[OWASP-Philadelphia] GCHQ Password Guidance
Justin Klein Keane
justin at madirish.net
Fri Sep 18 16:27:46 UTC 2015
Hello all,
I'm sure everyone on this list deals with passwords quite regularly
and so I thought it might be useful to pass along a link to a recent
publication from GCHQ (the British intelligence agency) concerning
passwords. There are a number of extremely good pieces of advice
throughout the 13 page document that are not only applicable, but come
from a very reputable source so might be useful in influencing
organizational security policy or bolstering recommendations you may be
making as part of security evaluations.
My favorite recommendation supports a point I've been trying to make
for years - namely that forcing users to choose new passwords every 30,
60, or 90 days actually hurts, rather than helps, your security posture:
"Regular password changing harms rather than improves security, so avoid
placing this burden on users. However, users must change their
passwords on indication or suspicion of compromise"
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf
Cheers,
--
Justin C. Klein Keane
http://www.MadIrish.net