
I taught high-school computer science. I taught about how the internet works, password security, encryption as well as programming.

I once had a lad declare that GitHub was stupid, because it locked out our IP for 5 minutes after the class tried to log in to their accounts, with at least half of them forgetting the strong passwords I insisted they use.

I watched a girl log into her VPS by running her finger across the top row of her keyboard. When I insisted she change her password, she ran her finger across the keyboard in the opposite direction.

Many people know and understand basic security; they just don't care. They think they have nothing worth losing, and so don't need to be secure. Even after I explained to the students that their VPS could be used to mine bitcoin, fetch pornographic material or send out phishing emails, their attitude was very much - meh!

I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a VNC server without enforcing a strong password. Security by design will be even more important as IoT becomes more prevalent.

tl;dr - You can't rely on users to protect themselves.




> I'm all for educating people on these issues, but the true way to protect them from their own stupidity is to ensure that it is impossible for them to start up a VNC server without enforcing a strong password.

What is a 'strong password'? Minimum 12 characters, 2 symbols, 2 caps, 2 lower case? "1!qQaAzX2@wWsSxX" fits (and exceeds) those requirements.

Trying to enforce strong passwords doesn't work; people just make up new insecure passwords.


Five random English words (100000^5) is stronger than 12 random printable ASCII characters (95^12). It's more memorable, too.

User-hurting policies like "Thou shalt have at least 2 symbols in thine password" are partly to blame.


You want to be careful that you don't end up with "five random English words (4000^5)", though.

And it's hard to enforce people not using phrases.
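
Added example, not part of any comment in this thread: a Python sketch showing that the composition rule quoted above (minimum 12 characters, 2 symbols, 2 caps, 2 lower case) accepts the keyboard-walk password from the thread, how a key-adjacency check catches it, and how the three entropy figures mentioned compare in bits. The function names, the approximate QWERTY grid (row stagger ignored) and the 0.5 threshold are assumptions made for illustration.

```python
import math

# US QWERTY rows; index in each string is the column (approximation: stagger ignored).
ROWS = ["1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./"]
# Map shifted symbols back to the physical key they share.
SHIFTED = dict(zip('!@#$%^&*()_+{}:"<>?', "1234567890-=[];',./"))
KEY_POS = {ch: (r, c) for r, row in enumerate(ROWS) for c, ch in enumerate(row)}


def key_of(ch):
    """Return the (row, col) of the physical key for ch, or None if unmapped."""
    return KEY_POS.get(SHIFTED.get(ch, ch.lower()))


def meets_composition_policy(pw):
    """The rule from the thread: >= 12 chars, 2 symbols, 2 upper, 2 lower."""
    symbols = sum(not c.isalnum() for c in pw)
    uppers = sum(c.isupper() for c in pw)
    lowers = sum(c.islower() for c in pw)
    return len(pw) >= 12 and symbols >= 2 and uppers >= 2 and lowers >= 2


def keyboard_walk_fraction(pw):
    """Fraction of consecutive characters typed on the same or a neighbouring key."""
    keys = [key_of(c) for c in pw]
    pairs = list(zip(keys, keys[1:]))
    if not pairs:
        return 0.0
    near = sum(
        1 for a, b in pairs
        if a and b and abs(a[0] - b[0]) <= 1 and abs(a[1] - b[1]) <= 1
    )
    return near / len(pairs)


def acceptable(pw, max_walk=0.5):
    """Composition rule plus a walk check; max_walk is an assumed threshold."""
    return meets_composition_policy(pw) and keyboard_walk_fraction(pw) <= max_walk


def entropy_bits(pool_size, picks):
    """Bits of entropy for `picks` independent uniform choices from `pool_size`."""
    return picks * math.log2(pool_size)


if __name__ == "__main__":
    pw = "1!qQaAzX2@wWsSxX"  # the password quoted in the thread
    print(meets_composition_policy(pw), round(keyboard_walk_fraction(pw), 2))
    for pool, picks in [(100000, 5), (95, 12), (4000, 5)]:
        print(f"{pool}^{picks}: {entropy_bits(pool, picks):.1f} bits")
```

The entropy figures only hold when every word or character is chosen uniformly at random, which a server-side check cannot verify from the password alone.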



