Kevin Mitnick and I are passionately debating the right password policy, using our decades of knowledge and real-life hacking experience.
Listen to it all go down. Register at https://event.on24.com/wcc/r/1856107/295DE6CAB72FFD67B1323DDF19759750?partnerref=SpiceRG2
Ever since the National Institute of Standards and Technology (https://www.nist.gov) submitted Special Publication 800-63 (https://pages.nist.gov/800-63-3/), Digital Identity Guidelines, for review a few years ago, the computer security world has been debating or intentionally ignoring its newest recommended password policies, which run starkly contrary to decades of previous advice. The new advice is so contrary to decades of previous advice, from the same organization, that virtually no one believes it. Certainly, almost no one is using it.
Buried among a thousand other pieces of advice, NIST now says that password policies which require long, complex, frequently changing passwords put users and their companies at MORE risk than simply requiring shorter, non-complex, never-changing passwords. (The memorized-secret section of SP 800-63B pairs that with something the old policies never had: verifiers are expected to screen new passwords against lists of known-compromised and commonly used values instead of enforcing composition rules and periodic rotation.)
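To make the two camps concrete, here is an added example (written for this page, not code from the post, from KnowBe4 or from NIST) that runs the same candidate passwords through a classic "complexity plus 90-day rotation" checker and through a checker built on the SP 800-63B rules for user-chosen memorized secrets: minimum 8 characters, at least 64 accepted, no composition rules, no age check, and rejection of anything on a blocklist of compromised, context-specific, or repetitive/sequential values. The breached-password set and the context words are constructed for the example; a real verifier would screen against a large compromised-credential corpus.

```python
"""Legacy complexity policy vs. NIST SP 800-63B style policy (added example)."""
from __future__ import annotations

import re
from datetime import date, timedelta

# Constructed stand-in for a breached-password corpus (example data, not real).
BREACHED = {"password", "p@ssw0rd1!", "summer2019!", "welcome1", "qwerty123"}

# Context-specific words a verifier should reject (assumed org/service names).
CONTEXT_WORDS = {"knowbe4", "acme"}

# Assumed upper bound; 800-63B says verifiers SHALL accept at least 64 chars.
MAX_LEN = 64


def legacy_policy(pw: str, last_changed: date, today: date) -> list[str]:
    """Classic policy: 8+ chars, 3 of 4 character classes, rotate every 90 days.

    Returns the list of reasons the password fails (empty list means it passes).
    """
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    classes = sum(
        bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    )
    if classes < 3:
        reasons.append("fewer than 3 of 4 character classes")
    if today - last_changed > timedelta(days=90):
        reasons.append("older than 90 days, rotation required")
    return reasons


def _repetitive_or_sequential(s: str) -> bool:
    """True for strings like 'aaaaaaaa', '12345678' or 'hgfedcba'."""
    if len(set(s)) == 1:
        return True
    diffs = {ord(b) - ord(a) for a, b in zip(s, s[1:])}
    return diffs in ({1}, {-1})


def nist_policy(pw: str) -> list[str]:
    """SP 800-63B style policy for user-chosen memorized secrets.

    No composition rules and no age check, by design; the work is done by
    length plus blocklist screening. Returns the list of failure reasons.
    """
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if len(pw) > MAX_LEN:
        reasons.append(f"longer than the {MAX_LEN} characters this verifier accepts")
    low = pw.casefold()  # compare case-insensitively; never truncate the secret
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if any(word in low for word in CONTEXT_WORDS):
        reasons.append("contains a context-specific word")
    if _repetitive_or_sequential(low):
        reasons.append("repetitive or sequential characters")
    return reasons


def compare(pw: str, last_changed: date, today: date) -> dict[str, list[str]]:
    """Run both policies on one candidate and return their verdicts side by side."""
    return {"legacy": legacy_policy(pw, last_changed, today),
            "nist": nist_policy(pw)}


if __name__ == "__main__":
    today = date(2020, 1, 31)
    samples = [
        ("P@ssw0rd1!", date(2020, 1, 1)),                   # "complex", but breached
        ("correct horse battery staple", date(2020, 1, 1)),  # long, one character class
        ("Summer2019!", date(2019, 9, 1)),                  # complex, stale, breached
        ("12345678", date(2020, 1, 1)),                     # sequential
    ]
    for pw, changed in samples:
        verdict = compare(pw, changed, today)
        print(f"{pw!r:34} legacy={verdict['legacy'] or 'PASS'}  nist={verdict['nist'] or 'PASS'}")
```

Running it shows the disagreement the webinar is about: "P@ssw0rd1!" sails through the legacy check and is rejected by the NIST-style one because it is on the blocklist, while a four-word passphrase is rejected by the legacy check for lacking character classes and accepted by the NIST-style one.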
In one corner we have Kevin Mitnick, Chief Hacking Officer of KnowBe4, Inc., and one of the world’s best and most knowledgeable hackers. He’s got tons of real-life experience where his trillion-guesses-a-second password-cracking tool revealed the exact kinds of passwords that NIST is recommending.
In the other, you have me, Roger A. Grimes, KnowBe4’s Data-Driven Defense Evangelist, arguing that the NIST nerds have it right. While Kevin is right that NIST-style passwords are easier to crack, that doesn’t change the data behind NIST’s new recommendations. I know many of the people and computer scientists who submitted the data that ended up convincing NIST to reverse its own long-standing recommendations.
Complicating the new recommendations is the fact that there’s nearly no one on NIST’s side. None of the big laws and regulations (e.g. PCI DSS, HIPAA, SOX, NERC, etc.) have changed their long-standing password guidance. If you tried to change your password policy to match what NIST’s data says it should be, you wouldn’t survive a single compliance audit…and the bosses who sign your paycheck won’t approve it.
So, it’s the ultimate battle of security versus compliance, and so far, to me, it looks like compliance is winning over security. Except for the looming fact that 99% of the world’s computer security experts support the old policy and think it’s more secure anyway.
It’s real-life uber hacker vs. me, a data geek who just happens to also have 30 years of penetration testing experience…although I will readily admit I’m not as good as Kevin. But I’ve seen the data…and the data is pretty convincing. It’s the pen versus the sword, and I know we should all be using the new password policy recommendations.
Kevin and I “got into it” on an internal company email thread. Perry Carpenter said he was sitting back, watching, eating popcorn. It went back and forth for days. Some “victims” got in between me and Kevin and tried to calm things down. It didn’t work. Stu, CEO of KnowBe4, loved it and decided its glory had to be shared with the internet. Perry got roped in as the host and referee.
Come check it out!