One Article Review

Home - The article:
Source: NoticeBored
Identifier: 409105
Publication date: 2017-08-13 18:00:58 (seen: 2017-08-13 18:00:58)
Title: NBlog August 13 - updating
Text: Another basic information security practice is updating, e.g.:

Patch promptly (update software)
Lock-n-load (physical security)
Counter cons (social engineering)
Nuke nasties (update antivirus)
Read rules (security policies)

Those short alliterative phrases are memory-joggers to catch people's imagination and remind them about the things they ought to be doing regularly.

Conspicuously missing from the list is changing passwords: once upon a time, it was generally accepted practice to force people to change their passwords every few weeks or months. I have never quite understood the rationale for this. It takes effort to think up and commit to memory yet another strong password, and there are security costs when people forget their passwords, so what's the benefit? I suppose it might frustrate someone who has been surreptitiously watching a colleague enter their password every day, trying to figure out what they are typing ... but really? Arguably it would reduce the success rate of repeated brute-force password guesses - that ought to be triggering alarms anyway. I just don't get it and nor, now, does NIST:

"Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator."

That comes from NIST Special Publication 800-63B - Digital Identity Guidelines: Authentication and Lifecycle Management, published in June and recently picked up by the security press.

The list of things to include in the InfoSec 101 awareness module is becoming clearer by the day.
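As an added illustration (not part of the NoticeBored post or of NIST's own text), the two verifier policies the post contrasts, side by side: the legacy policy with a 90-day expiry and composition rules, and a policy following the quoted SP 800-63B rules, which forces a change only on evidence of compromise and imposes no composition rules. The account data, the 90-day age limit and the `compromise_evidence` flag are constructed for the example; the 8-character minimum is the SP 800-63B floor for user-chosen memorized secrets.

```python
from dataclasses import dataclass
from datetime import date, timedelta
import re


@dataclass
class Account:
    username: str
    password_set_on: date
    # Assumption for the example: set when the verifier has evidence the
    # secret is compromised (credential seen in a breach dump, confirmed phish).
    compromise_evidence: bool = False


# Legacy rules the post argues against: calendar expiry and composition rules.
LEGACY_MAX_AGE = timedelta(days=90)  # constructed value
LEGACY_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]


def legacy_requires_change(acct: Account, today: date) -> bool:
    """Force a change on a fixed calendar, whether or not anything happened."""
    return acct.compromise_evidence or (today - acct.password_set_on) > LEGACY_MAX_AGE


def legacy_secret_ok(secret: str) -> bool:
    """Require all four character classes and forbid consecutive repeats."""
    has_all_classes = all(re.search(p, secret) for p in LEGACY_CLASSES)
    no_repeats = re.search(r"(.)\1", secret) is None
    return len(secret) >= 8 and has_all_classes and no_repeats


# SP 800-63B rules as quoted in the post.
NIST_MIN_LENGTH = 8  # SP 800-63B minimum for user-chosen memorized secrets


def nist_requires_change(acct: Account, today: date) -> bool:
    """SHALL force a change on evidence of compromise; never on age alone."""
    return acct.compromise_evidence


def nist_secret_ok(secret: str) -> bool:
    """No composition rules: a length floor is the only local check kept here."""
    return len(secret) >= NIST_MIN_LENGTH


def forced_changes(policy, accounts, today):
    """Usernames that `policy` would force to choose a new secret on `today`."""
    return sorted(a.username for a in accounts if policy(a, today))


# Constructed sample data: four accounts, one with compromise evidence.
TODAY = date(2017, 8, 13)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2017, 1, 10)),                            # old, no evidence
    Account("bob", date(2017, 7, 30)),                              # recent
    Account("carol", date(2016, 11, 2), compromise_evidence=True),  # compromised
    Account("dave", date(2017, 4, 1)),                              # old, no evidence
]

if __name__ == "__main__":
    print("legacy forces:", forced_changes(legacy_requires_change, SAMPLE_ACCOUNTS, TODAY))
    print("NIST forces:  ", forced_changes(nist_requires_change, SAMPLE_ACCOUNTS, TODAY))
    for s in ["correct horse battery staple", "Tr0ub4dor&3", "aaBB11!!"]:
        print(f"{s!r}: legacy={legacy_secret_ok(s)} nist={nist_secret_ok(s)}")
```

Run against the sample accounts, the legacy policy forces three changes, two of them for accounts with no sign of trouble, which is exactly the memorisation cost the post questions; the NIST-style policy forces only the one change that evidence justifies. The secret checks show the other half of the guidance: a long passphrase with no capitals fails the legacy composition rules while passing the NIST length floor.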
Sent: Yes


The article does not seem to have been picked up after its publication.


The article does not seem to be a repeat of an earlier one.