Essentially, password expiration is when an organization requires its workforce to change their passwords every 60, 90 or XX days. And while there are several reasons behind the password expiration policy, most of them at this point are obsolete.

Years ago (decades, even) it was estimated that it would take the average computer approximately 90 days to 'crack' the average password hash. In other words, if an attacker hacked into a website and was able to copy all of the password hashes (passwords are not stored encrypted, but as one-way hashes), the attacker could automate the process of guessing the passwords offline. So the thinking was that if the average password could be cracked in 90 days, people should get into the habit of changing their passwords every 90 days. Over time, this guideline became a requirement in many different standards and became embedded in security folklore. If you did not advocate the regular changing of passwords, you were obviously an incompetent security professional.

Fast forward to today. Password expiration is no longer relevant. In fact, if you conduct a risk-based analysis, you will quickly determine that password expiration does far more harm than good and actually increases your risk exposure. The problem is that organizations and security standards (looking at you, PCI-DSS) have not kept up and continue to promote outdated and harmful practices simply because that is how it has always been done. Let's take a look at why this is the case. There has been a community effort to kill password expiration for years; this is not something new. People like Per Thorsheim, Microsoft's Dr. Cormac Herley, Gene Spafford of Purdue and the Chief Technologist at the FTC, to name just a few, have been working hard to kill password expiration.

OUTDATED THREAT MODEL: In the past twenty-plus years, both technology and the threat model have radically changed. First, most of today's "average" or "bad" passwords can be quickly cracked in the cloud. Passwords that would have taken the average attacker 90 days to crack twenty years ago now take literal seconds, thanks to cheap on-demand computing from providers like AWS. Also, the greatest risk to your password is no longer cracking but password harvesting: cyber criminals infect your computer with keystroke loggers, harvest credentials via phishing websites, take advantage of people sharing or reusing passwords, run social engineering attacks over the phone or by SMS, or use any number of other methods. Basically, since the threat model has changed, if your password is compromised, it will almost certainly be collected in seconds, not months. And when the bad guy gets your password, they are not going to wait the required "90 days"; they are going to leverage it within hours. So by the time you get around to changing your password, the bad guys are long gone. Regular password changing only makes you feel more secure. It does not do anything to actually secure you.

BEHAVIORAL COST: It always amazes me how people in our field look at security from a risk mitigation perspective, but often forget the cost perspective. There is a huge cost to organizations for a password expiration program.
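As an added illustration (not part of the original post) of the OUTDATED THREAT MODEL point above: the "90 days" figure was never a property of passwords, only of guessing throughput. The small Python calculator below estimates the expected time for an offline brute-force attack on a single stolen hash under three assumed throughput scenarios and compares each with a rotation window. The hash rates, the 36-character alphabet (lowercase plus digits) and the 8-character length are assumed round numbers chosen for illustration, not benchmarks of any hardware or product.

```python
"""Added illustration: how long an offline brute-force attack on one stolen
password hash takes under different (assumed) hash throughputs, compared with
a password-rotation window.  The rates below are illustrative round numbers,
not measurements.
"""
from dataclasses import dataclass

SECONDS_PER_DAY = 86_400


@dataclass(frozen=True)
class Scenario:
    name: str
    hashes_per_second: float  # assumed throughput, see SCENARIOS


# Assumed, illustrative orders of magnitude for guessing throughput against a
# single stolen hash.  They are not benchmarks of any particular hardware.
SCENARIOS = (
    Scenario("1990s desktop CPU, fast unsalted hash", 2e5),
    Scenario("rented GPU instances, fast hash (MD5/NTLM class)", 1e11),
    Scenario("rented GPU instances, slow hash (bcrypt-class work factor)", 1e5),
)


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidate passwords of exactly `length` characters."""
    return charset_size ** length


def expected_crack_seconds(charset_size: int, length: int,
                           hashes_per_second: float) -> float:
    """Expected time to hit a uniformly random password: on average the
    attacker tries half of the keyspace before succeeding."""
    return keyspace(charset_size, length) / 2 / hashes_per_second


def expected_crack_days(charset_size: int, length: int,
                        hashes_per_second: float) -> float:
    """Same estimate expressed in days."""
    secs = expected_crack_seconds(charset_size, length, hashes_per_second)
    return secs / SECONDS_PER_DAY


def outlasts_rotation(crack_days: float, rotation_days: float) -> bool:
    """True only if cracking takes longer than the rotation window.  This is
    the one narrow case where rotating could matter, and it says nothing about
    a password that was phished or keylogged and used within hours."""
    return crack_days > rotation_days


def report(charset_size: int = 36, length: int = 8,
           rotation_days: float = 90.0) -> dict:
    """Map scenario name -> (expected days to crack, whether it outlasts the
    rotation window).  Default: 8 characters from lowercase letters + digits."""
    rows = {}
    for s in SCENARIOS:
        days = expected_crack_days(charset_size, length, s.hashes_per_second)
        rows[s.name] = (days, outlasts_rotation(days, rotation_days))
    return rows


if __name__ == "__main__":
    for name, (days, outlasts) in report().items():
        print(f"{name:62s} {days:12.4f} days  outlasts 90-day window: {outlasts}")
```

With the defaults, the CPU-era row lands near the three-month figure the old guidance was built on, the fast-hash GPU row is measured in seconds, and only the slow-hash row outlasts 90 days. The lever that actually changes cracking time is the hash function's work factor and the password's entropy, not the rotation schedule, and none of the rows bears on a credential that was harvested rather than cracked.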