Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons
Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.
Microsoft is the latest enterprise to get on board with this idea, calling the concept of monthly/bimonthly/quarterly password changes "ancient and obsolete".
To this day, password management remains the least-loved aspect of my job as a SysAdmin. In a world of password managers, two-factor authentication, and complex browser-suggested passwords, asking users to change passwords frequently is the one task that virtually guarantees a support request. Why? The password is used on multiple devices, or the forced change came at a time when the user had to write it down, or some other inconvenience that, in practice, seems only to complicate the security process rather than actually improve it in any meaningful way.
The same researchers have warned that mandating password changes every 30, 60, or 90 days—or any other period—can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.
Besides, as Cory has mentioned, two-factor authentication and security keys are quickly showing how much of a "game-changer" these tools can really be, offering real defence against both past and present attacks. Nevertheless, forced rotation remains common in many IT departments. It's time to let it go.
Microsoft says mandatory password changing is “ancient and obsolete” [Ars Technica]
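As an added example (not from the Ars Technica article or from Microsoft's guidance), here is a password-change check that catches the "P@$$w0rd1" to "P@$$w0rd2" pattern the quoted passage describes, so a policy that drops forced rotation can still reject trivial increments when a user does change a password. The leet-speak map, suffix pattern and similarity threshold are assumptions chosen for illustration.

```python
import re
from difflib import SequenceMatcher
from typing import List, Tuple

# Illustrative leet-speak map (an assumption, not an exhaustive list): undone
# before comparing so "P@$$w0rd" and "password" reduce to the same core.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})
# Trailing counters and decorations that users bump on each forced change.
SUFFIX = re.compile(r"[0-9!?.#*]+$")


def normalize(pw: str) -> str:
    """Reduce a password to its core: lower-case, drop a trailing
    counter/decoration, undo leet.  'P@$$w0rd2!' -> 'password'."""
    return SUFFIX.sub("", pw.lower()).translate(LEET)


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when `new` is the kind of increment a rotation policy invites:
    identical, same core with a bumped suffix, one containing the other,
    or only a character or two apart (ratio above `threshold`)."""
    if new == old:
        return True
    a, b = normalize(old), normalize(new)
    if a and a == b:
        return True
    if len(a) >= 4 and (a in b or b in a):
        return True
    return SequenceMatcher(None, old.lower(), new.lower()).ratio() >= threshold


def check_new_password(new: str, history: List[str]) -> Tuple[bool, str]:
    """Run at change time, when the user supplies the old password in clear
    (stored history is normally hashed, so the comparison must happen here).
    Returns (accepted, reason)."""
    for i, previous in enumerate(history):
        if is_trivial_rotation(previous, new):
            return False, f"too similar to password #{i + 1} in history"
    return True, "ok"


if __name__ == "__main__":
    history = ["P@$$w0rd1", "P@$$w0rd2"]  # constructed sample history
    for candidate in ["P@$$w0rd3", "correct-horse-battery-staple"]:
        print(candidate, check_new_password(candidate, history))
```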