[gumby]

> and I know for a fact 90% of the sites I personally sign up to online also follow that same process.

This is a totally legit response. After all if something goes wrong they must have followed "best practices". No reasonable person would expect them to do more.

And it's true (if you only consider the needs of the business). This is a solid strategy for getting lawsuits dismissed. I've seen it in physical security too [+]. It only took one investment bank to put badge-checking turnstiles in place and then they all had to do it. That stuck with banks only for a while until one more conventional business did it...and now I was at Twitch the other day and they have it.

Of course who's missing here is the customer. But the customer's needs aren't paramount: the business's are -- and more specifically the manager who has to spend the money on security. If they have put in just enough that they won't get fired when it fucks up, and if they saved money and effort in the process: WIN!

[+] my favorite physical security story is old, so at the end: when leaving Intel's Santa Clara fab in the 1990s you would have to hand over your briefcase for inspection to make sure you weren't leaving with any Intel documents. They didn't care if you had floppy disks. Why? Because this was a defense against shareholder lawsuits and "what else could the guards do?" This is where I learned the explanation above: once anyone in the industry increased plant security they all would have to, which nobody wanted. So LCD was the name of the game.

[oblio]

1. Are you for or against badge-checking turnstiles? I can't quite say for sure.

2. LCD = lowest common denominator in this case?

[gumby]

2. indeed.

1. I don't really give a shit either way when I encounter one but as a businessman I am against them as something I should have to pay for. My points were twofold:

A> there's a games theory/cartel issue around "best practices", and you basically have no liability if you provide the "standard of care". This is true in security practices, medicine, etc.

And B> there is often an incentive mismatch between the implementor of a process and those subject to it which biases aggressively down or up, against gradualism. The most visible extreme is TSA in which the risk of letting a shoe bomber is extremely high (i.e. the decision maker would lose their job if it actually happened) while the cost is borne by all the miserable travelers who, realistically, fare essentially epsilon risk of actually encountering such a device.

[smitherfield]

With regards to your point B, I'm happy to remove my shoes if it reduces my chances of being killed in a terror attack from (making up numbers) 1/1M to 1/1.05M. It's just that it's unclear whether the TSA's screening methods are effective, and/or optimally-effective, and/or optimally-effective while minimizing passenger inconvenience. (They're probably at least somewhat effective, at least as a psychological deterrent, seeing as there hasn't been a successful terror attack on a US airplane since 9/11).

[jedberg]

Correlation does not equal causation. There also have been no successful terror attacks on a US airplane since they 1) Implemented reinforced cockpit doors, 2) stopped allowing people to line up for the forward bathroom, 3) added air marshals to the planes, 4) implemented TSA pre-check.

So we have no idea, if any of these, has actually improved security. It's possible that just no one has tried since 9/11 because there was no reason to.

[smitherfield]

And "probably" doesn't equal "certainly." It's certainly within the realm of possibility the TSA's screening methods are ineffective.[1] But given the 16-year perfect record[2] in preventing not only hijackings but also bombings (which cockpit doors, air marshals and bathroom line policies are powerless to prevent), it's only reasonable to say their methods probably have some effectiveness to them, which (repeating myself here) is not to say they're the best possible screening methods. And there are most certainly people who think there's "reason to" attack US airplanes, hence the foiled incidents (shoe bomber, liquid bomb plot, underwear bomber) that engendered the more annoying TSA screening policies.

[1] Although I'd say the more likely problem is that the personnel doing the screenings may be ineffective, rather than the fairly-standard-worldwide screening methods they use.

[2] Which in all honesty is quite impressive. Immediately after 9/11 I'd never have guessed we'd go 16 years not only without another 9/11-scale attack, but no attacks on airplanes at all. It's not yet as good as Israeli airport security's 41-year perfect record, but it's nothing to sneeze at.

[IshKebab]

> This is a totally legit response.

Apart from the fact that it is totally untrue?

[gumby]

Who knows if it's untrue? Although it almost certainly is. What's "legit" is the point "lots of other people do it so why should I go to any greater effort? And anyway I don't actually give a shit about my employer's customers."

(I was being sarcastic about "legit" -- it's only legit from the selfish POV of the web admin)

[jonahx]

Your point is a good one. I think "unfortunate but game-theoretically predictable" would have conveyed it with less confusion.

[gumby]

Sorry, I grew up in a culture in which being so explicit was rude, while being barely-elliptically witty is the normal mode of discourse. I sometimes forget.

[optimuspaul]

We don't know what sites they have signed up for. It could be true.

[schwede]

But is it that much harder to provide a unique and expiring reset link in the email instead of sending a new password?