peanut-walrus | 3 months ago
For 5 - session cookies are one of the main things stealers look for. Deleting cookies is absolutely good advice until browsers build in better mitigations against cookie theft.
For 6 - if there was a standard interface how password managers could rotate my creds, I would sure as hell use it. Force rotating passwords is only "bad" if people need to remember them. Any random credentials stored in a vault absolutely should be rotated periodically, there is no reason not to.
I don't see the point of this letter; none of the "bad" advice they call out is harmful to security in any way. If people feel safer avoiding public Wi-Fi, so be it. Is it just a call-out to other CISOs to update their security hygiene PowerPoints?
NegativeK | 3 months ago
> This kind of advice is well-intentioned but misleading. It consumes the limited time people have to protect themselves and diverts attention from actions that truly reduce the likelihood and impact of real compromises.
When you've got 15 seconds to _maybe_ get someone to change their behavior for the better, you need to discard everything that's not essential and stay very, very far away from "yes, but" in your explanations.