Password expiration is dead, long live your passwords
May was a momentous month, which marked a victory for sanity and pragmatism over irrational paranoia. I’m obviously not talking about politics. I’m talking about Microsoft finally — finally! but credit to them for doing this nonetheless! — removing the password expiration policies from their Windows 10 security baseline.
Many enterprise-scale organizations (including TechCrunch’s owner Verizon) require their users to change their passwords regularly. This is a spectacularly counterproductive policy. To quote Microsoft:
Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.
…If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration? …Periodic password expiration is an ancient and obsolete mitigation of very low value.
If you have a password at such an organization, I recommend you send that blog post to its system administrators. They will ignore you at first, of course, because that’s what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security — but they may grudgingly begin to accept that the world has moved on.
Instead: Use a password manager like LastPass or 1Password. (They have viable free tiers! You really have no excuse.) Use it to eliminate or at least minimize password re-use across sites. Use two-factor authentication wherever possible. Yes, even SMS two-factor authentication, despite number-porting and SS7 attacks, because it’s still better than one-factor authentication.
And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos. I’m the CTO of a consultancy and you would be amazed how many times clients come to us with this unfortunate setup. Repository access is not fine-grained, repos are very easily copied and/or their copies misplaced, and once you’ve checked in credentials they can be annoyingly tricky to truly delete. Using even something as simple as environment variables instead is a huge step up, and also makes your life simpler in many ways when working across multiple environments.
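As an added illustration of that last point (my example, not code from the article): a small pre-commit style check that flags string literals assigned to credential-looking variable names, beside the environment-variable replacement the paragraph recommends. The sample source, the variable names and the entropy threshold are constructed for the example.

```python
import math
import os
import re

# Constructed sample of lines as they might be committed to a repo: a hardcoded
# API key (bad), a password read from the environment (good), and an ordinary string.
SAMPLE_SOURCE = """\
DB_HOST = "db.internal.example"
API_KEY = "sk_live_4f9Gh2kLm8Qp1xZr7TvB3nWc"
db_password = os.environ["DB_PASSWORD"]
greeting = "hello world"
"""

# Variable names that usually carry a credential (assumed list; extend to taste).
SECRET_NAME = re.compile(r"(password|passwd|secret|api[_-]?key|token)", re.IGNORECASE)
# An assignment of a quoted string literal:  name = "value"  or  name: 'value'
ASSIGNMENT = re.compile(r"""^\s*([A-Za-z_][\w.-]*)\s*[:=]\s*["']([^"']+)["']""")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character: random keys score high, plain words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def find_hardcoded_secrets(source: str, min_len: int = 12, min_entropy: float = 3.5) -> list:
    """Return (line_number, variable_name) for each line that assigns a long,
    high-entropy string literal to a credential-like name. A value pulled from
    os.environ is not a string literal, so it never matches; short placeholder
    values such as "changeme" are below the thresholds and are not reported."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        name, value = m.groups()
        if SECRET_NAME.search(name) and len(value) >= min_len and shannon_entropy(value) >= min_entropy:
            findings.append((lineno, name))
    return findings


def load_secret(name: str, env=os.environ) -> str:
    """The replacement the post recommends: read the credential from the
    environment and fail fast if it is missing, so nothing lands in the repo."""
    value = env.get(name)
    if not value:
        raise RuntimeError(f"required secret {name} is not set in the environment")
    return value


if __name__ == "__main__":
    for lineno, name in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: literal credential assigned to {name}")
```

Wired into a pre-commit hook, a non-empty result from find_hardcoded_secrets is enough to reject the commit before the key ever reaches the history.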
Perfect security doesn’t exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it’s best to keep those rules to a minimum, and get rid of the ones that don’t make sense. Password expiration is one of those. Goodbye to it, and good riddance.