
While the article has some good points, I also have a number of issues with it.

- Don't worry about proper password storage until you are at 4-10 employees and have a prototype out the door? No, proper password storage is one of those things you deal with at the very beginning.

- Not worrying about a password safe until 11-30 employees? Using something like keepass, lastpass, etc, is trivial and should be started from day one as well. Your developers should already be in the habit of using one anyway.

- There should be decent password-locking screensavers on all computers. That way a smash-and-grab computer theft only amounts to a $1,500 asset loss, no critical data loss. There is nothing here about hard drive encryption, so a password-locking screensaver is going to do nothing to prevent loss of sensitive data in a smash-and-grab.

I also dislike this attitude, mentioned in the 1-3 employees stage:

And from a security standpoint, you shouldn’t be doing very much.

In our industry, we keep on complaining about horribly poor security practices all over the internet. Attitudes like that just perpetuate the poor state of affairs.

I think the author is primarily making an argument that everything scales, including focus on security. Overall I agree with your issues (obviously as I run a password & account management company) though perhaps a lot of this is due to the fact that some of the tools are not that user-friendly. A lot of our customers at Meldium are enthused when they find that non-technical employees enjoy the benefits of a password manager that offers simple automatic sign-in.


I'm not sure even encryption helps if you only have a locking screensaver. Both TB and FW devices have DMA so if somebody really wants to get in then the password-protected screensaver lock isn't going to stop anyone (given that the encrypted volumes are mounted).


I suspect that's a different threat though – at least to me, "smash and grab" implies opportunistic steal-laptop-from-car-and-fence-in-nearest-bar type problems. If you've "lost" a laptop to people capable of and interested in probing your firewire port for in-memory passphrases, you've got a whole other level of attacker. (A level of attacker against which I suspect _most_ startups can't and won't attempt to defend themselves.)
