
Password expiration is dead, long live your passwords


steven36


May was a momentous month, which marked a victory for sanity and pragmatism over irrational paranoia. I’m obviously not talking about politics. I’m talking about Microsoft finally — finally! but credit to them for doing this nonetheless! — removing the password expiration policies from their Windows 10 security baseline.


Many enterprise-scale organizations require their users to change their passwords regularly. This is a spectacularly counterproductive policy. To quote Microsoft:

Recent scientific research calls into question the value of many long-standing password-security practices such as password expiration policies, and points instead to better alternatives … If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.


…If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration? …Periodic password expiration is an ancient and obsolete mitigation of very low value

If you have a password at such an organization, I recommend you send that blog post to its system administrators. They will ignore you at first, of course, because that’s what enterprise administrators do, and because information security (like transportation security) is too often an irrational one-way ratchet because our culture of fear incentivizes security theater rather than actual security — but they may grudgingly begin to accept that the world has moved on.


Instead: Use a password manager like LastPass or 1Password. (They have viable free tiers! You really have no excuse.) Use it to eliminate or at least minimize password re-use across sites. Use two-factor authentication wherever possible. Yes, even SMS two-factor authentication, despite number-porting and SS7 attacks, because it’s still better than one-factor authentication.


And please, if you work with code or data repositories, stop checking your passwords and API keys into your repos. I’m the CTO of a consultancy and you would be amazed how many times clients come to us with this unfortunate setup. Repository access is not fine-grained, repos are very easily copied and/or their copies misplaced, and once you’ve checked in credentials they can be annoyingly tricky to truly delete. Using even something as simple as environment variables instead is a huge step up, and also makes your life simpler in many ways when working across multiple environments.


Perfect security doesn’t exist. World-class security is hard. But decent security is generally quite accessible, if you faithfully follow some basic rules. In order to do so, it’s best to keep those rules to a minimum, and get rid of the ones that don’t make sense. Password expiration is one of those. Goodbye to it, and good riddance.


Source

The AchieVer

Microsoft says Windows 10 passwords shouldn’t expire: Time for other companies to take note

Coming up with new passwords is a headache for users – and a security risk. So why do we still have to do it so often?


Making passwords expire is an obsolete way of protecting user accounts – and may even be doing more harm than good. Not only do passwords that expire every 30 or 60 days create a headache for users who have to dream up a new one, and remember it, they may not improve security at all.


Now Microsoft has changed its stance, removing the recommendation that passwords should expire after a particular period that was previously part of its security guidelines for Windows 10 and Windows Server. Microsoft announced its intention to dump password expiry when the draft guidance was published, which my colleague Liam Tung wrote about.


As Microsoft explains: "Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there's no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem." It goes on: "Periodic password expiration is an ancient and obsolete mitigation of very low value."


Rather than depend on users tweaking passwords (and then writing them on a post-it note), companies should have a broader approach to authentication and security, it says. And it is not changing its requirements for minimum password length, history, or complexity. Taking password expiry out of its baseline means that companies can make their own decisions without being penalised by auditors, the company said.


"By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines," it said.


Microsoft has been predicting the death of the password for more than a decade, and recently has been ramping up its efforts to make that come true. It has long argued that passwords are inconvenient, insecure and expensive to businesses. It argues that they should be replaced with multi-factor authentication and biometrics (although biometrics have their own issues, too).


Microsoft is hardly alone in making this leap. The UK's National Cyber Security Centre (NCSC) recently published a set of best practices for passwords – warning that a bad strategy for passwords that puts too much pressure on users can make your business less secure, not more.


"Inevitably, users will devise their own coping mechanisms to cope with 'password overload'. This includes re-using the same password across different systems, using simple and predictable password creation strategies, or writing passwords down where they can be easily found," it warns. 


NCSC suggests that organisations reduce their reliance on passwords and use single sign-on or biometrics where available (although biometrics in particular come with their own risks). Monitoring password systems for unusual behaviour, using account throttling to defend against brute force attacks, and blacklisting common or guessable passwords are all good practice, it said. Multi-factor authentication for important or vulnerable accounts is good policy too. 


But forcing regular password changes harms rather than improves security, it said. Users are likely to choose new passwords that are only minor variations of the old, and in any case a password that is stolen is generally used by hackers immediately, so resetting it up to 90 days later is rather a waste of time.


Despite security experts calling time on password expiration policies, it's still common across many, if not most, organisations for passwords to expire after a relatively short period of time. Mostly that's down to organisational inertia – there was a time when changing passwords regularly still seemed like a good idea, and the new approach hasn't filtered down to the tech security team. There's also a lot of caution around changing IT policies; nobody wants to be the one to change the status quo and then get blamed when it goes wrong. 


But there are lots of companies that rely on an aggressive password expiry policy as pretty much their only defence against accounts being hijacked, whereas in reality security has to go well beyond that. At least for now, passwords still have their place, but making us all come up with new variations every few weeks may soon be a thing of the past.


Source

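Both posts quote the same replacements for expiration: banned-password lists, detection of password-guessing, and account throttling. As an added example (not code from Microsoft, the NCSC, or either article), here is a banned-list check that also strips the digit/punctuation suffixes users bolt on to "rotated" passwords, and a sliding-window throttle run over constructed log lines; the log format, the banned list, and the 5-failures-in-5-minutes threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed banned list; in production this would be a breached-password feed.
BANNED = {"password", "123456", "qwerty", "letmein", "welcome", "summer"}


def is_banned(password: str) -> bool:
    """True if the password, or the password minus a trailing run of digits
    and punctuation (e.g. 'Summer2019!'), appears on the banned list."""
    lowered = password.lower()
    core = re.sub(r"[\d!@#$%^&*]+$", "", lowered)
    return lowered in BANNED or core in BANNED


# Constructed auth log (syslog-like layout assumed for this example).
LOG = """\
2019-06-01T10:00:01 auth FAIL user=alice src=203.0.113.5
2019-06-01T10:00:03 auth FAIL user=alice src=203.0.113.5
2019-06-01T10:00:04 auth FAIL user=alice src=203.0.113.5
2019-06-01T10:00:06 auth FAIL user=alice src=203.0.113.5
2019-06-01T10:00:07 auth FAIL user=alice src=203.0.113.5
2019-06-01T10:00:09 auth OK   user=alice src=203.0.113.5
2019-06-01T10:30:00 auth FAIL user=bob src=198.51.100.7
2019-06-01T11:45:00 auth FAIL user=bob src=198.51.100.7
"""

LINE = re.compile(r"^(\S+) auth (FAIL|OK)\s+user=(\S+)\s+src=(\S+)$")


def guessing_alerts(log: str, threshold: int = 5,
                    window: timedelta = timedelta(minutes=5)) -> dict:
    """Sliding-window throttle: flag an account the first time `threshold`
    failures land inside `window`. Returns {user: time_of_first_alert}."""
    recent = defaultdict(list)   # user -> failure timestamps still in window
    alerts = {}
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue                       # skip lines we do not understand
        ts, result, user, _src = m.groups()
        if result != "FAIL":
            continue
        now = datetime.fromisoformat(ts)
        # Drop failures older than the window, then record this one.
        recent[user] = [t for t in recent[user] if now - t <= window] + [now]
        if len(recent[user]) >= threshold and user not in alerts:
            alerts[user] = now
    return alerts
```

Bob's two failures 75 minutes apart never cross the threshold, so only alice's burst is flagged; the throttle catches the guessing that expiration was supposed to limit, without touching the password at all.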


Similar topics merged.
