Dark Reading is part of the Informa Tech Division of Informa PLC


Edge Features

12/5/2019
02:00 PM
Joan Goodchild

10 Security 'Chestnuts' We Should Roast Over the Open Fire

These outdated security rules we all know (and maybe live by) no longer apply.

Roast: Use Complex Passwords. Change Them Periodically.

"Passwords have almost zero redeeming value left at this point, especially with how many breaches have already compromised so many of them," says Akamai CSO Andy Ellis. "The password complexity requirements -- almost perfectly designed to make them hard for humans to remember -- added to rules like 'don't write them down' have created incentives for most humans to reuse passwords. And a password breached at one site is useful for breaking into another one. So let's retire the password rules and look at some options."

Among his suggestions: "If you would let a user reset a password with a click from a known email account, consider moving to email-based login," he says. "If you need something stronger, use a push-based MFA."

Aaron Turner, president and CSO of HighSide, also thinks the password should be swapped out for other forms of authentication. But for those not ready to give passwords up, he says, the time-driven reset should be done away with completely: it is an outdated practice that no longer holds up against current attack methods, which calculate the likely patterns in how passwords are chosen and changed.

(Image: designer491, via Adobe Stock)


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.

Comments
mgotts, User Rank: Strategist
12/9/2019 | 3:53:27 PM
Re: challenge questions
You beat me to it. Challenge questions have value so long as you use meaningless answers. In many cases I let the password manager generate additional random passwords and then enter those as challenge question answers. Also, if possible I choose questions that have little or no applicability to me.

So, challenge questions DO have some value if they are meaningless and/or random.
RDENAT012, User Rank: Apprentice
12/9/2019 | 9:07:47 AM
challenge questions
Regarding challenge questions. Agree with the points made by the author. That said, there's no reason why the answers need to have anything to do with reality. I give 'fraudulent' answers all the time. Just remember to write questions & answers in your password manager. ;-)