Honestly, we can't let basic security turn into an arms race.

It's getting harder and harder to maintain good password practice. Part of good security also needs to involve proactively going after the criminals.

Anyone willing to break a window can break into my home. Internet security needs to be the same way: Secure enough to keep the honest people honest, and government agencies need to track down the hackers and imprison them. We can't expect normal people to perfectly implement complicated security procedures all the time, nor can we have pervasive technology and only run it with the world's smartest and most perfect people.



I think the idea is to penalize companies for not taking security seriously. This is not mutually exclusive with going after the hackers.

Colonial Pipeline is not normal people, and this is effectively a result of negligence on their part.


Of course there need to be consequences for thieves, but that doesn't absolve people (particularly in critical infrastructure) from the responsibility to implement reasonable protections.

If everyone keeps their doors unlocked in town and hundreds of burglaries occur as a result, the police should do something about it, but they may not be staffed to go after everyone. At some point they're going to be telling people to lock their houses please.

"Password practice" is thankfully becoming less and less relevant as hardware security tokens become more widespread, affordable and reliable. IMO there's zero excuse for a critical infrastructure operator not to use 2FA at this point. Whatever the password policy is, people (consumers too) should really not use passwords as their last line of defense.


I seldom lock my house (or car). So I'm in the same boat. But I live in a town (technically a city) of 20,000. I have 30 neighbors. When I'm in New York City, I lock my car. The same goes for the Internet. It's huge. I have billions of neighbors. So I lock my door. Even though my house is not national security infrastructure.


> Honestly, we can't let basic security turn into an arms race.

Are you implying that expecting an organization that manages critical infrastructure to turn on 2FA and set secure passwords is an arms race? Hell, if I were a local coffee shop, I'd still expect my employees to use 2FA and a password manager to log into company computer systems.


> It's getting harder and harder to maintain good password practice.

I would be very curious about what you mean.

Harder than when?


Harder than in the past. Look at it another way: some time in the past, using just a password would have been considered 'good'. Now, using just a password is not considered 'good' in many domains, not my mum's computer. In the future, any password of a complexity that could be remembered might be considered not 'good' enough. Someone in the future would probably look back and say what we use now is not good. It was only a short time ago that people considered a password and an SMS good enough for banking.


> Look at it another way, some time in the past using just a password would have been considered 'good'.

Maybe, if I'm generous, the 1960s?

> In the future any password of a complication that could be remembered might be considered not 'good' enough.

Human memorable secrets weren't "good enough" before and they aren't "good enough" now and they won't become "good enough" in the future. This is not a novel insight even if it's new to you.

> It was only a short time ago people considered a password and an SMS good enough for banking.

Not "people", banks. Go back and look: the people who care about security would have told you an SMS "second factor" wasn't a good idea back then too, but the banks weren't looking for actual security; they wanted to reassure regulators and customers that they were on top of this.

It's that emotional support versus engineering viewpoint. The banks offered emotional support: don't fret, we care about security and we'll make everything OK. Outfits like Google took the engineering viewpoint: understand the problem, identify a solution, deploy it. U2F => WebAuthn. Emotional support is great when your dog died, while engineering is a poor substitute. But if a bridge fell down, the emotional support rings a bit hollow; engineers can ensure the next bridge doesn't do that. I say user authentication is a "bridge fell down" problem, not a "my dog died" problem.
