https://techcrunch.com/2019/06/02/password-expiration-is-dead-long-live-your-passwords/
Automated password tools can change privileged passwords on a regular schedule. For some, changing once every 30 days is reasonable and for others, daily password changes make sense.
In either case, significant value comes from having unique passwords for every device. It was normal for every server in an organization to have the same Administrator password or root password for Linux / UNIX systems). Just giving each device a unique password makes a hacker's life more difficult as they try to move around your network.
The quote from the article "If a password is never stolen, there’s no need to expire it" seems to ignore the fact that in most breaches, the password was stolen or cracked MONTHS before that is discovered. If you automatically change the password the day after it is cracked, the hacker may not have had time to elevate their privileges and create new credentials for themselves. If they have created new credentials, an automated system may on-board the new account(s) and "rotate" or change the password(s) before they can make the most damaging use of it.
There are also systems that can determine if a credential was created without using the "approved" process, and delete them automatically.
Attempts to access an account repeatedly, trying multiple passwords (to guess the correct one) can be defeated by limiting the allowable # of sign-on attempts per hour or day. Another effective technique is to limit signons to specific time-windows (your regular shift) and geographic locations (your home or office) - exceptions (like working from Hong Kong this week) can be setup to require manager's approval or some other secondary approval mechanism.
As for changing our personal passwords - try changing them every month, and use different UserIDs AND passwords of every app. I also advocate long passwords made up of real words separated by special characters - "My@Camel$Smokes#Hash!123" is much harder to crack than "$i!!y-R@bb1t!" simply because of the number of characters. Second factor (two-factor) authentication where the product sends you a code (that must be entered in a given time span) via a text message (or phone call) are very worthwhile and should be the standard already.
With the looming approach of Quantum Computing, many in the industry believe that cracking of passwords and encryption keys will become very quick - nobody is sure what will replace them ...
No comments:
Post a Comment