Microsoft says mandatory password changes are "ancient and obsolete"




Screenshot of gameshow Password.

Microsoft is finally catching up to a maxim that security experts have almost universally accepted for years: periodic password changes can do more harm than good.

In a largely overlooked post published last month, Microsoft said it was dropping periodic password changes from the security baselines it recommends to customers and auditors. After decades of Microsoft recommending regular password changes, Microsoft's Aaron Margosis called the practice an "ancient and obsolete mitigation of very low value."

The change of heart is largely the result of research showing that passwords are most likely to be cracked when they are easy for end users to remember, for example when they use a name or a phrase from a favorite movie or book. Over the past decade, hackers have mined real-world breaches to assemble dictionaries containing millions of words. Combined with high-speed graphics cards, those dictionaries let attackers make enormous numbers of guesses in offline attacks, which occur after they steal the cryptographic hashes that represent users' plaintext passwords.
Even when users try to obfuscate easy-to-remember passwords by appending letters or symbols to words, or by substituting 0 for o or 1 for l, hackers use rule sets that apply the same alterations to every dictionary entry. Such measures therefore offer little protection against modern cracking techniques.

Researchers have increasingly converged on a consensus: the best passwords are at least 11 characters long, randomly generated, and made up of upper- and lower-case letters, symbols (such as %, * or >) and numbers. Those traits make them especially hard for most people to remember. The same researchers have warned that mandating password changes every 30, 60 or 90 days, or at any other interval, can be counterproductive for several reasons. Among them: the requirement encourages end users to choose weaker passwords than they otherwise would. A password that was "P@$$w0rd1" becomes "P@$$w0rd2" and so on. At the same time, mandatory changes offer little security benefit, because a password should be changed immediately after a genuine breach rather than at an interval fixed by policy.
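To make the attack described above concrete, here is an added example (it is not code from this article, from Microsoft, or from the researchers cited): a miniature offline cracking run in the style of a hashcat dictionary-plus-rules attack. The word list, the mangling rules, and the "stolen" hashes are all constructed for the demo, and unsalted SHA-256 stands in for whatever fast hash a real dump would contain. The point it shows is that one base word and a handful of rules recover every "P@$$w0rdN" rotation in the same pass, while an 11-character random password from the same run survives.

```python
"""
Added example (not code from the article, from Microsoft, or from the
researchers it cites): a miniature offline cracking run in the style of a
hashcat dictionary + rules attack.  Unsalted SHA-256 stands in for whatever
fast hash a real dump would contain; the word list, the rules and the
"stolen" hashes are all constructed for the demo.
"""
import hashlib
import itertools
import secrets
import string

# Constructed stand-in for a breach-derived dictionary.
WORDLIST = ["password", "summer", "skywalker", "letmein"]

# Substitutions users commonly make; each letter maps to its possible
# replacements (itself included), so the product covers every mix.
LEET = {
    "a": ["a", "@", "4"], "s": ["s", "$", "5"], "o": ["o", "0"],
    "e": ["e", "3"], "i": ["i", "1", "!"], "l": ["l", "1"],
}

# Appended suffixes: nothing, 0-99, a few symbols, and recent years.
SUFFIXES = ([""] + [str(n) for n in range(100)] + ["!", "!1", "123"]
            + [str(y) for y in range(1990, 2026)])


def sha256(password):
    """Hex digest of an unsalted SHA-256 (stand-in for the dump's hash)."""
    return hashlib.sha256(password.encode()).hexdigest()


def leet_variants(word):
    """Every combination of the substitutions in LEET for one word."""
    for combo in itertools.product(*(LEET.get(c, [c]) for c in word)):
        yield "".join(combo)


def candidates(word):
    """Mangling rules: case, then leet, then a suffix (like a hashcat rule file)."""
    for cased in (word, word.capitalize(), word.upper()):
        for leeted in set(leet_variants(cased)):
            for suffix in SUFFIXES:
                yield leeted + suffix


def crack(hashes, wordlist=WORDLIST):
    """Return {hash: plaintext} for every target hash the rules recover."""
    targets = set(hashes)
    found = {}
    for word in wordlist:
        for cand in candidates(word):
            h = sha256(cand)
            if h in targets and h not in found:
                found[h] = cand
                if len(found) == len(targets):
                    return found
    return found


def random_password(length=11):
    """What the researchers recommend: random, mixed classes, 11+ chars."""
    alphabet = string.ascii_letters + string.digits + "%*>!@#$"
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed victims: one user across three forced rotations, one
    # season-plus-year favourite, and one randomly generated password.
    rotated = ["P@$$w0rd1", "P@$$w0rd2", "P@$$w0rd3", "Summer2019"]
    strong = random_password()
    dump = {sha256(p): p for p in rotated + [strong]}
    found = crack(dump)
    for h, plain in dump.items():
        status = "cracked as " + found[h] if h in found else "survived"
        print(f"{plain:>14}: {status}")
```

The rule set here is tiny (three case forms, six substitutions, about 140 suffixes), which is enough to recover every rotation of "P@$$w0rd" from the single dictionary word "password". Real rule files such as hashcat's best64 or dive are far larger, which is why appending a counter or a year at each forced change buys nothing.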

Despite the growing consensus among researchers, Microsoft and most other large organizations had been reluctant to come out against periodic password changes. One notable exception came in 2016, when Lorrie Cranor, then chief technologist at the Federal Trade Commission, announced her own employer's position. Almost three years later, Cranor has company.

In last month's post, Margosis wrote:

There's no question that the state of password security is problematic and has been for a long time. When humans pick their own passwords, too often they are easy to guess or predict. When humans are assigned or forced to create passwords that are hard to remember, too often they'll write them down where others can see them. When humans are forced to change their passwords, too often they'll make a small and predictable alteration to their existing passwords and/or forget their new passwords. When passwords or their corresponding hashes are stolen, it can be difficult at best to detect or restrict their unauthorized use.

Recent scientific research calls into question the value of many long-standing password security practices, such as password expiration policies, and points instead to better alternatives such as enforcing banned-password lists (a great example being Azure AD password protection) and multi-factor authentication. While we recommend these alternatives, they cannot be expressed or enforced with our recommended security configuration baselines, which are built on Windows' built-in Group Policy settings and cannot include customer-specific values.

He added:

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and used by an unauthorized entity. If a password is never stolen, there's no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it's a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn't that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days, and used to say 90 days, because forcing frequent expiration introduces its own problems. And if it's not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

Margosis made clear that the changes do not affect the recommended password length, history or complexity in any way. And, as he also noted, Microsoft continues to urge users to adopt multifactor authentication.
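The banned-password list Margosis points to as a replacement for expiration is simple to illustrate. The following is an added example, not Microsoft's code and not the actual algorithm behind Azure AD Password Protection: a deliberately simplified check that normalizes a candidate (case, common leet substitutions, trailing digits and symbols) before comparing it against a banned list, so that "P@$$w0rd2" and similar obfuscations are rejected even though they satisfy a complexity rule. The banned list and the 11-character minimum are constructed for the demo; a real list is larger and tenant-specific.

```python
"""
Added example (not Microsoft's code, and a deliberate simplification rather
than Azure AD Password Protection's real algorithm): a banned-password check
that normalises a candidate before comparing it against a banned list.
The banned list and the minimum length are constructed for the demo.
"""
import re

# Constructed banned list: words that top breach dumps plus a hypothetical
# company name (real lists are larger and tenant-specific).
BANNED = ("password", "welcome", "summer", "letmein", "contoso")

# Reverse of the substitutions attackers expect users to make.
UNLEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                        "0": "o", "3": "e", "1": "i", "!": "i"})


def normal_forms(password):
    """Return the canonical spellings a banned word could be hiding behind.

    Two forms are produced: the whole password un-leeted, and the password
    with trailing digits/symbols stripped and then un-leeted, so that the
    trailing "1" in "P@$$w0rd1" is treated as a counter rather than as "i".
    """
    low = password.lower()
    stripped = re.sub(r"[^a-z]+$", "", low)
    return {low.translate(UNLEET), stripped.translate(UNLEET)}


def is_banned(password, banned=BANNED):
    """True if any banned word appears inside any normal form."""
    return any(word in form
               for form in normal_forms(password)
               for word in banned)


def check_password(password, banned=BANNED, min_length=11):
    """Return None if the password is acceptable, otherwise the reason."""
    if len(password) < min_length:
        return "too short"
    if is_banned(password, banned):
        return "contains a banned word"
    return None


if __name__ == "__main__":
    # Constructed candidates: rotation tricks, a leeted common word, and a
    # randomly generated password.
    for pw in ["P@$$w0rd1", "P@$$w0rd2019!", "Welc0me!2020", "k7>Qz%2Lm*R"]:
        print(f"{pw:>14}: {check_password(pw) or 'ok'}")
```

Substring matching on the normalized form is what catches "P@$$w0rd2019!" and "Welc0me!2020": both collapse to a banned word once case, substitutions and the appended counter are undone. A check like this runs at the moment the password is set, which is where a policy can actually stop the "append one and move on" pattern that expiration encourages.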

The changes to Microsoft's security baselines will not alter the default values built into Windows Server, which, according to Margosis, remain at 42 days, even shorter than the 60 days the old baseline recommended. Still, the baseline change is likely to give ammunition to employees who push for changes inside their own organizations. Jeremi Gosney, a password security expert and founder and CEO of Terahash, said it could also help companies push back against auditors, who often find them non-compliant unless they require password changes within a set period.

"Microsoft officially coming out against mandatory password changes," Gosney said, "will give companies even more leverage against Big Compliance."

The subheadline of this post has been changed. It previously read: "Due to a major trend, the company no longer advises organizations to apply periodic changes."
