NIST have published the 800-63 Standards "Digital Identity Guidelines" and with it have updated various standards of identity management.
I'm still to go through it all (boring maybe, but useful for my job).
Among some of the changes are passwords, they now recommend (mandatory) a minimum of 8 characters. They may impose a check on known lists and ask for a different password (e.g. use of a password on a password list) but should not impose any other requirements. This includes things like password expiry policies, "complex" passwords mandating the use of multiple character types.
They should also allow a minimum of 64 characters (truncation is not allowed) and allow any type of character (including for example unicode).
Password hints are not allowed.
Among many other things.
Don't know about anyone else, but it's good to finally see password expiry being removed as a mandatory requirement in standards. Now just need to convince everyone it's a good idea to follow it sooner rather than later.
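The acceptance rules summarised in the post above, as an added example (not NIST's code or any product's): only length and a known-password list are checked, there is no composition rule, expiry or hint. The blocklist is constructed, the 128 upper bound and the NFKC normalisation are assumptions.

```python
import unicodedata

MIN_LEN = 8      # required minimum length from the guideline summary above
MAX_LEN = 128    # assumption: any bound of at least 64 satisfies "allow a minimum of 64"

# Constructed sample of a known/breached password list; a real deployment uses a large corpus.
KNOWN_BAD = frozenset({
    "password", "12345678", "qwertyuiop", "letmein1", "companyjune2017",
})


def check_password(candidate: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a proposed memorised secret.

    Deliberately absent: character-class requirements, expiry dates, hints.
    """
    if not isinstance(candidate, str):
        return False, "not a string"
    # Assumption: normalise to NFKC so equivalent Unicode spellings compare the same,
    # then count code points, never UTF-8 bytes, so non-Latin scripts are not penalised.
    normalized = unicodedata.normalize("NFKC", candidate)
    length = len(normalized)
    if length < MIN_LEN:
        return False, f"shorter than {MIN_LEN} characters"
    if length > MAX_LEN:
        # Reject outright rather than silently cutting it down: truncation is not allowed.
        return False, f"longer than {MAX_LEN} characters"
    if normalized.casefold() in KNOWN_BAD:
        return False, "appears on the known-password list; choose a different one"
    return True, "accepted"


def legacy_check(candidate: str) -> bool:
    """The kind of composition rule the guideline drops: at least one upper, lower,
    digit and symbol, and at most 16 characters. Shown only for contrast."""
    classes = (
        any(c.isupper() for c in candidate),
        any(c.islower() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    )
    return all(classes) and len(candidate) <= 16


if __name__ == "__main__":
    for pw in ("correct horse battery staple", "P@ssw0rd", "日本語のパスワード"):
        print(repr(pw), check_password(pw), "legacy:", legacy_check(pw))
```

A long passphrase passes the new check and fails the legacy one, while a short, "complex" password passes legacy rules and is still a weak choice.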
Password expiry is a unique pain in the ass for me because I don't have an AD connected windows machine.
This means when my AD password expires (which I get no warning of) I have to make a helpdesk ticket and one of the techs (who work for me) has to reset my password so I can continue to receive emails.
The AD account is the only one with an expiry timeout (90 days seems a bit excessive tbh)
All it makes me do is use a password manager, but when it comes to other employees, I see sticky notes on monitors way too much for a company that prides itself on security. Anyone who gets a tour of the office could easily steal full credentials of half the office.
The creation of weak passwords is the major thing in my industry. We, by necessity, have internal portals on public IPs because a lot of people do field work where VPN is not an option. Weak passwords on these sites only serve to undermine our corporate secrets and it annoys the hell out of me.
2FA is really the only decent option for security these days that doesn't inconvenience the end user too much.
I've heard of the new standard as well and I was super happy when I read that there is finally an official standard for what was my sense of security all along. Without this, it's practically impossible to convince people in the position to change this and with this it might finally be possible.
I can only agree. However, I've met (rather tech-savvy) people before who don't want to use it, because they say it's not necessary for them, since they have a password manager that they only use at home and they don't log into any site outside of their home (go figure).
Anyways, I need to forward that NIST site to my local admin.
That's fair. I definitely have to plead guilty to this in some situations. I have a password manager, just because on any given day, I'm using 30 different services. It's just too much for me to keep track of.
My boss used to have LastPass. I managed to get him switched to this one.
I did this as soon as I saw this thread. We just had a SOX audit and they weren't happy with our 180 day expiry and forced us to switch to 90. My boss (CTO) is now on a righteous crusade to get rid of password expiry and complexity requirements.
Basically, yeah. Install the addon or use the web-ui. The addon will auto-fill login forms and will auto-detect logins and ask if you want to add an account.
Password expiration only works in a military setting when you are required/forced to memorize alpha-numeric sequences.
IRL it just trains people to make weaker derivative passwords.
In my IT experience, 90% of a company will have their password use either the date, the company's name, or a variation of the default password IT gives out.
At my job, we do not allow anything similar to the last 3 passwords. Some older employees call in and do password +1. These employees do not have access to critical data so it's OK, I guess...
I do not agree. Passwords expiring is good in my experience.
You guys use OWA? You can change your password from there now...
Social engineering black hats would have a field day.
There's always a way around it. When you enforce complex password rules and enforce unreasonable password expiry what you end up with is this.
CompanyMonthYYYY or a similar variation of it. It completely bypasses your security checks while still being completely insecure. But it's easy to remember when your company keeps making you change passwords.
I've never heard of people using CompanyMonthYYYY. That may sound crazy... At least at my job they don't. They do go for wife's/mother's maiden name, favorite sports team and SS#, which is worse.