8 August 2020
The Password Policy Guide(1) published by the Center for Internet Security (CIS) on 29 July 2020 drowned in the omnipresent noise of vulnerabilities and data breaches.
Wrongly so, because the CIS guide puts an end to the widely accepted practice of requiring complex passwords, that is, passwords that are easy for machines to crack but hard for humans to remember.
The guide recommends:
- The use of passphrases, because users will then select longer, more secure passwords.
- Event-based password expiration, with an annual change as a backstop.
- The use of password managers.
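The first two recommendations are easy to put into numbers. The example below is added here and is not part of the CIS guide or of this post: it generates a passphrase from a constructed sample word list with a cryptographically secure choice, compares the entropy of a short complex password against a word-based passphrase, and implements the event-based expiry rule with an annual backstop. The word list, the 94-character alphabet and the 7776-word list size are assumptions used for the calculation (7776 is the size of a typical diceware-style list; the embedded list is deliberately tiny and only stands in for a real one).

```python
import math
import secrets
from datetime import date

# Constructed sample word list. A real deployment would use a published
# list of several thousand words; this one only illustrates the mechanics.
SAMPLE_WORDS = [
    "anchor", "basil", "canyon", "dolphin", "ember", "falcon", "glacier",
    "harbor", "island", "juniper", "kestrel", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]

# Assumed sizes for the entropy comparison.
PRINTABLE_ASCII = 94        # letters, digits and symbols on a US keyboard
DICEWARE_LIST_SIZE = 7776   # 6^5 words, the usual diceware list size


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a secret made of `length` symbols, each drawn
    uniformly at random from `alphabet_size` possibilities.
    This is an upper bound: user-chosen secrets are far from uniform."""
    return length * math.log2(alphabet_size)


def generate_passphrase(words: list[str], count: int = 6, separator: str = "-") -> str:
    """Pick `count` words uniformly with the `secrets` module (CSPRNG),
    not `random`, so the passphrase cannot be predicted from the seed."""
    return separator.join(secrets.choice(words) for _ in range(count))


def compare_strength() -> dict[str, float]:
    """Entropy of an 8-character complex password versus 5- and 6-word
    passphrases drawn from a 7776-word list, rounded to two decimals."""
    return {
        "complex_8_chars": round(entropy_bits(PRINTABLE_ASCII, 8), 2),
        "passphrase_5_words": round(entropy_bits(DICEWARE_LIST_SIZE, 5), 2),
        "passphrase_6_words": round(entropy_bits(DICEWARE_LIST_SIZE, 6), 2),
    }


def password_change_required(last_changed: date, today: date,
                             compromise_suspected: bool = False,
                             max_age_days: int = 365) -> bool:
    """Event-based expiry: rotate immediately on a suspected compromise,
    otherwise only once the annual backstop has been exceeded."""
    if compromise_suspected:
        return True
    return (today - last_changed).days > max_age_days


if __name__ == "__main__":
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
    for label, bits in compare_strength().items():
        print(f"{label:>20}: {bits} bits")
    print("rotate (no event, 13 months old):",
          password_change_required(date(2019, 7, 1), date(2020, 8, 8)))
```

The entropy figures assume uniform random selection; a passphrase a user invents from a favourite quote is much weaker than the number suggests, which is why the passphrase should come from a generator (a password manager does this) rather than from memory. The expiry function shows the guide's point: a compromise forces a change regardless of age, and in the absence of any event the password is left alone until the yearly backstop.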
Specifically for password managers, the guide recommends:
“Use of these should be actively encouraged for use with password-only authentication systems (especially if the user needs to manage access to multiple of these systems)”
And, where “feasible, using MFA instead of just a master password to gain access to the Password Manager is preferred”.
For some months now I have mainly been working on a Linux desktop. Unfortunately, I often have to switch to Windows because of Word and PowerPoint. So I use KeePassXC to allow easy switching between the operating systems.
My cloud account is secured with a YubiKey, and so is my KeePassXC database. It works fine on Windows and Linux.
To boost user experience and password security, please give the CIS Password Policy Guide the attention it deserves.
Have a great weekend.
- White Paper: CIS Password Policy Guide [Internet]. Center for Internet Security. [cited 2020 Aug 8]. Available from: https://www.cisecurity.org/white-papers/cis-password-policy-guide/.