Do not punish the authorized. Security controls recommending complex passwords that be rotated every 90, or worse, 30 days (yes it happens) are terrible and degrading security as a whole.
Relevant, recent articles:
- Sysadmins, security professional, and developers…it is your job to make better choices and not punish the authorized while adding to security theater with password-only based authentication
- Implement two-factor authentication at the gates. All of the your public entry points should have two-factor auth without debate. That includes webmail, vpn, etc. That doesn’t mean that, depending on the system, you can have trust profiles to not prompt for a factor if you have previously trusted the machine or work with better second factor options that are almost transparent to the user.
- Consider the threat model. Have a trust profile for the user. Adjust authentication based that.
- Overall, focus on making it easy for the user and hard for the attacker.
- I am excited for the future (e.g. fido alliance) and cringe everyday knowing the current state.