Everything I Thought About Password Expirations Is Correct (and the Experts Finally Agree)
<blockquote data-quote="bazang" data-source="post: 1104508" data-attributes="member: 114717"><p>The problem is not the password policies.</p><p></p><p>A password manager, along with MFA, should always be used and a requirement of employment (new hire & continuing) is that the employee has to prove they are competent in their use. The company should provide the training for employees who need it, but ultimately the employee has to prove they have a minimum competence using basic, expected cyber security practices. For any that keep contacting IT\sysadmin to fix login problems, IT\sysadmin should be instructed to report those individuals to human resources so a determination can be made as to what is going on with the people. Are they incompetent? Are they negligent? Are they not following procedures? They do not know how to store a new password in a password manager?</p><p></p><p>Security is not software. It is a process.</p><p></p><p></p><p></p><p>The minimum secure password requirement length is 16 and it must allow all characters, capital, lowercase, numbers, and symbols that are in the ASCII BASIC set.</p><p></p><p>The key feature of password security is its entropy. Without sufficiently high entropy, the password can be easily brute force attacked or credential-stuffed.</p><p></p><p>Entropy increases with password length and increased, random use of all character types. Permitting ASCII Extended in passwords shoots the password entry through the roof. A 25 character length password with 160 entropy value will increase to between 200 and 300 simply by permitting ASCII Extended characters.</p><p></p><p>You know the really big hacks that get reported here and make people upset? Many of them are caused by the silly and stupid arguments against strictly enforced passwords and resets. 
If people would lose their jobs because they are not following security procedures, then that would create change.</p><p></p><p>Any company that uses weak password policies is making itself easily hackable, and all your data too. People are always the problem. ALWAYS.</p></blockquote><p></p>