Out of the box Use common sense on cyber security
Many of the rules on cyber security are excessive and impratically. They cause more harm than benefits. 

Examples are:

a) Use strong password
b) Change the password regularly
c) Cannot use an old password
d) Use different password for different websites
e) Use 2FA authentication.

The biggest mistake of these cyber security experts is - they do not distinguish between what is important and what is not. 

Some transactions are important and need to be authenticated. They require high security for authentication. 

Most websites do not require a high level of security. They can be hacked, but the hackers will not gain any financial benefit from the hack. They will not bother. 

Examples are website that provide information. They may ask for a user ID to gather the relevant information for the user. They are of no interest to a third party. 

The hacker may cause disruption by putting rubbish for the hacked user. But they are not harmful. 

I consider access to the email account to be low risk. I agree that the hacker can hack into the account and read my past emails. It does not matter to me. The past emails are not important anyway.

The hacker can also send emails from my account and impersonate me. It does not matter also. The recipient should use discretion and not act on the fake email. 

Anyway, if the email account is hacked, it is quite easy for me to reset the password.

The current mess in cyber security protocols has caused a lot of pain and headache to ordinary users. They have to managed hundreds of passwords which have to specify to different "strong" requirements and have to keep the passwords in a separate file to keep track. The file can be hacked and expose all the passwords.

The cyber security experts should also consider the risk that the user will lose his mobile phone and cannot use it as a 2FA device to access his financial accounts. What are the remedial steps?

My suggestion to the cyber security experts is:

a) Allow simple, weak or common password to identify a user. 

b) For important transactions, the user should be asked to authenticate it by using a strong password and perhaps a 2FA as well.

c) Allow the user to decide on using strong passwords and to change it regularly, if they need it. This should be decided by each user according to his needs.

Each user should be allowed to register into an authentication website that can be used for all websites that require some transactions to be authenticated.

For example, in the case of Singapore, the government can manage this website and link it to SingPass.

 

Add Comment

---