Gerald Beuchelt, the Chief Information Security Officer at LogMeIn, talks about how changes in authentication may deliver a passwordless future.
Additionally, eliminate the frequent password change requirements, only require password changes when there was a known or suspected compromise of account credentials, and scan new and existing passwords against known lists of compromised account credentials.
The new NIST guidance on passwords recommends that:
- passwords never expire
- no required character complexity or variety rules be implemented
- the maximum length for passwords be set to 64 characters
- the minimum length for passwords be set to 8 characters
- passwords are checked against known bad passwords, banned lists, etc.
- no hints or knowledge-based questions be provided to someone trying to log in (like “Who was your best friend in high school?”)
- passwords are changed only when forgotten
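To make the list above concrete, here is an added example (not code from the original post, NIST, or LogMeIn) of a password acceptance check written the way the guidance describes: a minimum of 8 and a maximum of 64 characters, no composition rules, and a screen against a list of known compromised passwords. The breached-password set is constructed inline as a stand-in for a real corpus; the prefix/suffix split of the SHA-1 digest mimics the k-anonymity range-lookup pattern used by breached-password services so that only a short hash prefix would ever leave the client. The function and constant names are assumptions made for this example.

```python
import hashlib
import unicodedata

MIN_LEN = 8   # NIST minimum for user-chosen memorized secrets
MAX_LEN = 64  # the page's stated maximum

def _sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the UTF-8 bytes, the format breach corpora use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

# Constructed stand-in for a breached-password corpus: maps a 5-hex-char SHA-1
# prefix to the set of digest suffixes known to be compromised. A real deployment
# would query or mirror an actual corpus instead of this hand-built list.
_CONSTRUCTED_BREACHED = ["password", "123456789", "qwertyuiop", "letmein123"]
BREACH_RANGES: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = _sha1_hex(_pw)
    BREACH_RANGES.setdefault(_h[:5], set()).add(_h[5:])

def normalize(password: str) -> str:
    """NFKC-normalize so visually identical inputs compare equal, and so length
    is measured in Unicode code points rather than UTF-8 bytes."""
    return unicodedata.normalize("NFKC", password)

def is_breached(password: str, ranges: dict[str, set[str]] = BREACH_RANGES) -> bool:
    """k-anonymity style lookup: look up the 5-char prefix, then compare the
    remaining 35 hex chars locally against the returned suffixes."""
    digest = _sha1_hex(password)
    return digest[5:] in ranges.get(digest[:5], set())

def check_password(password: str, ranges: dict[str, set[str]] = BREACH_RANGES) -> tuple[bool, str]:
    """Return (accepted, reason). Deliberately applies no character-class rules:
    spaces, punctuation and non-ASCII characters are all acceptable, and the only
    content rule is absence from the breach corpus."""
    pw = normalize(password)
    length = len(pw)
    if length < MIN_LEN:
        return (False, "too short")
    if length > MAX_LEN:
        return (False, "too long")
    if is_breached(pw, ranges):
        return (False, "found in breach corpus")
    return (True, "ok")

if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "password", "short", "a" * 65]:
        print(repr(candidate[:20]), check_password(candidate))
```

Note that "password" is long enough to pass the length rule and is rejected only by the breach screen; that ordering is what lets a deployment drop the expiry and complexity rules the list above argues against while still catching the credentials attackers actually try first.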
I would add two-factor authentication to that. Where possible, my online account passwords are sixteen characters or longer. I change them after notification of a data breach or, in some cases, once a year. Where feasible, I have enabled two-factor or two-step authentication for my accounts. Even on my iMac at home, I have a 24-character password. I use a different password for each online account. I use a password vault application such as 1Password or LastPass to track my passwords. I protect the password vault with a sixteen-character password that I don't use anywhere else.
"Blockchains are often viewed as security pixie dust" ~ Ron Rivest, MIT professor and cryptographer.
You know that talk about a technology is over-hyped when the security chief says he wants to adopt blockchain technology but can't explain what it is or how it will benefit the organization.