Security superstition/Security theater

Security theater is a rule requiring you to take off your shoes when you get to the airport. It doesn’t actually catch anyone, it simply makes people feel more secure, and it allows those in charge to feel like they’re doing something. Mostly, it’s a demonstration of power and authority, not a practical measure.

And security superstition involves putting security measures in place on a hunch, or because others are doing it.

This alert from a website run by Thomson Reuters manages to do both:

This is malpractice. No, it’s not a doctor giving you the wrong medicine, but it’s definitely someone who should know better making an error that will cost countless users a lot of time and money.

Long passwords work better than short ones. But impossible-to-remember passwords get written on post-its by people who haven’t yet realized that they need a password manager. Having people change their passwords often simply creates more post-its. Insisting on arcane rules is nothing but theater plus superstition.

The theater and the superstition compound, creating mountains of cruft, layers and layers of misunderstood but accepted practices that waste our time and make our systems less secure, precisely the opposite of what’s intended.

Software runs our world. Building insecure, difficult-to-use and frustrating software and then forcing people to use it is easily avoided. But it requires leadership and insight, not mindless superstition.