Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons
Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.
Microsoft is the latest enterprise to get on board with this idea, calling the concept of monthly/bimonthly/quarterly password changes "ancient and obsolete".
To this day, password management remains the least-loved aspect of my job as a SysAdmin. In a world of password managers, two-factor authentication, and complex "suggested passwords" from browsers, asking users to change passwords frequently is the one task that virtually guarantees a support request. Why? The password is used on multiple devices, or the forced change came at a time when the user had to write it down, or some other inconvenience that, in practice, seems only to complicate the security process rather than actually improve it in any meaningful way.
The same researchers have warned that mandating password changes every 30, 60, or 90 days—or any other period—can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.
Besides, as Cory has mentioned, two-factor authentication and security keys are quickly showing us how much of a "game-changer" these tools can really be, offering real defence against both past and present security attacks. Nevertheless, this practice remains common in many IT departments. It's time to let it go.
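The failure mode the quoted passage names (users rotating "P@$$w0rd1" to "P@$$w0rd2") is something a change-time check can catch, which a rotation schedule never will. As an added example that is not from the original post, from Ars Technica or from Microsoft, here is a Python check that flags a new password as a predictable variant of the old one; the leetspeak table and the two-character threshold are assumptions chosen for illustration.

```python
import re
from typing import Optional

# Small leetspeak table, undone before comparing stems (constructed for this
# example; a real policy would use a larger table).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "!": "i"})
TRAILING = re.compile(r"[0-9!@#$%^&*._-]+$")

def stem(password: str) -> str:
    """Reduce a password to the part a user tends to keep between rotations:
    trailing digits/symbols stripped, then lower-cased with leetspeak undone.
    'P@$$w0rd1' and 'P@$$w0rd2' both reduce to 'password'."""
    return TRAILING.sub("", password).lower().translate(LEET)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (plain DP), used to catch one- or two-character tweaks."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def trivial_rotation_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` is a predictable variant of `old`, or None if it is not."""
    if new == old:
        return "unchanged"
    if stem(old) and stem(old) == stem(new):
        return "same stem, only the trailing counter/symbol changed"
    lo, ln = old.lower(), new.lower()
    if lo in ln or ln in lo:
        return "old password contained in new one (or vice versa)"
    if edit_distance(lo, ln) <= 2:
        return "differs by at most two characters"
    return None
```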
Microsoft says mandatory password changing is “ancient and obsolete” [Ars Technica]