Security Expert Bruce Schneier On Passwords, Privacy and Trust

Ryan Dube 20-03-2014

In today’s interconnected world, all it takes is one security mistake to make your whole world come crashing down. Who better to turn to for advice than security expert Bruce Schneier?


If you have even a passing interest in security matters, then you’ve surely come across the writings of Bruce Schneier, a world-renowned security guru who has served on numerous government committees, testified before Congress, and is the author of 12 books on security issues so far, as well as countless essays and academic papers.

After hearing about Schneier’s newest book, Carry On: Sound Advice from Schneier on Security, we decided that it was about time to reach out to Bruce to get some sound advice concerning some of our own pressing privacy and security concerns.

Bruce Schneier – Sound Advice

In a globalized world filled with international digital espionage, malware and virus threats, and anonymous hackers around every corner, the internet can be a very scary place for anyone to navigate.

Have no fear, for we asked Bruce to provide us with some guidance about some of the most pressing security issues today. After reading this interview, you’ll at least walk away with a greater awareness of what the threats really are, and what you can really do to protect yourself.

Understanding Security Theater

MUO: As a consumer, how can I distinguish “security theater” from a genuinely secure app or service? (The term “security theater” was chosen from the term you coined in your past writings about how apps and services claim security as a selling point.)


Bruce: You can’t. In our specialized and technological society, you can’t tell good from bad products and services in a lot of areas. You can’t tell a structurally sound aircraft from an unsafe one. You can’t tell a good engineer from a charlatan. You can’t tell a good pharmaceutical product from snake oil. That’s okay, though. In our society, we trust others to make those determinations for us. We trust government licensing and certification programs. We trust reviewing organizations like Consumers Union. We trust the recommendations of our friends and colleagues. We trust experts.

Security is no different. Because we can’t tell a secure app or IT service from an insecure one, we have to rely on other signals. Of course, IT security is so complicated and fast-moving that those signals routinely fail us. But that’s theory. We decide who we trust, and then we accept the consequences of that trust.

The trick is to create good mechanisms of trust.

DIY Security Audits?

MUO: What is a “code audit” or a “security audit” and how does it work? was open-source, which made some people feel it was secure, but it turned out nobody audited it. How can I find these audits? Are there ways I could audit my own day-to-day use of tools, to make sure I am using stuff that really protects me?


Bruce: An audit means what you think it means: someone else looked at it, and pronounced it good. (Or, at least, found the bad parts and told someone to fix them.)

The next questions are also obvious: who audited it, how extensive was the audit, and why should you trust them? If you’ve ever had a home inspection when you bought a house, you understand the issues. In software, good security audits are comprehensive and expensive and — in the end — no guarantee that the software is secure.

Audits can only find problems; they can never prove the absence of problems. You can definitely audit your own software tools, assuming you have the requisite knowledge and experience, access to the software code, and the time. It’s just like being your own doctor or attorney. But I don’t recommend it.

Just Fly Under the Radar?

MUO: There is also this idea that if you use such highly secure services or precautions, you’re somehow acting suspicious. If that idea has merit, should we focus less on more secure services, and instead try to fly under the radar? How would we do that? What kind of behavior is considered suspicious, i.e. what gets you a minority report? What’s the best tactic to “lay low”?



Bruce: The problem with the notion of flying under the radar, or lying low, is that it’s based on pre-computer notions of the difficulty in noticing someone. When people were the ones doing the watching, it made sense not to attract their attention.

But computers are different. They aren’t limited by human notions of attention; they can watch everyone at the same time. So while it may be true that using encryption is something the NSA takes special note of, not using it doesn’t mean you’ll be noticed less. The best defense is to use secure services, even if it might be a red flag. Think of it this way: you’re providing cover for those who need encryption to stay alive.

Privacy and Cryptography

MUO: Vint Cerf said that privacy is a modern anomaly, and that we don’t have a reasonable expectation for privacy in the future. Do you agree with this? Is privacy a modern illusion/anomaly?


Bruce: Of course not. Privacy is a fundamental human need, and something that’s very real. We will have a need for privacy in our societies as long as they’re made up of people.

MUO: Would you say that we as a society have become complacent concerning data cryptography?

Bruce: Certainly we as designers and builders of IT services have become complacent about cryptography, and data security in general. We have built an Internet that is vulnerable to mass surveillance, not just by the NSA but by every other national intelligence organization on the planet, large corporations, and cybercriminals. We have done this for a variety of reasons, ranging from “it’s easier that way” to “we like getting things for free on the Internet.” But we’re starting to realize that the price we’re paying is actually pretty high, so hopefully we’ll make an effort to change things.

Improving Your Security and Privacy

MUO: What form/combination of passwords/authorization do you consider the most secure? What “best practices” would you recommend for creating an alphanumeric password?

Bruce: I wrote about this recently. The details are worth reading.

Author’s Note: The linked article eventually describes the “Schneier Scheme” for choosing secure passwords, actually quoted from his own 2008 article on the subject.

“My advice is to take a sentence and turn it into a password. Something like ‘This little piggy went to market’ might become ‘tlpWENT2m’. That nine-character password won’t be in anyone’s dictionary. Of course, don’t use this one, because I’ve written about it. Choose your own sentence—something personal.”

MUO: How can the average user best deal/cope with the news that their account with a world-famous website, bank or multinational company has been compromised (I’m talking about data breaches of the Adobe/LinkedIn type here, rather than a single bank account breached through card fraud)? Should they move their business? What do you think it will take to underline to IT/data security departments that immediate, full disclosure is the best PR?

Bruce: This brings us back to the first question. There’s not a lot we as customers can do about the security of our data when it’s in other organizations’ hands. We simply have to trust that they’re going to secure our data. And when they don’t — when there’s a large security breach — our only possible response is to move our data somewhere else.

But 1) we don’t know who is more secure, and 2) we have no guarantee that our data will be erased when we move. The only real solution here is regulation. Like so many areas where we don’t have the expertise to evaluate, and are required to trust, we expect the government to step in and provide a trustworthy process that we can rely on.

In IT, it will take legislation to ensure that companies secure our data adequately and inform us when there are security breaches.


It goes without saying that it was an honor to sit down and (virtually) discuss these issues with Bruce Schneier. If you’re looking for even more insight from Bruce, by all means make sure to check out his latest book, Carry On, which promises Bruce’s take on important security issues today like the Boston Marathon bombing, NSA surveillance and Chinese cyber-attacks. You can also get regular doses of Bruce’s insight at his blog.

As you can tell from the answers above, staying secure in an insecure world isn’t exactly easy, but using the right tools, carefully choosing what businesses and services you decide to “trust”, and using common sense with your passwords is a very good start.


  1. dragonmouth
    July 1, 2014 at 7:52 pm

    " We trust experts."
    As the popular saying goes, "In God we trust, all others pay cash." There are too many bogus "experts" running around to implicitly trust any one of them. In the area of IT security we all can name dozens of apps, services and "experts" the purpose of which is diametrically opposed to what they claim. Not to impugn Mr. Schneier's reputation, abilities and accomplishments, but in some areas I find him to be a naive Pollyanna.

    "Privacy is a fundamental human need"
    Illusion of privacy does just as well. All we need is to feel that we have privacy.

  2. Ken Harthun
    March 26, 2014 at 5:32 pm

    Being a security wonk myself, I seldom disagree with any of Mr. Schneier's advice. In this case, however, I strongly disagree that, as he says, "The only real solution here is regulation." If there is one organization that I NEVER trust, it's the government; I believe that they have adequately betrayed our trust enough that I'm quite justified in my opinion.

    Here's what regulation would do: Penalize corporations for "insecurity." Data breach = corporation fined = cost passed on to consumers = higher fees/prices for goods and/or services. Security doesn't necessarily improve. It's already obvious that most huge financial firms, like banks, just eat the losses and pass on the costs to us. More regulation = more costs = higher prices. No one wins.

    I wish I had the answers, but I don't. I just know that involving incompetent (I'm being kind) legislators isn't the solution.

  3. Godel
    March 21, 2014 at 8:25 pm

    Don't make up your own passwords, use a password manager with a password generator. Possible exceptions, the master password for your password manager, and your online web email accounts, in which case use something like Bruce's suggestions, but make them personally memorable. With a random-style password, 10 characters and up is probably a safe length, although I use 12 to 16 characters these days.

    Having selected a password manager, MAKE BACKUPS, LOTS OF BACKUPS, to offline storage, and maybe the cloud. Because the password databases are encrypted, it should be safe to publish them anywhere, if you've chosen a decent password.
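Two password points come up on this page: Bruce's quoted 2008 advice that a sentence-derived password such as "tlpWENT2m" "won't be in anyone's dictionary", and Godel's comment recommending a password manager's random generator at 10 characters and up (12 to 16 in practice). The Python below is an added example written for this page; it is not code from the article, from Bruce Schneier, or from any password manager. It draws random passwords from the `secrets` module and reports their entropy, and it checks candidates against a small constructed word list that stands in for the lists cracking tools try first. The 94-symbol alphabet, the `MIN_RANDOM_LENGTH` constant and the `COMMON_PASSWORDS` set are assumptions made for the example.

```python
import math
import secrets
import string

# Character set a typical password-manager generator draws from: the 94
# printable ASCII symbols excluding space. Assumed here for the example.
GENERATOR_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Lower bound the comment above gives for a random-style password.
MIN_RANDOM_LENGTH = 10

# Constructed stand-in for the word and phrase lists a cracking tool tries
# first. Real lists run to millions of entries; the membership test is the same.
COMMON_PASSWORDS = frozenset({
    "password", "123456", "qwerty", "letmein", "iloveyou",
    "thislittlepiggy", "thislittlepiggywenttomarket",
})


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are drawn uniformly and
    independently: length * log2(alphabet_size). This figure is only valid
    for generated passwords; a human-chosen mnemonic has no such clean number."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need a positive length and at least two symbols")
    return length * math.log2(alphabet_size)


def generate_random_password(length: int = 16,
                             alphabet: str = GENERATOR_ALPHABET) -> str:
    """Build a password from independent CSPRNG draws via the secrets module.
    random.choice is the classic mistake here: the Mersenne Twister behind it
    is not designed to resist prediction from observed outputs."""
    if length < MIN_RANDOM_LENGTH:
        raise ValueError(f"length must be at least {MIN_RANDOM_LENGTH}")
    if len(set(alphabet)) != len(alphabet):
        # Duplicate symbols would bias the draw toward them.
        raise ValueError("alphabet must not contain duplicate symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def in_dictionary(candidate: str, wordlist=COMMON_PASSWORDS) -> bool:
    """Case-insensitive lookup, also trying the space-stripped form so that a
    sentence typed with or without spaces matches a phrase-list entry."""
    normalized = candidate.lower()
    return normalized in wordlist or normalized.replace(" ", "") in wordlist


def assess(candidate: str, random_generated: bool = False) -> dict:
    """Summarize what can honestly be said about a candidate password."""
    report = {
        "length": len(candidate),
        "in_dictionary": in_dictionary(candidate),
        "entropy_bits": None,
    }
    if random_generated:
        # Only a generated password earns the uniform-draw entropy figure.
        bits = entropy_bits(len(candidate), len(GENERATOR_ALPHABET))
        report["entropy_bits"] = round(bits, 1)
    return report


if __name__ == "__main__":
    # Bruce's example from the quoted passage (public now, so not for use).
    print(assess("tlpWENT2m"))
    # The sentence it came from, which a phrase list does contain.
    print(assess("This little piggy went to market"))
    # A manager-style password at the upper end of the comment's range.
    pw = generate_random_password(16)
    print(pw, assess(pw, random_generated=True))
```

The numbers make Godel's range concrete: 12 characters from a 94-symbol alphabet give roughly 78.7 bits, 16 give roughly 104.9, and that arithmetic holds only because every character is an independent CSPRNG draw. The `assess` report deliberately leaves `entropy_bits` empty for a human-chosen password, since the sentence scheme's strength depends on how personal the sentence is, not on a formula.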