So I was watching my Twitters earlier this week and someone shone me the proverbial Bat Light (which usually takes the form of “wow, look at this terrible security posture, cc @troyhunt”) at a tweet from Virgin Media in the UK where they attempted to justify a 10 character password limit:
“For the vast majority of users, simplicity is better which is why we've set the limitations where we have.”
Which is clearly terrible advice. I’d even go so far as to say it’s almost unbelievable, especially in an era where password guidance is now pretty explicit about these things, with even the UK gov frowning upon practices like this. But hey, I’ve seen stranger things on the web.
A few days later, it was @PoIiceScotIand’s turn where they clumsily berated the value proposition of HTTPS outside of use cases which involve passwords or credit cards (a tweet that has since been deleted). This is by no means a new misunderstanding, indeed it’s one that happens time and time again. Many people are unaware of the value proposition of HTTPS nor do they realise that as of October, life is going to get increasingly difficult for websites without it. But as with Virgin Media, it was just another day on the internet.
Until people began pointing out that @PoIiceScotIand is not @PoliceScotland and in case that reads strangely, it’s only when you look at the account URL of the former with everything represented in lowercase that it actually makes sense: https://twitter.com/poiicescotiand/
The original tweeter is a parody account, although unfortunately bereft of a clear explanation of that fact yet replete with official police logo and identical account description, bar the first 2 characters. A penchant for impersonating the official police account whilst replying to people who were attempting to communicate with the real cops didn’t make things any less confusing. (Incidentally, several people subsequently pointed out that impersonating a police officer generally isn’t received real well.)
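One defender-side check the above suggests, as an added example that is not from the post: fold visually confusable characters (capital I and lowercase l being the relevant pair here) to a common skeleton and compare handles against a list of trusted accounts. The confusables table is an assumption, a small ASCII subset rather than the full Unicode confusables list.

```python
"""Flag social-media handles that look like an existing trusted handle.

Constructed example: folds visually confusable ASCII characters (capital I
and lowercase l, capital O and digit 0, etc.) to one canonical form so that
"PoIiceScotIand" collapses to the same key as "PoliceScotland".
"""

# Characters that render near-identically in many sans-serif fonts.
# Assumption: a common ASCII subset; extend with Unicode homoglyphs as needed.
CONFUSABLES = {
    "I": "l",   # capital i vs lowercase L (the pair used in the fake account)
    "1": "l",   # digit one
    "|": "l",
    "0": "o",   # zero vs letter o
    "O": "o",
    "5": "s",
    "$": "s",
    "rn": "m",  # 'rn' can read as 'm'
    "vv": "w",
}

def skeleton(handle: str) -> str:
    """Return a canonical 'skeleton' of a handle for lookalike comparison."""
    h = handle.lstrip("@")
    # Multi-character confusables first so "rn" is folded before single chars.
    for src, dst in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        h = h.replace(src, dst)
    return h.lower()

def lookalike(candidate: str, trusted: str) -> bool:
    """True when candidate differs from trusted but collapses to the same skeleton."""
    if candidate.lstrip("@").lower() == trusted.lstrip("@").lower():
        return False  # same handle (case-insensitive), not an impersonation
    return skeleton(candidate) == skeleton(trusted)

def flag_impersonators(handles, trusted_handles):
    """Return (handle, trusted) pairs for every handle that mimics a trusted one."""
    return [(h, t) for h in handles for t in trusted_handles if lookalike(h, t)]

if __name__ == "__main__":
    # Constructed sample: one real handle, one parody, one digit-based variant.
    print(flag_impersonators(["troyhunt", "PoIiceScotIand", "Po1iceScot1and"],
                             ["PoliceScotland"]))
```

Running this over the account names seen above flags the parody handle while leaving the genuine one alone; a real deployment would also want the Unicode confusables data, since the same trick works with non-ASCII lookalikes.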
But here’s the point and it’s really not about a fake police account alone: we’ve gotten to the stage with security now where I genuinely have no idea whether a story is legit or not. People have always fabricated stories, nothing new there; rather, the security landscape has gotten so weird that the truth is often stranger than fiction.
A little while back I wrote the Here, hold my beer… post that highlighted many of the ridiculous things that have become the norm. Sites putting passwords in cookies for the “remember me” feature, a company logging a bug report with Mozilla because Firefox now shames logins with no HTTPS, a security question that was simply “What’s the capital of California” and much, much more.
Whilst we’re clearly in an era where “fake news” is a real thing and we’re all pretty unhappy about that, it’s not the fake security reports I’m worried about, rather it’s the fact that the real ones show we’re in some serious dire straits. And as for @PoIiceScotIand, I suspect they may be well on their way to a call from @PoliceScotland.