Do not punish the authorized. Security controls that require complex passwords rotated every 90 days, or worse, every 30 days (yes, it happens), are terrible and degrade security as a whole: users respond to forced rotation with predictable variations of the old password, which attackers guess easily and legitimate users forget.

Relevant, recent articles:

Going forward:

  • Sysadmins, security professionals, and developers: it is your job to make better choices. Do not punish the authorized while adding to security theater with password-only authentication.
  • Implement two-factor authentication at the gates. All of your public entry points should have two-factor auth, without debate. That includes webmail, VPN, etc. It does not mean prompting every time: depending on the system, you can keep trust profiles that skip the prompt on a machine the user has previously trusted, or use second-factor options that are almost transparent to the user.
  • Consider the threat model. Have a trust profile for the user, and adjust authentication based on that.
  • Overall, focus on making it easy for the user and hard for the attacker.
  • I am excited for the future (e.g. the FIDO Alliance) and cringe every day knowing the current state.
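The second and third points above (second factor at every public gate, but a trust profile that skips the prompt on a previously trusted machine and steps up on anomalies) are easy to state and easy to get wrong. The example below is added here and is not code from the original post: a small policy engine that issues an HMAC-signed "remember this device" token after a successful second factor, validates it on later logins, and decides per attempt whether to allow, deny, or require a second factor. The signing key, the 30-day trust lifetime, the set of "gate" entry points and the country-change anomaly check are all assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import json
import time
from dataclasses import dataclass
from typing import Optional

# Server-side secret for signing device-trust tokens. Constructed for this
# example; a real deployment loads it from a secret store and rotates it.
SERVER_KEY = b"constructed-example-signing-key-not-for-production"

TRUST_TTL_SECONDS = 30 * 24 * 3600               # assumption: trust a device for 30 days
PUBLIC_ENTRY_POINTS = {"webmail", "vpn", "sso"}  # assumption: the "gates" of the post


def _sign(payload: bytes) -> str:
    return hmac.new(SERVER_KEY, payload, hashlib.sha256).hexdigest()


def issue_device_token(user: str, device_id: str, now: Optional[float] = None) -> str:
    """Issue a signed 'remember this device' token after a successful second factor."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"u": user, "d": device_id, "exp": int(now + TRUST_TTL_SECONDS)},
        separators=(",", ":"), sort_keys=True,
    ).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)


def device_is_trusted(token: Optional[str], user: str, device_id: str,
                      now: Optional[float] = None) -> bool:
    """A device is trusted only if its token is intact, bound to this user and
    device, and not expired. Any parse or signature failure means 'not trusted'."""
    if not token or "." not in token:
        return False
    now = time.time() if now is None else now
    b64, sig = token.rsplit(".", 1)
    try:
        payload = base64.urlsafe_b64decode(b64.encode())
        claims = json.loads(payload)
    except ValueError:          # covers binascii.Error, JSONDecodeError, bad UTF-8
        return False
    if not hmac.compare_digest(_sign(payload), sig):   # constant-time compare
        return False
    return (claims.get("u") == user and claims.get("d") == device_id
            and claims.get("exp", 0) > now)


@dataclass
class LoginAttempt:
    user: str
    password_ok: bool
    entry_point: str            # e.g. "webmail", "vpn", "intranet-wiki"
    device_id: str              # stable identifier the client presents (assumed)
    device_token: Optional[str]
    country: str                # geo-IP of this request (assumed available)
    usual_country: str          # where this user normally logs in from


def decide(attempt: LoginAttempt, now: Optional[float] = None) -> str:
    """Return 'deny', 'allow' or 'second_factor' for one login attempt."""
    if not attempt.password_ok:
        return "deny"
    trusted = device_is_trusted(attempt.device_token, attempt.user, attempt.device_id, now)
    anomalous = attempt.country != attempt.usual_country
    if attempt.entry_point in PUBLIC_ENTRY_POINTS:
        # Public gates always require a second factor, unless this exact device
        # already passed one recently and nothing about the request looks off.
        return "allow" if (trusted and not anomalous) else "second_factor"
    # Internal, lower-value systems: step up only when something is off.
    return "second_factor" if anomalous else "allow"


if __name__ == "__main__":
    tok = issue_device_token("alice", "laptop-1")
    first = LoginAttempt("alice", True, "webmail", "laptop-1", None, "DE", "DE")
    later = LoginAttempt("alice", True, "webmail", "laptop-1", tok, "DE", "DE")
    abroad = LoginAttempt("alice", True, "webmail", "laptop-1", tok, "BR", "DE")
    print(decide(first), decide(later), decide(abroad))
```

The token is bound to both the user and the device identifier, so a stolen token presented from another device or for another account is worthless, and the signature check uses `hmac.compare_digest` so a forged token cannot be refined byte by byte. The policy is deliberately asymmetric: the user who trusted their laptop last week logs in with only a password, while the attacker with that password but not the device, or logging in from an unexpected country, still hits the second factor.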
