What is it about a secure password that makes us think it’s secure?

Traditionally, for businesses it’s been things like complexity, minimum length, avoiding known bad passwords, and how often passwords are changed to counter the possibility of undetected compromise.

And yet, recently, the last of those orthodoxies – password expiration – has started to crumble.

In 2016, the influential US National Institute of Standards and Technology (NIST) broke with generations of received wisdom by recommending that scheduled password change should be dropped from the list of good practice on the basis it now does more harm than good.

This week, the mighty Microsoft joined them in no uncertain terms in a blog explaining the company’s security baselines for the forthcoming Windows 10 version 1903, due in May.

Microsoft’s Aaron Margosis didn’t mince his words:

“Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value.”