Mitnick In The News
We Need to Talk About NIST’s Dropped Password Management Recommendations
Passwords and their protection are among the most fundamental, essential aspects of enterprise data security. They also make up the bane of most users’ relationships with their enterprise devices, resources and assets. It seems no matter how stringent or lax your password policy is, the directive will be met with dissension from a significant portion of your staff. It’s frustrating for everyone — the IT department, C-suite and employees.
Recently, the National Institute of Standards and Technology (NIST) reversed its stance on organizational password management requirements. The institute now recommends banishing forced periodic password changes and getting rid of complexity requirements.
The reasoning behind these changes is that users tend to recycle difficult-to-remember passwords on multiple domains and resources. If one network is compromised, that’s a potential risk for other domains.
Are password managers the answer? Sure, they help generate great, complex passwords and act as a vault for all of our credentials. But they still require a master password — a risk similar to using one set of credentials across platforms. So where do we go from here? Are password managers safe from compromise, or are we doomed to a future of continued password problems?
Passwords: Can’t Live With ‘Em…
It’s clear that a winning formula for password management and policy isn’t one-size-fits-all. In my years of experience drafting and enforcing corporate password policies, I have found that most tactics fail to catch on.
Two of the best-known experts in the field — Kevin Mitnick, chief hacking officer for KnowBe4, and security pundit Frank Abagnale, made famous in the film “Catch Me If You Can” — have slightly differing opinions. But at the end of the day, their views generally echo each other.
Abagnale once told CRN that passwords themselves are “the root of all evil.” More recently, he told SecurityIntelligence that passwords “are for treehouses.”
“Many of the security issues we see today stem from passwords,” Abagnale said. “This is a 1964 technology, developed when I was 16 and still being used in 2018 — and I’m 70 years old.”
…Can’t Live Without ‘Em
Mitnick and Abagnale foresee a world in which passwords are no longer part of the security equation. But until that happens, we need to work with them. Mitnick recommended implementing simple, but long passphrases of 25 characters or more, such as “I love it when my cat purrs me to sleep.” But this is only the first step.
“The 25-character password is... (continued)
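As an added illustration (not code from the article, from NIST or from KnowBe4), here are the two policy styles side by side in Python: a legacy composition-plus-rotation rule of the kind NIST dropped, a length-plus-blocklist rule in the spirit of the revised guidance, and Mitnick's 25-character passphrase suggestion as a separate check. The blocklist and the sample candidates are constructed, and the 8-character minimum and 90-day rotation window are assumptions standing in for typical settings.

```python
import re

# Constructed stand-in for a breached/common-password blocklist (assumption).
COMMON_PASSWORDS = {"password", "p@ssw0rd1!", "summer2018!", "letmein"}

def legacy_policy(pw, age_days=0, max_age_days=90):
    """Composition rules plus forced rotation, the style NIST dropped:
    8+ chars with upper, lower, digit and symbol, and a change every 90 days
    (both thresholds are assumed typical values, not taken from the article)."""
    if age_days > max_age_days:
        return False  # forced periodic change
    classes = [r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]"]
    return len(pw) >= 8 and all(re.search(c, pw) for c in classes)

def nist_style_policy(pw, min_length=8):
    """Length and a blocklist instead of composition rules, and no expiry.
    NIST SP 800-63B also screens candidates against known-compromised lists;
    COMMON_PASSWORDS stands in for such a list here."""
    if len(pw) < min_length:
        return False
    if pw.lower() in COMMON_PASSWORDS:
        return False
    return len(set(pw)) > 2  # reject trivial repeats like "aaaaaaaa"

def is_long_passphrase(pw, min_length=25):
    """Mitnick's suggestion from the article: a simple passphrase of 25+ characters."""
    return len(pw) >= min_length

def evaluate(pw, age_days=0):
    """Return how one candidate fares under each rule, for side-by-side comparison."""
    return {
        "legacy": legacy_policy(pw, age_days),
        "nist_style": nist_style_policy(pw),
        "long_passphrase": is_long_passphrase(pw),
    }

if __name__ == "__main__":
    # Constructed sample candidates: the article's passphrase, a "complex"
    # but well-known pattern, and a trivial repeat.
    for candidate in ["I love it when my cat purrs me to sleep.", "P@ssw0rd1!", "aaaaaaaaaa"]:
        print(repr(candidate), evaluate(candidate))
```

The passphrase fails the legacy rule only because it has no digit, while the "complex" candidate passes the legacy rule and fails the blocklist, which is the mismatch the revised guidance is reacting to.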