Study: 'Security Fatigue' May Weaken Digital Defenses (albany.edu)
91 points by giuliomagnifico 11 days ago | 59 comments




I have seen this phenomenon especially at a couple of FAANGs over the past couple of years. Things are getting locked down so much, and so many special permissions are required that now people ask for permissions to systems or procedures preemptively. Because by the time they know if they will need it or not, it's too late.

And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.

arcfour 11 days ago

> And no one in the security business seems to consider the overall burden of yet another step. Each of which is simple by itself, but cumulatively they are a giant hassle, and so people look for workarounds.

This is certainly not true. I personally consider how much friction things introduce for users, things like normalizing having to reenter your password too much making phishing easier, and so on. It's well understood that you will get shadow IT, which is worse, if you make doing things the right way too difficult. I regularly advocate for streamlining processes and procedures, introducing more user-friendly systems, hosting office hours where the security team is available for any question or concern you have making us more available to the company, etc.

What's the issue? Well, for one, there's a ton of incompetent people in the field, so they'll just do whatever to make themselves look like they're working. Two, most security departments are criminally understaffed, so even if you have competent people they just have to put things together quickly and can't clean it up. Three, there's tons of idiotic regulatory and legal requirements that take forever to modernize. And finally, half of security is playing politics and arguing with the rest of the company, meaning that half the time the solutions you get are a slop of compromise with which nobody is happy.

TL;DR we aren't psychopaths without empathy, we struggle for the same reasons you developers have tech debt and other things that suck even though you would prefer not to.

mleon 11 days ago

The best security is security so good nobody notices it breaking.

Not really new. A long time ago I had to wait 2 months to have access to a shared folder on a development server.

It became so prevalent that whenever we were planning anything, if a task had to be done by someone outside of our team, we added 20 days.

Security through eternity, I guess?

basalt8 11 days ago

The "20 days buffer" heuristic is painfully accurate. On a project I worked on we eventually built a spreadsheet tracking which teams had which approval chains and estimated wait times, just to sequence work around the bottlenecks. At some point managing access became its own full-time job.

thin_bits 11 days ago

Preemptive permissions sound like rational adaptation, not failure. People gaming the system to stay ahead of it means the system is still being used - that's compliance, not fatigue. The problem you're describing is bad tooling UX, not too much security. Those are fixable separately.

dijit 11 days ago

That's part of why NIST updated their password rotation recommendations from 90 days to indefinite: people pay lip service to security if it is too inconvenient. You have to try to meet people where they are.

Preaching is not a strong motivator for long.


It's not just about "convenience", it is hard for the human mind to remember a truly random password. You can try all the mnemonic tricks you want but at the end of the day it requires a lot of time and repetition before entering the password is effortless. So what people do is create a stream of derivable passwords. For example, I can think of a phrase "I love beach balls bouncing on the ocean!" and then make a password "ilBBbotocean!" and when it comes time to change that password, I'll just add a number "ilBBbotocean!1". Studies have shown this is what people do. But it is easy for attackers to also derive these passwords once one password in the chain has been compromised.

The effect of that is that by requiring frequent rotation, the organization is effectively training their users to have a single permanent password and to never change it, even after a compromise. That's extremely harmful. At least with permanent passwords that are force-rotated after they show up in a database or there has been an incident, you have a much higher percentage of compliance with making new passwords, and the organization is safer because everyone isn't using passwords derived from the previous password.
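The "derivable password chain" the comment describes is the pattern a change-time policy check can catch. The following is an added example written for this thread, not code from the thread, from NIST or from any product: it rejects a candidate password that is a trivial edit of the one it replaces (a trailing counter, year or punctuation stripped, or a small edit distance between the stems) and a candidate that appears in a breach corpus, which is the event the comment says should trigger a forced change. The breach corpus, the `check_new_password` and `is_derived_from` helper names, the 12-character minimum and the 2-edit threshold are all constructed assumptions.

```python
"""Password-change policy check: rejects 'rotation by increment' and breached
passwords. Added example for this thread, not code from any project; the
breach corpus, helper names and thresholds are constructed assumptions."""
import hashlib
import re
from typing import List, Optional

# Constructed stand-in for a breached-password feed. Only SHA-1 digests are
# kept so the policy store never holds plaintexts; a real deployment would
# query a range/k-anonymity API instead of a local set.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest()
    for p in ("ilBBbotocean!", "Password1", "Summer2023!")  # constructed samples
}

# Trailing counters, years and punctuation are what users bolt on at each
# forced rotation ("ilBBbotocean!1", "Summer2024!"); strip them before comparing.
_ROTATION_SUFFIX = re.compile(r"[\d!@#$%^&*.\-_]+$")


def _normalize(pw: str) -> str:
    """Fold case and drop a trailing rotation suffix so variants collapse to a stem."""
    return _ROTATION_SUFFIX.sub("", pw).lower()


def _levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert/delete/substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_breached(pw: str) -> bool:
    """True if the exact password appears in the (constructed) breach corpus."""
    return hashlib.sha1(pw.encode("utf-8")).hexdigest() in _BREACHED_SHA1


def is_derived_from(new_pw: str, old_pw: str, max_edits: int = 2) -> bool:
    """True if new_pw is a trivial transformation of old_pw: same stem once the
    rotation suffix is removed, one stem inside the other, or a few edits apart."""
    n, o = _normalize(new_pw), _normalize(old_pw)
    if not n or not o:          # nothing left to compare (e.g. all digits)
        return False
    if n == o or n in o or o in n:
        return True
    return _levenshtein(n, o) <= max_edits


def check_new_password(new_pw: str, old_pw: Optional[str], min_len: int = 12) -> List[str]:
    """Return the list of policy violations for new_pw; an empty list means accept.
    old_pw is the password being replaced (None on first enrollment)."""
    reasons = []
    if len(new_pw) < min_len:
        reasons.append("too short")
    if is_breached(new_pw):
        reasons.append("appears in breach corpus")
    if old_pw is not None and is_derived_from(new_pw, old_pw):
        reasons.append("trivially derived from previous password")
    return reasons


if __name__ == "__main__":
    # The chain from the comment: the "changed" password is the old one plus a counter.
    for new, old in [("ilBBbotocean!1", "ilBBbotocean!"),
                     ("Summer2024!", "Summer2023!"),
                     ("correct horse battery staple", "ilBBbotocean!")]:
        print(f"{new!r} replacing {old!r}: {check_new_password(new, old) or 'accepted'}")
```

The stem comparison is deliberately loose: it is meant to stop the counter-increment habit the comment describes, not to judge strength, so a genuinely new passphrase passes even when the old one was weak, while a rotation suffix or a one-character tweak is rejected with a reason the user can act on.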

nvgrw 11 days ago

Every time I log into the FTB (CA tax authority) website I have to set a new password. I wish there were some affirmative guidance to stop doing this because at the moment governments still think forcing password changes makes it “safer”.

Most federal orgs still have 60 day password rotation requirements in place, even though NIST gave guidance almost 10 years ago not to do that.

What does that mean? Passwords are stored in text files accessible by admin only, and shared. And everyone is worse for it.

donatj 11 days ago

The level of lockdown in current years is wild. With our 2FA requirements and SSO, signing into GitHub every morning takes me something like eight clicks and a solid minute. Everything has gotten so locked down in recent years, people are working so hard to protect what are largely basic CRUD apps.

anon7000 11 days ago

Interesting, my company’s GitHub SSO works fine. They use Okta. The main account stays logged in, but the SSO account expires every day or so. But Okta Fastpass means the flow is “click login, click use fastpass, use fingerprint for Touch ID” and you’re golden.

jimbokun 11 days ago

That’s fine as long as you are kept logged in or at least have an abbreviated login process after successfully authenticating in the morning.

CRUD apps can contain very sensitive data, so not sure how that’s relevant.


Would have been less if GitHub had just allowed proper SSO instead of this hybrid account mixing.

I get that the hybrid method might be desirable for contractors or similar who have many hats, but for a regular employee it just adds friction for no benefit.


I think security became part of compliance so security recommendations got detached from actual security. It seems like a lot of security recommendations are just busy work that justifies having a huge compliance industry. So an example of this might be security scanners for code where the output is not even useful. But using the tool, which searches for irrelevant findings, is required for compliance even if it basically does nothing for security.

Who watches the compliance industry?

alang 11 days ago

There's decent evidence for this — the term "security theater" predates compliance culture, but compliance did seem to accelerate the decoupling you're describing. The research on this calls it "checkbox security." The trouble is even practitioners can't always distinguish genuinely useful controls from cargo-culted ones, so the whole stack ends up treated with the same skepticism.

Every time I see the term “SSO” I want to vomit. That does not exist any more. On my projects, there are literally dozens of systems each with their own siloed authentication systems. Just to throw out some of what I deal with: OKTA, MFA, MS 365, AWS, PIV/CACI, YubiKey, proprietary user name/passwords, IAM, OAuth, federated identity services, RSA, just off the top of my head. My single biggest fear is losing some or all of my credentials in some catastrophe, so I keep my credentials in multiple places, including on my own phone, and everyone else I know does the same thing. I have tried using password managers but one time my password database got corrupted and I lost everything, so now I just use plain text files - all of which is behind locked systems anyway (including my own phone). It’s maddening.

My Steam password is one short weird phrase that I can remember. I haven't changed it since high school, ~15 years ago. Never had any security issues.

The modern landscape is frustrating because that setup actually works. Passwords, from a technical perspective, are actually great and are bulletproof as long as they don't leak. No 2FA required. The entire issue is data leaks and phishing.


This is a much bigger problem than just security.

Incidents are inevitable at scale, but risk management at scale is an append-only operation that eventually becomes so complex and suffocating the only recourse is noncompliance.

Even going to the doctor I find myself pleading with the staff to just let me see my PCP instead of going through the full process. It takes 30 minutes now to get through the opening interrogation about overseas travel, human trafficking, vaccine awareness, anxiety and depression panels, domestic violence questions, multi-part questions about recent falls, and everything else that they keep tacking on. Usually in triplicate, waiting room forms, questions from the nurse, questions from the doctor.

And I know behind each of these individual decisions there is a horror story or someone proactively trying to prevent one, but altogether they create their own.

kstenerud 11 days ago

And now we're at the threshold of the next level of security fatigue: permission fatigue.

It's shocking how little people are paying attention to this upcoming security nightmare. It wouldn't take much for a bad actor to poison an AI session to wait for you to start selecting yes, yes, yes and then slip in something bad.

gz5 11 days ago

Absolutely. Easier said than done, but the best security is structural security - as near to invisible for end users as possible. This needs to be the goal, imo, even if not fully achievable.

ctxc 11 days ago

Fairly obvious? Or isn't it that way for everyone?

Lerc 11 days ago

Very obvious, but things that seem obvious might not actually be true. It is worth verifying.

Getting organisations to act on the obvious if it requires changing is harder than you might think. Having research to point to and saying you are doing the wrong thing and now you've been told is like turning the lights on and off really quickly and moaning "Liability" in a spooky voice.

ctxc 11 days ago

Fair enough. I had a hard time advocating for good password flows because "standards" said frequent rotation etc.

And tbh when you apply those standards with context and are faced with people bare-minimum pointing at the standards, you sometimes come off as less knowledgeable - such is the authority of research/standards.

Anyway, I skimmed your profile and learnt a new word, milquetoast - so thanks for that!


Nice to see SUNY Albany on here!

kotaKat 11 days ago

At some point I need to ask Corporate IT for my justification logs for every elevation request. I'm certainly sure I've submitted at least a couple hundred "because I said so"s and at least three Bee Movie scripts.

scuff3d 11 days ago

Was talking with someone about this yesterday. From cold start, for me to get to the VM I do my actual work on I have to

1. Enter a password to decrypt the computer

2. Enter a username and password to log into my account

3. Enter another set of credentials to access the corporate VPN

4. Enter another username and password to access the network the VM is on

5. Enter another username and password to get to the actual machine

6. And then navigate a nest of authorization for docker/git/etc to actually do anything useful

BoneShard 11 days ago

Amateurs. Where is a JIT portal - to raise a ticket in order to access prod VMs?

The number of times I have to "single sign on" is truly maddening.

At least you can tick the "stay signed in" checkbox and... get kicked out a few hours later with a smug "you successfully signed out" message.

Who could have guessed bombarding users with 2FA, 3FA, MFA requests to their phone 20 times a day would cause fatigue!

Some personal highlights spread across multiple jobs:

- IT decided they'd make some awful SharePoint page the browser homepage for Chrome via group policy. That page required you to login to your Microsoft account. If it was a Monday morning you'd have to authenticate via SMS just to see your homepage, or, what I did usually was ignore it. Every time I opened a new browser tab I'd get a new SMS. This went on for weeks at a time, maybe 50 SMS per day, out of spite. Eventually they disabled that crap. Anyone that deals with Microsoft logins knows that "Remember me" is almost totally a fake option that does nothing on purpose. [1]

- VPN that requires logging into your Microsoft account, which then sends you a notification to Microsoft Authenticator app, which requires a face scan, followed by typing in a code, followed by another face scan. At no point in the design process of that did someone think typing the code was redundant.

- Despite being a software engineer, able to produce executable binaries at will, which all seem to be trusted by our security software, I still need to talk to IT maybe 5 times a month to get <very popular well known widespread development tool> approved by the security software.

- Bonus points for the previous one, I often need to manually provide the exact DLLs used by the above. Every update means new file hashes, meaning repeating it all over again.

- Local admin rights to my work machine and yet for whatever reason IT make us type a password to open Windows Task Manager.

- Telling us all they have bought Copilot licenses we should use, only for IT to ring you almost immediately after using it because their corpo-garbage firewall starts throwing a fit about Copilot's requests to github.com, despite us already using GitHub.

[1]: https://www.bbc.com/future/article/20150415-the-buttons-that...


> approved by the security software.

lol, had this moment with netcat (because it can be used by haxorz!111)


Just get off as many of these platforms as you can. That’s about the only security that you’ll ever get. If you are still in the Matrix, listen to the weirdos on here that take “don’t trust anything” seriously to the point of absurdity.

The Matrix was not fiction. Our modern internet is a system. You have to figure out how to live truly free from it, because it absolutely owns you.

__

Revelation 13:16–17

“And he causeth all, both small and great, rich and poor, free and bond, to receive a mark in their right hand, or in their foreheads: And that no man might buy or sell, save he that had the mark…”

davidgard 11 days ago

Saw this exact cycle play out at Sun in the early 2000s. Mandatory password changes every 30 days, badge readers on every door. Within six months everyone had passwords on sticky notes and propped doors with chairs. Security theater breeds workarounds.