Is it safe to share your password security plan with others?

There is always some risk involved because your method might have some flaws, and if an attacker can easily know all the details of your implementation then, of course, they have an advantage. To reduce the risk, some obscurity is sometimes used as an extra layer of protection in case something goes wrong, and as a deterrent. Here are a few points you can consider to evaluate the risk:

  • Who are you going to show your plan to? Friends? Coworkers? Security auditors? Haxxor forumz? The whole internet via social media?
  • What advantages do you get if you show somebody your plans? Are you going to get valuable opinions? Do you really need more opinions? What is your goal when you publish your method? Would you like it to become a widely recognized standard or common best practice?
  • How confident are you that your plan is already good enough? Are you aware of the current best practices? Have you tried to follow them?
  • How flexible is your system? Is it already in use? Is it still in the design stage and could be modified relatively easily? Or is it hard to change anything in the process?
  • Who are your enemies and what assets are you protecting? If the potential damage is severe and the probability of advanced attacks is high, then, of course, you will need to be more careful.

Answering those questions might help you figure out if it's worth sharing information with other people, and if you are increasing the risk or reducing it. So for example, if you are unsure about your practices, you'd better share your methods before you start to use them, to hear opinions from trusted experts (for example asking about your methods in this community). But if you are part of a team of security experts that works for the government, maybe you'd better shut up instead of publicly tweeting about every detail of every security control your agency is using.

OPSEC best practices can be summarized as "shut up unless you really need to speak". In your case, it's probably OK to share your method with your friend, to help them improve their security. But posting that information publicly on Facebook would be bad OPSEC, no matter how secure your method really is.


Your reasoning is solid. A bit like a good encryption algorithm, knowing the process (including the code) will not be sufficient to break it.

If the process is secure and you are able to maintain the keying aspects secure and under your control, I don't see sharing the process as being unsafe.

As a parallel argument, there's scope to have a recovery process from a 3rd party, in case of incapacitation or death (sadly a reality in the world). For this, a document like the one you referred to is critical, then you'd need to find a secure way to distribute keying material to trusted 3rd parties.
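The two points in the answer above (a process that stays secure even when it is public, and keying material handed to trusted third parties for recovery) are easy to see in code. The following is an added illustration, not the poster's scheme and not code from the original thread: per-site passwords are derived with HMAC-SHA256 from a single master secret (the public "process"), and that master secret is split with Shamir secret sharing over a prime field so that any `threshold` of the trusted parties can reconstruct it while fewer learn nothing. The master secret value, site names, the 2-of-3 threshold and the HMAC input layout are all assumptions chosen for the example.

```python
"""Public procedure, secret key: per-site password derivation plus a threshold
recovery scheme for the master secret. Added example; not the poster's method."""
import base64
import hashlib
import hmac
import secrets

# A Mersenne prime, large enough to hold secrets of up to 64 bytes as one field element.
PRIME = 2**521 - 1

# Constructed master secret for the demonstration (in practice: generated randomly
# and never written down in the shared document).
MASTER_SECRET = bytes.fromhex("000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f")


def derive_site_password(master_secret: bytes, site: str, counter: int = 0, length: int = 20) -> str:
    """Everything here can be published; security rests only on master_secret.
    The counter lets you rotate one site's password without changing the master."""
    msg = f"{site}\x00{counter}".encode()
    tag = hmac.new(master_secret, msg, hashlib.sha256).digest()
    # base64 gives upper/lower/digits/+/; truncate to the site's length limit.
    return base64.b64encode(tag).decode()[:length]


def _eval_poly(coeffs: list[int], x: int) -> int:
    """Evaluate coeffs[0] + coeffs[1]*x + ... mod PRIME (Horner's method)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, n_shares: int) -> list[tuple[int, int]]:
    """Shamir split: the secret is the constant term of a random degree threshold-1
    polynomial; share i is the point (i, f(i))."""
    s = int.from_bytes(secret, "big")
    if not (0 < threshold <= n_shares) or s >= PRIME:
        raise ValueError("bad threshold/share count or secret too large for the field")
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def _interpolate_zero(shares: list[tuple[int, int]]) -> int:
    """Lagrange interpolation of f(0) from the given points, mod PRIME."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def recover_secret(shares: list[tuple[int, int]], secret_len: int) -> bytes:
    """Reconstruct the master secret from at least `threshold` distinct shares."""
    return _interpolate_zero(shares).to_bytes(secret_len, "big")


if __name__ == "__main__":
    # Hand one share each to three trusted people; any two can recover the master.
    shares = split_secret(MASTER_SECRET, threshold=2, n_shares=3)
    recovered = recover_secret(shares[1:], len(MASTER_SECRET))
    assert recovered == MASTER_SECRET
    print("recovered master from shares 2 and 3:", recovered.hex())
    print("example.com password:", derive_site_password(recovered, "example.com"))
```

Note what the recovery parties receive: the written procedure (harmless to share) and one share each. A single share is a uniformly random field element and carries no information about the master, which is why the document itself can be distributed more freely than the shares.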