Password expiration is dead, long live your password!

Good old Microsoft - somebody has finally seen the light. I have thought this for a very long time.



I still think passwords have a place in IT, but with two-factor authentication such as www.duo.com this obsession with changing passwords, and having users write them down or store them in the likes of KeePass, needs to end. Just let the user remember a decent password and go with what Microsoft are saying.

"Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
…If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration? …Periodic password expiration is an ancient and obsolete mitigation of very low value."
