As I read through the new guidelines from the US National Institute of Standards and Technology (NIST) about changing passwords only for a valid reason or condition, I thought these people were nuts. But then I kept reading, and I realized they could be onto something: improving password management without compromising security. This blog is a request for opinions from every admin out there who deals with security and/or password management. Please be as specific as possible in your responses.
Here’s a summary list of the changes to the guidelines (as they pertain to this blog):
1- 64 character length for passphrases [printable ASCII characters, spaces, Unicode characters including emoji]
2- Validate new passwords against a dictionary of well-known bad choices
3- No password hints
4- No knowledge based authentication [pick from a list of questions]
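To make items 1 and 2 concrete, here is an added example of a password validator written in the spirit of those guidelines. It is not code from the original post or from NIST; the blocklist, the reason codes and the `context_words` parameter are assumptions made for the illustration. It accepts up to 64 characters (spaces, Unicode and emoji included, counted as code points rather than bytes), rejects candidates found in a dictionary of well-known bad choices, and deliberately imposes no composition rules or expiry.

```python
import unicodedata
from typing import Iterable, List

# Constructed stand-in for a real dictionary of well-known bad choices
# (in production this would be a breached-password corpus, not six words).
BREACHED_OR_COMMON = {
    "password", "password1", "123456", "qwerty", "letmein", "welcome1",
}

MIN_LEN = 8   # minimum length for a user-chosen secret
MAX_LEN = 64  # the 64-character passphrase ceiling from the guideline summary


def validate_password(candidate: str, context_words: Iterable[str] = ()) -> List[str]:
    """Return the list of reason codes for rejecting `candidate`.

    An empty list means the passphrase is accepted. Reason codes (assumed
    names for this example): too_short, too_long, blocklisted, repetitive,
    contains_context.
    """
    # Normalise Unicode (NFKC) so visually identical passphrases compare equal
    # regardless of how the client composed them.
    normalized = unicodedata.normalize("NFKC", candidate)
    reasons: List[str] = []

    # len() on a str counts code points, so an emoji or a space counts as one.
    length = len(normalized)
    if length < MIN_LEN:
        reasons.append("too_short")
    if length > MAX_LEN:
        reasons.append("too_long")

    lowered = normalized.lower()

    # Dictionary check: exact match against known-bad choices, case-insensitive.
    if lowered in BREACHED_OR_COMMON:
        reasons.append("blocklisted")

    # Reject degenerate inputs such as "aaaaaaaa" or a single repeated emoji.
    if len(set(lowered)) == 1:
        reasons.append("repetitive")

    # Reject context-specific words such as the service or company name.
    for word in context_words:
        if word and word.lower() in lowered:
            reasons.append("contains_context")
            break

    return reasons


if __name__ == "__main__":
    for sample in ("correct horse battery staple", "password", "Welcome1", "acme-rocks-2017"):
        print(repr(sample), "->", validate_password(sample, context_words=("acme",)))
```

The same `validate_password` check can run at login as well as at enrolment, since the plaintext is available at that moment; that is the practical way to catch an existing password that later shows up in a breach corpus without needing to reverse stored hashes.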
Looking at the list above, it seems like a natural advancement towards better security for organizations. However, not expiring passwords? Really?
This week, I had the privilege of discussing this topic with the CISO of a large retailer. His position was that changing passwords is a good second layer of defense against a situation in which a contractor or employee leaves an organization but the organization forgets to disable their account. That got me thinking: he's right! Many organizations rely on password changes instead of controls and audits. So what should an organization do?
1- Should we mandate better controls instead of password changes?
2- Should audits be part and parcel of operations? For example, a list could be sent on a routine basis to the hiring managers informing them of who got terminated.
3- If a breach happens somewhere else, how do we audit the current passwords to ensure they were not part of that breach?
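Question 2 above describes a control that replaces the "forgot to disable the account" safety net of forced expiry: a routine reconciliation of HR terminations against the account directory. The following is an added example of that audit, not code from the original post; the two CSV extracts are constructed sample data, and the column names, the `find_orphaned_accounts` function and the report format are assumptions for the illustration.

```python
import csv
import io
from datetime import date
from typing import List, Tuple

# Constructed HR extract: who has left, and when.
HR_TERMINATIONS_CSV = """employee_id,name,termination_date
1001,Alice Example,2017-06-30
1002,Bob Example,2017-07-15
"""

# Constructed directory export: accounts, their owner, and activity.
# svc-backup is a service account with no employee owner.
DIRECTORY_EXPORT_CSV = """username,employee_id,enabled,last_logon
alice,1001,true,2017-07-20
bob,1002,false,2017-07-14
carol,1003,true,2017-08-01
svc-backup,,true,2017-08-01
"""


def find_orphaned_accounts(hr_csv: str, dir_csv: str, as_of: date) -> List[Tuple[str, int, bool]]:
    """Return (username, days_since_termination, used_after_termination) for every
    directory account that is still enabled although its owner has been terminated."""
    terminated = {
        row["employee_id"]: date.fromisoformat(row["termination_date"])
        for row in csv.DictReader(io.StringIO(hr_csv))
    }
    findings = []
    for account in csv.DictReader(io.StringIO(dir_csv)):
        if account["enabled"].strip().lower() != "true":
            continue  # already disabled: the control worked
        term_date = terminated.get(account["employee_id"])
        if term_date is None:
            continue  # owner still employed, or no owner recorded (service account)
        days_open = (as_of - term_date).days
        # A logon after the termination date is the signal the CISO worried about.
        used_after = date.fromisoformat(account["last_logon"]) > term_date
        findings.append((account["username"], days_open, used_after))
    return findings


def format_report(findings: List[Tuple[str, int, bool]]) -> List[str]:
    """Render findings as the lines of the routine list sent to hiring managers."""
    lines = []
    for username, days_open, used_after in findings:
        flag = "LOGON AFTER TERMINATION" if used_after else "no activity since termination"
        lines.append(f"{username}: enabled {days_open} days after termination ({flag})")
    return lines


if __name__ == "__main__":
    results = find_orphaned_accounts(HR_TERMINATIONS_CSV, DIRECTORY_EXPORT_CSV, date(2017, 8, 10))
    for line in format_report(results):
        print(line)
```

Service accounts with no employee owner fall through this check by design; they need a separate owner-of-record review, otherwise the audit reports a clean result for exactly the accounts that are hardest to expire.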
I’m curious about moving this discussion forward with your thoughts to determine the password controls needed by each of our organizations. Please click on the link below to comment!
President and Enterprise Architect