8 August 2020
The Password Policy Guide(1) published by the Center for Internet Security (CIS) on 29 July 2020 drowned in the omnipresent noise of vulnerabilities and data breaches.
Wrongly, because the CIS guide puts an end to the commonly accepted practice of complex passwords, namely those that are easy to crack but hard to remember.
The guide recommends:
- The use of passphrases because users will select longer, more-secure passwords.
- Event-based password expiration with an annual change as a backstop.
- And the use of password managers.
Especially for password managers the guide recommends:
“Use of these should be actively encouraged for use with password-only authentication systems (especially if the user needs to manage access to multiple of these systems)”
And, where “feasible, using MFA instead of just a master password to gain access to the Password Manager is preferred”
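As an added illustration, not part of the original post or of the CIS guide, here is a small Python check that scores a candidate by length alone rather than by character-class rules, with a search-space estimate showing why a randomly chosen passphrase holds up; the minimum length and the word list are assumptions:

```python
import math
import secrets
import string

# Assumed policy value for this illustration (not a number quoted from the guide on this page):
# a single minimum length, no character-class composition rule.
MIN_LENGTH = 14

# Constructed mini word list; a real generator would use a published list of thousands of words.
WORDLIST = ["anchor", "basil", "comet", "dune", "ember", "fjord", "glacier", "harbor"]


def brute_force_bits(password: str) -> float:
    """Upper bound on search-space bits if an attacker had to try every string
    over the character classes the password uses (len * log2(alphabet)).
    Patterned strings such as P@ssw0rd1! fall far below this bound in practice."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 ASCII punctuation characters
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Bits of a passphrase whose words are drawn uniformly at random from the dictionary."""
    return num_words * math.log2(dictionary_size)


def check_policy(candidate: str) -> dict:
    """Length-only rule in the spirit of the guide: a long passphrase passes,
    a short 'complex' password fails, and composition is not scored at all."""
    ok = len(candidate) >= MIN_LENGTH
    return {"accepted": ok, "length": len(candidate),
            "reason": "ok" if ok else f"shorter than {MIN_LENGTH} characters"}


def generate_passphrase(num_words: int, words=WORDLIST, sep: str = "-") -> str:
    """Random passphrase; secrets.choice is a CSPRNG, unlike random.choice."""
    return sep.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for pw in ["P@ssw0rd1!", "anchor-comet-glacier-dune"]:
        print(pw, check_policy(pw), round(brute_force_bits(pw), 1))
    # four words from a 7776-word list: about 51.7 bits from words a user can remember
    print(round(passphrase_bits(4, 7776), 1))
    print(generate_passphrase(4))
```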
Yubikey for MFA and KeePassXC
For some months now I have mainly been working on a Linux desktop. Unfortunately, I often have to switch to Windows because of Word and PowerPoint. So, I use KeePassXC to allow easy switching between the operating systems.
My cloud account is secured with Yubikey, and so is my KeePassXC database. Works fine on Windows and Linux.
To boost user experience and password security, please give the CIS Password Policy Guide the attention it deserves.
Have a great weekend.
- White Paper: CIS Password Policy Guide [Internet]. Center for Internet Security. [cited 2020 Aug 8]. Available from: https://www.cisecurity.org/white-papers/cis-password-policy-guide/.
8 November 2014
The Report ‘Research shows enterprises leaking shadow data to the cloud’ by Rob Wright is absolutely worth reading:
‘A new study by cloud security startup Elastica shows that enterprise employees are unknowingly leaking sensitive data through cloud apps and services.’
The results from a review of about 100 million files from approximately 100 different companies are really alarming:
‘185 files on average are shadow data — data that is uploaded to cloud services such as Dropbox or Google Drive — which has been broadly shared without approval via cloud services with either the entire enterprise or people outside of the company. Worse, 20% of those broadly shared files contain compliance data, with 56% of that compliance data being personally identifiable information such as social security numbers, 29% being personal health information, and 15% being payment card information.’
But the assumption that employees share sensitive information unknowingly is in my opinion unrealistic. Employees use Dropbox or SkyDrive to simplify their daily work!
Although BYOD has been a hot topic for years now, most businesses are not yet aware of the problem. Even if a company has not started a BYOD program, or has deliberately opted against one, the existing policies have to be updated and communicated to all employees. If the company has decided against a BYOD program, it is very important to communicate the reasons for this decision to all employees.
IT groups must implement appropriate measures to support the business strategy regarding BYOD, e.g. block Dropbox or SkyDrive and provide effective and easy-to-use means of communication with external partners.
Enjoy the colors … to find some peace of mind for reading the White Paper.
Evening Colors, 49°35’48.1″N 6°37’05.8″E