We preach security best practices all day long, but we fail to realize how totally inaccessible our advice can be to those without a foundational understanding of technology. 1/12
I just helped my neighbor set up a Roku. They are an older couple that has never worked in tech-centric jobs. To them, using the Internet on their PC is still new and confusing. 2/12
They have a notebook with all of their accounts and passwords written down, but it is a confusing mess. They don't really understand the concept of "accounts" very well, and keeping passwords updated in the book is a real challenge for them. 3/12
To them, just using unique passwords, let alone special characters and a mix of capital and lowercase letters, is a liability that will make it too hard to manage and type their passwords correctly. Usability can't trump security, right? 4/12
Passphrases can help, but when dealing with folks that have trouble remembering what their Google account is in the first place, we have to remember how far we have to go still. 5/12
We think that recommending password managers will solve this problem, but for non-technical folks, a password manager can be a complex tool to use with a steep learning curve and admittedly, somewhat poor UX for non-techies. 6/12
I helped them get their Roku set up, but in the time I had with them, going into security awareness training wasn't in the cards today. 7/12
I had to recognize that recommending they go and change all of their passwords was going to be an insurmountable task for them without quite a bit of guidance and hand-holding. I can just see them locked out of every important account. 8/12
Before they can do that, they need a better way to generate and manage their new passwords. A password manager will require significant training and onboarding, as well as ongoing support. 9/12
I fear that a paper-based solution may be the best way to help them make a meaningful change that they can understand and actually use. 10/12
And MFA... How to get MFA worked into their process affordably and safely, without the risk of locking themselves out of everything? 11/12
It is heartbreaking, and we have a long way to go as an industry. 12/12