Image: Santeri Viinamäki [CC BY-SA 4.0], via Wikimedia Commons
Ars Technica outlines the case for a policy that might sound counter-intuitive at first: not forcing password rotation.
Microsoft is the latest enterprise to get on board with this idea, calling the concept of monthly/bimonthly/quarterly password changes "ancient and obsolete".
To this day, password management remains the least-loved aspect of my job as a SysAdmin. In a world of password managers, two-factor authentication, and complex "suggested passwords" from browsers, asking users to change passwords frequently is the one task that virtually guarantees a support request. Why? The password is used on multiple devices, or the forced change came at a time when the user had to write it down, or some other inconvenience that, in practice, seems only to complicate the security process rather than improve it in any meaningful way.
The same researchers have warned that mandating password changes every 30, 60, or 90 days—or any other period—can be harmful for a host of reasons. Chief among them, the requirements encourage end users to choose weaker passwords than they otherwise would. A password that had been “P@$$w0rd1” becomes “P@$$w0rd2” and so on. At the same time, the mandatory changes provide little security benefit, since passwords should be changed immediately in the event of a real breach rather than after a set amount of time prescribed by a policy.
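The "P@$$w0rd1 becomes P@$$w0rd2" pattern is easy to make concrete. The script below is an added illustration, not code from Ars Technica, Microsoft or the quoted researchers: given a user's previous password (say, from a breach dump or a phished login), it applies a handful of cheap edits that people typically make at rotation time and counts how many online guesses are needed to reach the new one. The transform rules, the sample passwords and the stricter `similarity_check` policy are my own constructions for the demonstration.

```python
"""Added example: why forced rotation tends to produce predictable passwords.

An attacker who holds a user's previous password can usually recover the
'rotated' one with a few small edits. Passwords and transform rules below
are constructed for illustration only.
"""
import re
from typing import Iterator, Optional

# Common substitutions people toggle on or off when asked to "change" a password.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}
UNLEET = {v: k for k, v in LEET.items()}
SUFFIXES = ["!", "?", "#", "1", "12", "123"]


def increment_trailing_number(pw: str) -> Optional[str]:
    """P@$$w0rd1 -> P@$$w0rd2, preserving zero padding (pass09 -> pass10)."""
    m = re.search(r"(\d+)$", pw)
    if m is None:
        return None
    digits = m.group(1)
    bumped = str(int(digits) + 1).zfill(len(digits))
    return pw[: m.start()] + bumped


def rotation_candidates(old: str) -> Iterator[str]:
    """Yield likely 'rotated' passwords derived from `old`, cheapest guess first."""
    seen = set()

    def emit(cand: Optional[str]) -> Iterator[str]:
        if cand and cand != old and cand not in seen:
            seen.add(cand)
            yield cand

    # 1. bump the trailing counter (the classic move)
    yield from emit(increment_trailing_number(old))
    # 2. append a digit or a common suffix
    for d in "1234567890":
        yield from emit(old + d)
    for s in SUFFIXES:
        yield from emit(old + s)
    # 3. drop the old counter and start a fresh one
    stem = re.sub(r"\d+$", "", old)
    for d in "1234567890":
        yield from emit(stem + d)
    # 4. flip the case of the first character
    yield from emit(old[:1].swapcase() + old[1:])
    # 5. toggle a single leetspeak substitution
    for i, ch in enumerate(old):
        repl = LEET.get(ch.lower()) or UNLEET.get(ch)
        if repl:
            yield from emit(old[:i] + repl + old[i + 1:])


def guesses_to_recover(old: str, new: str, limit: int = 200) -> Optional[int]:
    """Online guesses needed to reach `new` from `old`, or None if not found within `limit`."""
    for n, cand in enumerate(rotation_candidates(old), start=1):
        if n > limit:
            return None
        if cand == new:
            return n
    return None


def naive_history_check(old: str, new: str) -> bool:
    """What most rotation policies actually enforce: reject only an exact repeat."""
    return new != old


def similarity_check(old: str, new: str, max_guesses: int = 50) -> bool:
    """Stricter rule (my suggestion, not the page's): reject a new password that an
    attacker holding the old one would reach within `max_guesses` cheap transforms."""
    return guesses_to_recover(old, new, limit=max_guesses) is None


if __name__ == "__main__":
    # Constructed before/after pairs of the kind a quarterly rotation policy produces.
    for old, new in [("P@$$w0rd1", "P@$$w0rd2"), ("Summer2019", "Summer2020"),
                     ("letmein", "Letmein"), ("hunter2", "hunter3!")]:
        print(f"{old:>12} -> {new:<12} guesses={guesses_to_recover(old, new)!s:>5}"
              f" naive_ok={naive_history_check(old, new)} strict_ok={similarity_check(old, new)}")
```

The point of the two policy functions is that the usual "must differ from the previous password" rule accepts every one of these rotations while an attacker needs one guess for the first two; only a rule that reasons about the attacker's transforms rejects them, and at that point the rotation is buying nothing that a breach-triggered reset would not.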
Besides, as Cory has mentioned, two-factor authentication and security keys are quickly proving to be the real "game-changers", offering defence against both past and present attacks in a way that a calendar-driven password change never did. Nevertheless, forced rotation remains common in many IT departments. It's time to let it go.
Microsoft says mandatory password changing is “ancient and obsolete” [Ars Technica]