The trouble with publishing best practices is it’s a blueprint for how to break in, like publishing a map to your house with all the locks and cameras labelled. If you establish that 2 factor authentication is required, with SHA256 encryption and passwords at least 16 characters, numbers, upper and lower case, and special characters, changed every six months, then the hackers know what they need. They need to spoof someone’s cell phone, they know how long it takes to decrypt sha256, and they know if your password was FuckingBullsh1tsecurity!3 two years ago, it’s probably FuckingBullsh1tsecurity!7 today.
Sorry but that’s not how computing best practices and computer security work. We’re far beyond “security through obscurity”. Security now works on encryption schemes which are highly publicized and vetted by multiple parties. That goes in combination with protecting through policy like access controls, endpoint protection and monitoring, and security training.
The trouble with publishing best practices is it’s a blueprint for how to break in, like publishing a map to your house with all the locks and cameras labelled. If you establish that 2 factor authentication is required, with SHA256 encryption and passwords at least 16 characters, numbers, upper and lower case, and special characters, changed every six months, then the hackers know what they need. They need to spoof someone’s cell phone, they know how long it takes to decrypt sha256, and they know if your password was FuckingBullsh1tsecurity!3 two years ago, it’s probably FuckingBullsh1tsecurity!7 today.
Sorry but that’s not how computing best practices and computer security work. We’re far beyond “security through obscurity”. Security now works on encryption schemes which are highly publicized and vetted by multiple parties. That goes in combination with protecting through policy like access controls, endpoint protection and monitoring, and security training.