What are some counter-productive security practices?

Question

I thought I damaged my phone recently, and tried to turn off 2FA on my password manager to get into the vault on my laptop. It didn&rsquo;t let me, I think because my former employer required admins to approve it. So I couldn&rsquo;t get into my password manager. I managed to fix the phone but the codes didn&rsquo;t work now.I spent the night copying my passwords into Gmail from my phone app (bad for security).A support request got 2FA disabled and I got into my vault, but I won&rsquo;t be turning it on again (bad for security). I&rsquo;ll also be exporting my passwords.An ostensibly good idea (make company admins approve turning off 2FA) has resulted in less security. I can imagine employees having a single bad experience and then swearing off password managers.What are other examples of &ldquo;smart&rdquo; ideas that actually reduce security?

ggeorgovassilis · Accepted Answer

Multi-factor authentication which resides on the same device, eg. the mobile banking app authenticating with an SMS to the same phone it is running on.
Overly complex password policies which lead to people writing passwords down in unsafe places.
Password expiration.
RBAC with unsensible defaults which leads to everyone having admin access.
Not running security drills: when people always follow the happy path they never practice the procedures for eg. getting back access after losing their phone.

bediger4000 · Answer

Requiring long,"high entropy" passwords to be typed blind. Dots for password characters might have had a reason for existing when people used a large, wide viewing angle monitor. On a small LCD screen like a smartphone, the dots don't make a difference except to hide at least 8 characters with a number, upper and lower cases, and at least 1 special charter not including "' or > from the user as they type on a smartphone keyboard where a fingertip covers 2-3 keys.What a farcical time waster.

apohn · Answer

At my last job we had the following.1.Active directory password expires every 60 days2.Extremely crazy requirements around the AD password3.Only place you can change password is using the Windows login screen4.No easy place to lookup the password requirements because the IT Intranet site was a completely mess and Windows login only says "Password doesn't meet requirements"5.Bitlocker password required on laptop6.2FA via a PKI card7.Requirements for Bitlocker, PKI, and AD password were all different.8.Extremely convoluted process to reset your password, usually resulting in a call to the IT help lineThis is the only job in my life where I ended up writing down my passwords on paper because my passwords were always some crazy nonsense I couldn't remember. I know I wasn't the only one as I saw people with post-its on there laptop with their passwords.This was a large software company. The whole process was just stupid. If you have a terrible process people will have no choice but to find a way to work around it.

jstx1 · Answer

Companies requiring their employees to change passwords every 3 months.

ackatz · Answer

Punishing end users with security training when they successfully spot and report the company's phishing campaign e-mail.

josephcsible · Answer

Putting autocomplete=off on login forms, or otherwise attempting to break password autofill.Breaking all outgoing TLS.