with that company has all of their auth handled by Entra. All their internal docs, their Azure subscriptions, their GitHub repos. All the same user identity. Shit IT isn't inevitable. It's a decision, or often lack of a decision and result of "organic" growth.

epiecs · a year ago
Same here. We had a very fragmented landscape (multiple IdP tools, some tools using internal users, ...). We consolidated everything to Entra (450 apps and counting) and everybody couldn't be happier. Full SSO on everything + SCIM where available.

We do of course have conditional access + PIM for admins but that is to be expected.

You just need a good strategy on how you are going to tackle IAM and then just stick to it.
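As an added illustration (not code from any commenter, and not Ping's, Entra's or PIM's implementation), the following Python models the sudo-like elevation cmckn describes above, which is also the shape of the PIM-for-admins setup epiecs mentions: the standing identity has no admin rights, a privileged role is activated only after a second factor and a written justification, and the grant lapses after a TTL. The eligibility table, role names, clock values and the MFA result are constructed inputs.

```python
"""Toy just-in-time (JIT) privilege broker: no standing admin rights,
time-boxed activation gated on a second factor and a justification.
Everything here (users, roles, clock) is constructed for illustration."""
from dataclasses import dataclass, field
import time
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Grant:
    user: str
    role: str
    justification: str
    expires_at: float          # absolute time in seconds


@dataclass
class JitBroker:
    eligible: Dict[str, Set[str]]                    # constructed policy: user -> roles they may activate
    ttl_seconds: int = 3600                          # how long an activation lasts
    min_justification: int = 10                      # reject empty or one-word reasons
    _grants: Dict[Tuple[str, str], Grant] = field(default_factory=dict)
    audit: List[Tuple[str, str, str, str]] = field(default_factory=list)

    def activate(self, user: str, role: str, mfa_ok: bool,
                 justification: str, now: Optional[float] = None) -> Optional[Grant]:
        """Return a Grant, or None (with an audit record) if any gate fails."""
        now = time.time() if now is None else now
        if role not in self.eligible.get(user, set()):
            self.audit.append(("deny", user, role, "not eligible for role"))
            return None
        if not mfa_ok:                               # the "additional factor"
            self.audit.append(("deny", user, role, "second factor failed"))
            return None
        if len(justification.strip()) < self.min_justification:
            self.audit.append(("deny", user, role, "justification too short"))
            return None
        grant = Grant(user, role, justification.strip(), now + self.ttl_seconds)
        self._grants[(user, role)] = grant
        self.audit.append(("activate", user, role, grant.justification))
        return grant

    def is_active(self, user: str, role: str, now: Optional[float] = None) -> bool:
        """Checked at use time, so a lapsed grant is refused even if the
        session that activated it is still open."""
        now = time.time() if now is None else now
        grant = self._grants.get((user, role))
        if grant is None:
            return False
        if now >= grant.expires_at:
            del self._grants[(user, role)]
            self.audit.append(("expire", user, role, ""))
            return False
        return True


def demo() -> List[Tuple[str, str, str, str]]:
    """One elevation lifecycle on a constructed clock; returns the audit trail."""
    broker = JitBroker(eligible={"alice": {"prod-admin"}}, ttl_seconds=3600)
    t0 = 1_700_000_000.0
    broker.activate("alice", "prod-admin", mfa_ok=False,
                    justification="INC-1234 rotate db creds", now=t0)   # denied
    broker.activate("alice", "prod-admin", mfa_ok=True,
                    justification="INC-1234 rotate db creds", now=t0)   # granted
    broker.is_active("alice", "prod-admin", now=t0 + 1800)              # inside TTL
    broker.is_active("alice", "prod-admin", now=t0 + 3600)              # lapsed
    return broker.audit


if __name__ == "__main__":
    for event in demo():
        print(event)
```

The audit list is the point of the design: every denial, activation and expiry is a record a detection team can alert on (for instance an activation without a ticket reference, or repeated denials for a role a user is not eligible for), which is what makes this cheaper to monitor than shared always-on admin accounts.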

archi42 · a year ago
That's security theater. Some decision makers want to "see" it's secure, so that's what some "security" people sell. If I were consulting for your employer, I'd tell them that's insane and that they will only push people to circumvent security instead of embracing it.

Others made good points, a decent SSO is the way to go.

(Ironically we also have an internal system that's equally degenerate and mostly a shitload of useless theater; it's secure of course, but there are a few pointless layers stacked on top of what makes it actually secure)

MattPalmer1086 · a year ago
Why is the company hiring a new security team each year? Where is the ownership and strategic thinking?

Sounds like your organisation is extremely dysfunctional, and the ridiculous security you have is a symptom of that. None of that is inevitable.

mikeyouse · a year ago
Nor is it uncommon though. That description sounds very familiar.

hedora · a year ago
Security is usually defined as confidentiality, integrity and availability. (Not in order of importance, just to spell “CIA”).

If it takes that long to log in, the system is not available, and therefore insecure. Full stop. The security team responsible for that setup should be fired.

In related news, I’ve been watching old murder mysteries from the ‘60s.

Typical plot points include the fact that you can decide to fly from Los Angeles and arrive anywhere on the west coast within 2-3 hours because the planes leave every 30 minutes.

Why wouldn’t you just walk up to the gate and buy a ticket?

Why do we put up with this TSA bullshit?

ars · a year ago
This skipped the main reason employees do this: The cybersecurity measures are widely perceived as "security theater", rather than anything that actually enhances security.

Logging me out of an application, where a re-login requires nothing more than a click, is a stupid thing to do. Blocking outgoing (not incoming) ssh is silly when I have outgoing http. Requiring MFA multiple times a day on a work computer that is already secure is overdoing it.

jillesvangurp · a year ago
Mostly corporate security is about ass coverage, not about prevention of problems. Though that can be a useful side effect. Ass coverage is about legal liability. If something bad happens, can I wash my hands in innocence and not suffer consequences (financial, legal, etc.)? If "no", take measures until you can because this could get very expensive.

Then the next question is "whose ass". Answer: literally anyone: service providers, your head of IT (who might get fired), your head of sales (who might have to explain to customer lawyers why their data leaked), the CEO, etc. They don't want to be on the spot for your mistakes. For public companies this is worse because now you have publicly traded shares in a very litigious environment with people looking for weaknesses that can be exploited to squeeze money out of any situation. And of course some of the tools in this space are made by publicly traded companies too.

The easiest way to deal with security is applying a shotgun approach of applying any kind of stuff that is vaguely understood to maybe work. The actual effectiveness of these things is beside the point and of course much of it is snake oil. The point is that there are policies and they are being enforced. The more visible and annoying this is, the more effective it is in case of trouble as a means to say "well it wasn't my fault because we did X, Y, and Z".

And of course a secondary effect of putting people on the job of securing a thing is that they will get busy doing their job to justify their existence. Which usually means a whole bunch of policy documents get written, tools get selected (preferably ones with big shiny reputations), and a lot of complexity gets introduced. There will be audits, consultants being consulted, chins being stroked, and a lot of money changing hands all for the assertion that "your ass is covered!" and by extension "theirs" as well. There are whole meta levels of ass coverage here.

That's why security theater is a thing. Because there is a large audience of people that all need to be re-assured about having suitable amounts of ass coverage.

aulin · a year ago
I always assumed they block everything they cannot spy on; it's not for security. With HTTPS they inject their certificates; with ssh you can have your own key and they'll be blind. And they spy to prevent exfiltration, they say. I cannot ssh into my home network but I can drop tons of company code into an LLM prompt.

Everything else, MFA, password rotations, approved software, stupid training videos... is all there to tick some boxes in a certification process or to easily shift the blame when something bad happens.

ars · a year ago
You can just encrypt your stuff and upload it via http. You can even run ssh over http if you work at it.

Encryption is as easy as using zip. And if you uploaded a very large file, they can't realistically log it - so you could even upload it in the clear and it won't be caught unless they are specifically looking.

necovek · a year ago
Because of MITM-ing TLS with their own certificates, they could also stop you from dumping tons of code into an LLM prompt by blocking all public LLMs (or even all sites not on an allowlist).

The reason it's silly is really that you can always take "secrets" with you, be it by taking photos with your phone ("let's ban phones") or memorizing or writing on paper. Security is useful when it prevents accidental, inadvertent leakage of information ("stop me from shooting myself in the foot"). Anything else, and the inconvenience will make people figure out ways around it.

And the real reason people won't leak information is either ethics and morality, or legal liability.

justahuman74 · a year ago
> Employees often view security protocols as cumbersome. Long, complex passwords, frequent logins and multi-step authentication can feel like barriers to productivity.

This resonates. Juggling Okta and 1P a few times a day is a drag

sverhagen · a year ago
Yes, everything is downhill from the convenience. It's the most basic of things: if there's friction or obstacles, people will go around. And, boy, do companies put up some obstacles:

Does your Intranet site not work with my password manager? Do I have to carry a hardware token generator with me, everywhere I go? Do I need to use an arcane VPN technology to get to your company-approved tool? Are you still making me rotate passwords every six weeks? Are you still making me use bad p@ssword$123 with outdated password policies? Are you logging me out of email every four hours to cycle me through the multi-step login process, even though I'm on a secured-by-you company device?

bawolff · a year ago
I think in the security industry, password complexity requirements and frequent re-logging in have been considered bad practices for a while now. Alas they are still seen in places.

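To make the contrast concrete, here is an added example (not code from any commenter or from any vendor the thread names) that puts a legacy composition-rule validator of the "p@ssword$123" kind sverhagen complains about next to a NIST SP 800-63B style check: length bounds, a breached-password blocklist, rejection of contextual words, no character-class rules and no scheduled rotation. The blocklist is a constructed sample, and the 12-character minimum is this example's choice rather than a figure from the thread.

```python
"""Legacy composition rules versus a NIST SP 800-63B style password check.
The breached-password set below is a constructed sample; a real deployment
would use a full corpus or a k-anonymity range lookup."""
import re
import unicodedata
from typing import Iterable, Tuple

# Legacy policy: eight or more characters and one from each character class.
LEGACY_CLASSES = [re.compile(r"[A-Z]"), re.compile(r"[a-z]"),
                  re.compile(r"[0-9]"), re.compile(r"[^A-Za-z0-9]")]


def legacy_accepts(pw: str) -> bool:
    """Accepts 'P@ssword$123' and rejects a long passphrase: the policy the
    thread is complaining about."""
    return len(pw) >= 8 and all(cls.search(pw) for cls in LEGACY_CLASSES)


# Constructed sample blocklist, stored lower-case and NFKC-normalised.
BREACHED = {"password", "p@ssword$123", "welcome1", "summer2024!", "letmein"}


def modern_check(pw: str, context: Iterable[str] = (),
                 min_len: int = 12, max_len: int = 64) -> Tuple[bool, str]:
    """NIST-style check. Only length, a blocklist and contextual words are
    enforced; no composition rules and no periodic rotation (rotate on
    evidence of compromise instead). Returns (accepted, reason)."""
    normalised = unicodedata.normalize("NFKC", pw)   # compare Unicode consistently
    if len(normalised) < min_len:
        return False, "too short"
    if len(normalised) > max_len:                    # allow long passphrases, but bound hashing cost
        return False, "too long"
    folded = normalised.casefold()
    if folded in BREACHED:
        return False, "in breached-password list"
    for word in context:                             # username, company name, service name
        w = word.casefold()
        if len(w) >= 3 and w in folded:
            return False, f"contains contextual word {word!r}"
    if len(set(folded)) < 4:                         # 'aaaaaaaaaaaa' and similar
        return False, "repetitive"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("P@ssword$123", "correct horse battery staple", "Tr0ub4dor&3"):
        print(f"{candidate!r}: legacy={legacy_accepts(candidate)} modern={modern_check(candidate)}")
```

The two validators disagree in both directions: the legacy rules wave through a password that is on the blocklist because it has the right mix of classes, and reject a long lower-case passphrase that the modern check accepts. That asymmetry is why composition rules and forced rotation push users toward predictable patterns rather than away from them.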
masklinn · a year ago
> frequent re-logging

We recently had to add that for $bigco requirements at $dayjob, I was stunned: they asked to log people out after — IIRC — 1h inactivity.

GoblinSlayer · a year ago
Famously, Jira.

totallykvothe · a year ago
Obviously. The processes for getting an official exception to cybersecurity practices for a legitimate reason are always slow and agonizing, and the people on the other end are incompetent and condescending.

jknoepfler · a year ago
Why would you make such a blanket generalization? The security team where I work is comprised of competent professionals and generally nice people to boot. Our CISO is a great guy to have a beer with. We've had our disagreements, but they've been of the "smart people championing conflicting business values having a reasonable discussion" variety.

M95D · a year ago
They're all great guys with each other.

Do a test. Go to a distant office and call IT pretending to be the person who works in that office, with his/her cooperation. See how fast the problem is solved and how you are treated.

necovek · a year ago
And that still leaves someone not being able to do their job for a number of hours or a number of days while those "reasonable discussions" are ongoing.

It is a hard problem, and the implied solution of "be even more restrictive" is only going to make matters worse.

sitkack · a year ago
When I was at MS, I wrote a detailed guide on how to trick the central IT system into thinking that your machine had the antivirus software running when it did not. It eventually, years later, got forwarded back to me as some sort of underground currency (with my authorship removed).

tstrimple · a year ago
I was reasonably impressed by MSFT IT when I worked there. I was primarily a BYOD Mac user and only had to deal with IT two to three times over the course of 8 years. I took it for granted at the time because I came from the startup world where you're basically your own IT person. But other large companies after Microsoft clearly demonstrated to me that Microsoft is on top of their shit and the average is fucking terrible.

sitkack · a year ago
This was in the 90s; other than the AV issue, they got high marks from me. I even had a Linux and a FreeBSD machine running attached to the corp net with no issues, they did not touch MS infra. The average is indeed terrible.

botanicals6 · a year ago
AviD's Rule of Usability: "Security at the expense of usability, comes at the expense of security."

Security companies should have more focus on the usability aspect of their product. Some of the enterprise products you see today are just plain bad in terms of UX/UI, and funnily enough, they aren't getting called out since they're only used in the workplace/closed groups.

cybercatgurrl · a year ago
this is why i have a problem with Flatpaks. i've tried using an immutable distro with Flatpaks and it's made me want to disable every Flatpak security measure because it's even harsher and less usable than macOS's sandboxing. i don't know what their goal is but it's definitely not usable if i can't connect 1Password to my browser or i struggle to get Steam to access another drive

blablabla123 · a year ago
Yeah there's a certain amount of effort most people are willing to put in to do something. If it's too high, it won't happen. Yet at the same time a certain baseline is needed to not end up being low hanging fruit for attackers.

I've also seen this, especially in security tools. The usability is often straight out of the 90s which keeps me wondering, who uses this voluntarily?

m463 · a year ago
It is always: security = 1/convenience

And there are lots of confounding factors.

Staying up-to-date with security updates might also mean you get breaking updates, or updates that have counterproductive changes, or downgrade your capabilities or privacy. And why do updates take so long to apply?

Also password re-use? SSO can fix this. (But if you have to automate things, companies have a varied track record on credentials.)