This is still a consistent battle with SecOps teams and many clients have contradictory ideas of best practice in this area. I think clarity is desperately needed.
+1

On Mon, 6 Dec 2021 at 14:42, Jeffrey Walton <noloa...@gmail.com> wrote:

> On Mon, Dec 6, 2021 at 8:59 AM Kurt Seifried <k...@seifried.org> wrote:
> >
> > I think it's not an OBSOLETE issue; it's an active change in policy due to further research and knowledge.
> >
> > A great parallel is "3DES is good. USE 3DES!" which was a GREAT policy in 1998. It has since been retired and its use has been banned by NIST after 2023 (https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA).
> >
> > Why is the password aging issue any different? In fact, it's pretty much identical: NIST said this was a good idea, further research/technology movement happened, and we learned it was a bad idea. So bad, in fact, that it should probably be banned.
> >
> > Also, the ONE positive aspect of rotating passwords, which is that an attacker gets a password, uses it, and this effectively locks them out, means your controls are so weak that:
> >
> > 1) you can't detect an attacker in the system and you basically have to hope they get locked out after 30/60/90/whatever days because of password rotation
> >
> > 2) your users are choosing bad passwords and/or exposing them somehow (phishing?) which means your access controls are basically doomed to fail at some point anyway
> >
> > and password rotation effectively covers this up and prevents real movement forwards.
>
> +1.
>
> Jeff
>
> --
> To view this discussion on the web, visit https://groups.google.com/a/codat.io/d/msgid/security/CAH8yC8knf_nud-%3DZtDVGvCwyKSugxSc6tF86H6xkbMCvskoMjw%40mail.gmail.com

--
Jason Dryhurst-Smith
Head of Engineering
301 Ink Rooms, 28 Easton Street, London WC1X 0BE
LinkedIn <https://www.linkedin.com/in/jason-dryhurst-smith-55026739/>